The domino effect of Gawker's poor password practices

The popular website Gawker and several other websites owned by the Gawker Media group were recently breached by hackers, who stole the usernames and passwords of more than 1.5 million people.

The hackers published the stolen login credentials, revealing that thousands of people simply used “password” as their passcode.

Knowing that many people use the same password on multiple websites, spammers used the stolen Gawker login credentials to access hundreds of thousands of accounts on other websites, including Twitter and LinkedIn, for the purpose of spreading spam and malicious links.

The incident is not unique. In 2009, a data breach exposed the usernames and passwords of 32 million users of the social website RockYou.com, and it is estimated that 10 percent of those login credentials could also be used to access those victims' PayPal accounts.

These breaches expose the poor password practices of most internet users and demonstrate how easily hackers take advantage of those practices to compromise a large number of accounts across many different websites – even those websites that otherwise have strong security. 

It is easy to lay blame on the users for choosing weak passwords and using the same password on multiple websites, but the reality is that people simply can't remember a different strong password for every website with which they register.

Security experts advise people to have strong passwords with at least 12 random characters, including letters, numbers and symbols, but the average user has more than 25 online accounts. The cognitive burden of remembering so many strong passwords is overwhelming, so people resort to old habits, despite the security risks.

To improve password practices on the web – and thereby improve security across all websites – the burden cannot lie solely on users.

A recent study by University of Cambridge researchers showed that most websites are guilty of having weak authentication standards and enabling bad password practices by users. Of the websites studied, fewer than three percent required passwords to be more than six characters long, only one percent required users to include non-alphanumeric symbols in their password, and only nine percent performed a simple dictionary check to prevent users from choosing “password” as their password.
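The three requirements the study measured, together with the 12-character letters-numbers-symbols recommendation quoted above, as an added Python example that is not from the article or the study. The blocklist is a constructed sample, and the case-folding and trailing-digit normalisation in the dictionary check are my own assumptions.

```python
import string

# Constructed sample blocklist. The article cites "password" as the entry a
# dictionary check should reject; the other entries are illustrative only, and
# a real deployment would load a far larger list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein"})


def character_classes(password: str) -> set:
    """Return the set of character classes present; anything that is not a
    letter or digit (punctuation, space, other Unicode) counts as a symbol."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def in_dictionary(password: str, wordlist=COMMON_PASSWORDS) -> bool:
    """Dictionary check. Folding case and stripping trailing digits
    ("Password1" -> "password") is an assumption of this example."""
    folded = password.lower()
    stripped = folded.rstrip(string.digits) or folded
    return folded in wordlist or stripped in wordlist


def check_policy(password: str) -> dict:
    """Evaluate the three study criteria (length over six, a non-alphanumeric
    symbol, not a dictionary word) plus the 12-character expert recommendation."""
    classes = character_classes(password)
    return {
        "longer_than_six": len(password) > 6,
        "has_symbol": "symbol" in classes,
        "not_in_dictionary": not in_dictionary(password),
        "expert_strength": (
            len(password) >= 12
            and bool(classes & {"lower", "upper"})
            and {"digit", "symbol"} <= classes
        ),
    }


def is_acceptable(password: str) -> bool:
    """A site applying all three study criteria would accept only these."""
    r = check_policy(password)
    return r["longer_than_six"] and r["has_symbol"] and r["not_in_dictionary"]
```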

The interconnected nature of the web, the domino effect of poor password practices, and the amount of sensitive information shared and stored online means that more websites must make strong authentication standards a priority.

The availability of cloud-based authentication solutions makes it easy for websites to employ one-time passcodes for logins, which can replace passwords completely or be added to the password to strengthen the security of the login even if the user has a weak password.

The widespread use of smartphones makes it possible for consumer-facing websites to employ two-factor authentication without using tokens, smart cards or biometrics – tools that typically are not practical in these cases.

Until more websites eliminate antiquated password schemes in favor of strong authentication methods that are easy for users, we'll continue to see poor password practices used around the web, making it easy for hackers to take a data breach at one website, such as Gawker, and use it to compromise user accounts and commit fraud on a number of other websites.
