
Russian haul of over a billion stolen usernames and passwords uncovered

06 August, 2014
The IT security industry shares its reaction to the news that over 1 billion user credentials have been stolen by a Russian crime ring

The haul of more than 1.2 billion username/password combinations and more than 500 million email addresses was stolen from over 420,000 websites of all sizes and from all parts of the globe, and is thought to be the largest collection of stolen web credentials to date.

Both the scale and the nature of the breach affect organizations and personal web users alike, all of whom feel threatened by it. The threat posed by such an extensive database of user credentials sends out a powerful message about the continued viability of usernames and passwords as a means of access control.

In order for them to be secure, organizations have to encrypt them and guard them, whilst users have to choose difficult passwords, change them regularly and have different ones for every website they visit. Both organizations and individuals are failing in these regards, and so the username/password combination is as doomed to failure now as it has always been.

Even the local town hall coffee morning group is demanding user names and passwords to access member sections of its site these days so, faced with dozens of such sites, users will not.... will absolutely NOT.... choose different complex credentials for every site they use and most users will choose the same credentials for the coffee morning group as they do for something much more attractive to a hacker, such as eBay or PayPal.

That is a fact of life that exists today and will always exist so long as user names and passwords are the only option. It's rubbish. The IT security industry is awash with high technology wizardry, the ability to combat Advanced Persistent Threats and catch zero-day viruses without the end user even knowing. We even have biometrics and multi-factor authentication as an alternative to user IDs and passwords, but it seems impossible to make a deployment widespread enough to capture mainstream end users. Like I said, it's rubbish. It's like having Electronic Stability Control fitted to a car with dodgy shock absorbers... it doesn't help.

There are alternatives of course. Tenable's EMEA technical director, Gavin Millard told us, "Don't change your password in response to this, change your password habits by using a password manager which will enable you to have an individual password per site you use, thus limiting the impact of any attack of this nature in the future" - So, we're still on passwords then. It only helps those who use password vaults which will always be the minority.
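The two practical measures the editorial keeps returning to are that organizations must protect the credentials they store and that users must hold a different password for every site. The Python below is an added example written for this page, not code from the article or from any vendor quoted in it. It shows both halves: salted PBKDF2 storage with constant-time verification (so a leaked record from one site cannot be matched directly against another), a manager-style per-site password generator, and a small check of how far a single leaked password reaches when it has been reused. The PBKDF2 iteration count, the site names and the sample password are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List, Optional

# Cost parameter for PBKDF2-HMAC-SHA256; an assumed value for this example.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    A fresh random salt per user means two users (or two sites) holding the
    same plaintext password still store different records, so a leak from one
    site gives nothing that can be looked up directly against another.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time. Unknown or malformed records are rejected, not guessed."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


def generate_site_password(length: int = 20) -> str:
    """What a password manager does for the user: an independent random
    password per site, drawn from the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reuse_exposure(site_passwords: Dict[str, str], leaked_site: str) -> List[str]:
    """Given one user's per-site passwords and the site whose credential
    database leaked, return the other sites that same password unlocks."""
    leaked = site_passwords[leaked_site]
    return sorted(site for site, pw in site_passwords.items()
                  if site != leaked_site and pw == leaked)


# Constructed sample data: the user the article describes, who uses one
# password everywhere, and a user whose manager generated one per site.
REUSING_USER = {
    "coffee-morning": "Summer2014!",
    "ebay": "Summer2014!",
    "paypal": "Summer2014!",
}
UNIQUE_USER = {site: generate_site_password() for site in REUSING_USER}


if __name__ == "__main__":
    record = hash_password("Summer2014!")
    print("stored record:", record)
    print("correct password verifies:", verify_password("Summer2014!", record))
    print("wrong password verifies:", verify_password("summer2014!", record))
    print("reusing user, coffee-morning leak also exposes:",
          reuse_exposure(REUSING_USER, "coffee-morning"))
    print("password-manager user, same leak exposes:",
          reuse_exposure(UNIQUE_USER, "coffee-morning"))
```

Run it directly to see the stored record format and the two exposure lists side by side. The record embeds its own algorithm name, iteration count and salt, so a site can raise the cost parameter later and re-hash on next login without a schema change; `hmac.compare_digest` avoids leaking, through timing, how many bytes of a guess matched.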

Forgerock's VP of innovation and emerging technology, Eve Maler commented: "We know by now that users are often reluctant to use unique passwords and identifiers for online accounts".

OK, so what's the answer?

Eve Maler explained, "This is why it is so important for organizations to leverage contextual and relational intelligence to measure risk. By doing so, security teams can apply a multi-layered approach to protect data on any external or internal application, device, or thing (sic) and can mitigate risk that may result from this type of breach".

No Eve, you're wrong! It doesn't help. Whilst organizations are trying to work out what "leveraging contextual and relational intelligence to measure risk" actually means, the much more pragmatic cyber criminals will have made off with another couple of billion user credentials.

Most security companies agreed that user names and passwords can no longer be regarded as a secure credential and that the credentials themselves have to change. Mark Kedgley of New Net Technologies told us, "Traditional, basic IT security measures are no longer sufficiently effective, and in 2014, it is no longer forgivable if a breach occurs due to corner-cutting on what should be considered minimum standards of security".

So what are those minimum standards of security? Minimum standards should be robust enough not to depend on the abilities of millions of people to choose their own level of security and should be based on deployable biometric or multi-factor authentication technology that's affordable by every organisation from the largest corporations down to the local town hall coffee morning group.

Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.