Take action ahead of next password hack
Tom Burton says the massive Russian password hack is more than a numbers game
A Russian gang has, through its hacking activities, acquired 1.2bn user names and passwords belonging to more than 500 million email addresses. While the scale of the breach is eye-catching, the real issue is what those hackers can do with the stolen data.
This latest breach might finally be the wake-up call that businesses need when it comes to password protection.
Accessing more than a billion passwords takes a significant level of organisation and sophistication, but if ever there was an argument that size doesn't matter, this is it.
Each year the number of password hacks seems to be climbing, but such a large number stolen in one go raises a question about what the attackers are going to do with the information they now possess.
One possibility is that the plan is to package the information, price it, and sell it according to its usefulness.
This latest breach also offers more evidence that passwords are losing their effectiveness as a protection mechanism. Individuals cannot possibly remember a different password for each website they use, let alone passwords that have the recommended strength.
In the short term, individuals must take a more risk-based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached – such as bank or email accounts – while being pragmatic and using common passwords for sites that would be little more than an irritation if breached.
The next step will be the rise of consumer-driven two-factor authentication using physical devices such as mobile phones to provide unique codes for each access – akin to the one-time pads used by spies during the Cold War.
(Some banks already issue customers with similar pads that generate one-time passwords – Ed)
The fact remains, though, that this latest hack into supposedly secure data is another example of the risks that businesses face.
Many will react to the news by changing their passwords – which is a sensible move – but they would be better served taking a proactive stance against cyber threats and focusing on what they can do in advance, rather than reacting to an already publicised threat.
The fear is that if this doesn't prompt businesses and individuals to rethink how they protect themselves, the criminal fraternity has a bright future ahead.
Tom Burton is a director in the cyber security practice at KPMG