THE GREAT PASSWORD STORY
12 July 2015
We are all aware that companies get hacked all the time, whether or not the company in question chose to hash its passwords.
If they did not hash them, the passwords are either stored in plain text or encrypted. Encrypting is not a good option either, because encryption is reversible: anyone who obtains the key can recover every password.
People reuse passwords all the time, so chances are that attackers could wipe your bank account clean using the same password you used to buy toilet wipes on Amazon. Yes, it has happened and will continue to happen as long as people remain lazy.
So, what are our options? How can we prevent NPI data leaks? Do we ask companies to hash their password databases, do we tell people not to reuse passwords, or do we give up on passwords altogether? There are a few answers lined up.
Let's break down all three in detail:
1) First- asking companies to hash their passwords would be a good start, and if they also use salts, even better. But the truth is you have no way of knowing how a company stores its customers' confidential data. Until there is some policy or standardization procedure in place, depending on this option is a bit like asking kids not to cheat.
2) Second- it is common knowledge that people who care about their data do spend time and effort creating and remembering passwords. It's a noble idea and I laud their effort.
Now suppose the password you spent a whole evening creating to satisfy complexity requirements and the like, and which possibly contains NPI, is caught up in one of the breaches from point one. You later realize that data about you has been added to the password lists that attackers use.
After this blunder you have lost a whole evening and some personal information that may not link directly to you but is still out in the open, and you're back where you started.
This possibility may well scare a lot of people, as creating your own strong password is the most popular option when it comes to passwords.
People feel safe and in control when they come up with strong passwords, and rightly so. So the question is, how do we fix this? The pertinent answer is to use password managers.
Password managers are software programs that you install on your personal device to keep track of passwords for different websites. Only a master password is required and you're good to go. They encrypt your data using strong encryption algorithms such as AES or Blowfish. The effort of creating and remembering complex passwords is gone: just log in to your password manager, generate a random password and link it with the respective website.
3) Third- this is a bit new and was recently adopted by the site medium.com. The user enters their email to login and a link is emailed to them. Opening your mailbox and clicking on that link logs you in. So it’s simple, easy to understand and removes the overhead of creating, remembering and storing passwords.
Your Medium account is only as safe as your email account, which is good if you use Google, MS, etc.; about other providers I can't say. So what the guys at Medium have essentially done is outsource the password responsibility back to you and your email provider.
If your email is hacked that’s it, good luck trying to convince the guys at Google that you really are email@example.com
The author is a security consultant at a leading security firm.
 NPI- Non Public Information
 AES- Advanced Encryption Standard