The popular website Gawker and several other websites owned by the Gawker Media group recently were breached by hackers to steal the usernames and passwords of more than 1.5 million people.
The hackers published the stolen login credentials, revealing that thousands of people simply used “password” as their passcode.
Knowing that many people use the same password on multiple websites, spammers used the stolen Gawker login credentials to access hundreds of thousands of accounts on other websites, including Twitter and LinkedIn, for the purpose of spreading spam and malicious links.
The incident is not unique. In 2009, a data breach exposed the usernames and passwords of 32 million users of the social website RockYou.com, and it is estimated that 10 percent of those login credentials could also be used to access those victims' PayPal accounts.
These breaches expose the poor password practices of most internet users and demonstrate how easily hackers take advantage of those practices to compromise a large number of accounts across many different websites – even those websites that otherwise have strong security.
It is easy to lay blame on the users for having chosen weak passwords and using the same password on multiple websites, but the reality is that people simply can't remember a different strong password for every website with which they register.
Security experts advise people to have strong passwords with at least 12 random characters, including letters, numbers and symbols, but the average user has more than 25 online accounts. The cognitive burden of remembering so many strong passwords is overwhelming, so people resort to old habits, despite the security risks.
To improve password practices on the web – and thereby improve security across all websites – the burden cannot lie solely on users.
A recent study by University of Cambridge researchers showed that most websites are guilty of having weak authentication standards and enabling bad password practices by users. Of the websites studied, fewer than three percent required passwords to be more than six characters long, only one percent required users to include non-alphanumeric symbols in their password, and only nine percent performed a simple dictionary check to prevent users from choosing “password” as their password.
The interconnected nature of the web, the domino effect of poor password practices, and the amount of sensitive information shared and stored online means that more websites must make strong authentication standards a priority.
The availability of cloud-based authentication solutions makes it easy for websites to employ one-time passcodes for logins, which can replace passwords completely or be added to the password to strengthen the security of the login even if the user has a weak password.
The widespread use of smartphones makes it possible for consumer-facing websites to employ two-factor authentication without using tokens, smart cards or biometrics – tools that typically are not practical in these cases.
Until more websites replace antiquated password schemes with strong authentication methods that are easy for users, poor password practices will persist around the web, and hackers will continue to take a data breach at one website, such as Gawker, and use it to compromise user accounts and commit fraud on a number of other websites.