Password Fails: 6 Reasons You Need A Better Password
The media is always quick to jump on the latest computer security blunders, but they almost always oversell the “hacking” involved. As we mentioned in our article about how to set up a strong password, the “celebgate” scandal that resulted in celebrity photos getting leaked online was not due to a cybercriminal cracking his way into Apple’s iCloud.
Celebgate, and many other breaches like it, happened because users fall prey to a phishing scams or use weak, easily crackable passwords (often across multiple accounts). This is a huge security blunder and a good way to ensure all of your data ends up online — although, I guess that way you won’t have to worry about making backups anymore.
Have You Been Hacked?
You may not even be aware that one or more of your accounts has been compromised; you may have signed up for a service you used once and then forgot about.
The website Have I Been Pwned allows you to enter your email address and see if your email appears in any of the leaked databases online. Unfortunately, there isn’t much you can do except change your password and ensure you aren’t using the same password elsewhere. Once it’s out there, it’s out there for good.
Password Fails
To give you an idea of how often bad passwords lead to breaches, we’ve compiled a short list here of the most eye-catching events in recent years due to people not being careful with their login credentials. If you would like to avoid ending up on a list like this in the future, check out our password generator tool.
Celebrity Twitter Accounts Compromised
In 2016, Drake and Katy Perry, among others, had their Twitter accounts compromised. Twitter itself, however, wasn’t and it quickly turned out Drake and Perry made the mistake of reusing their passwords across multiple sites and services.
The passwords most likely came from a dump of MySpace passwords that appeared for sale online, compromising 360 million user accounts.
Moral of the story: never reuse a password.
John Podesta Email Leaks
John Podesta, campaign chairman for Hillary Clinton, fell prey to a phishing scam that resulted in the leaks of a decade’s worth of emails. Podesta received an email purportedly from Google which claimed someone had tried to hack into his email account.
Charles Delavan, a campaign aide responsible for IT, accidentally said it was a “legitimate” email — he had meant to type “illegitimate.” Podesta used the fake Google website from the phishing email to update his password and the rest is history.
Moral of the story: always be suspicious. No reputable service provider will ever ask you for your password.
Classified Data on a Public Server
If there’s one thing worse than a weak or reused password it’s simply being too lazy to set one up at all. Surprisingly, this happens all too often.
Booz Allen, a consulting firm with close ties to military and intelligence branches of the U.S. government, was found to have exposed a cache of over 60,000 sensitive files via a public facing server in Amazon’s cloud. The leaks contained passwords to government systems and the security credentials of at least one Booz Allen employee.
New York University (NYU) dropped the ball as well when it was found to have a public, unprotected backup drive with files on a confidential encryption-breaking program being developed jointly with IBM, the Department of Defense and NYU. An unnamed security researcher found the backup drive while searching for security vulnerabilities. “Adam,” the alias he used in interviews, wasn’t out to cause any harm. He contacted NYU to let them know their mistake, and they promptly took the data offline.
Moral of the story: use a strong password and encryption on sensitive data. Better yet, don’t connect a NAS full of confidential secrets to the Internet. If there’s no other way, make sure to read our NAS security guide first.
Zomato Hack
Zomato, a food tech company, made the news recently when they were hacked. The attacker, using the handle “nclay,” stole over 17 million user records. The database contained users’ names, email addresses and passwords.
The database was put up for sale on the dark web for a mere $1,001.45. Zomato claimed, at first, that the hashed passwords couldn’t be decrypted — until a security researched called them out on Twitter. Zomato changed their statement, saying that the hashed passwords couldn’t be “easily” decrypted. Any Zomato users that reused passwords across websites and services were put at risk by this breach.
Moral of the story: again, never use the same password twice.
Ashley Madison
Ashley Madison, a website designed to make having an affair as easy as online dating, was breached in 2015 and a database leaked online. Almost 10GB in size, the database made its first appearance on the dark web.
The company claimed to have almost 40 million users at the time of the breach and the list is a well-known, high-profile target for hackers seeking to make some cash via blackmail.
Besides passwords and usernames for 32 million users, the leaked database contained seven years’ worth of credit card and payment details, as well as addresses, phone numbers and real names. Interestingly, there were about 15,000 emails belonging to .mil and .gov domains — it seems even Uncle Sam was trying to have a steamy affair.
Moral of the story: have morals, not affairs. Joking aside, don’t reuse passwords. Seeing a trend here? You put your security into the hands of total strangers when you reuse a password, and some of them are very incompetent, as you’ll see next.
Cupid Media Hack
Cupid Media, an online dating website, was hacked in 2013. No website or server is completely safe and most services seem to take this fact into account by employing precautions like encrypting or hashing sensitive information.
Not Cupid Media. They stored passwords in plaintext for over 42 million accounts. The hackers made away with a database and probably couldn’t believe their luck when they discovered their work was essentially done for them.
Bryan Krebs, reporter and security researcher, reviewed the records and made some unsurprising discoveries:
- 1.9 million accounts using the password “123456”
- 1.2 million passwords using “111111”
- 574,914 passwords were simply “123456789”
Users that employ such lazy passwords are likely to do the same thing across other websites, opening themselves up to further attack and compromise.
Moral of the story: choose a secure password. and don’t reuse it. Seriously.
Conclusion
Websites and servers get hacked all the time. It’s impossible to have complete and total security without turning a computer off and burying it 50 meters underground inside a locked vault. The best thing you can do is to choose a secure password and never reuse it.
Use Have I Been Pwned to check if your email appears in any of the publicly available leaks, and change any passwords for those accounts. Reusing a password and choosing a weak password places you at risk. Don’t leave your privacy and security in the hands of total strangers.
Feel free to leave your comments below and also to share this article with family and friends on social media. Thank you for reading.