Over the past few years we have seen a large number of databases get compromised, leading to the disclosure of user passwords. Whether the passwords were stored properly is beyond the scope of this post and better left for a post of its own. The problem here is that attackers are going after password databases.
When I give presentations I am often asked whether it is OK to use the same password across multiple sites. Most people try to claim that their password is strong and complex. Some go as far as to say they have two passwords: one for their critical sites and one for their social network sites. My response is to use a different password or pass phrase on each site. If you can’t remember them, look into getting a password manager application to track them. I personally use SplashID for managing passwords, but I do not endorse it or any other product.
You may be wondering why the attackers are going after these password databases. The short answer: it stores your password. I know, that was exactly what you were thinking. In reality, the attackers know that users are using the same password across multiple sites. To make it worse, many sites set your username to your email address. If an attacker is able to compromise a site that has not properly protected your password, then no matter how complex it is, it could now be compromised. This opens the door for attackers to attempt to log into other sites you are a member of, if you used that same password there.
I understand that you may think your account on some bulletin board is nothing spectacular, but if that account shares a password with your bank, it could be big trouble. In addition, since many applications use email to send password resets, email passwords should be heavily guarded.
One thing I have found very interesting is the willingness of many companies to be proactive about your account getting compromised in these situations. Just recently, there were multiple credential databases that got breached. I received an email from two different companies I have accounts with alerting me that my email address (username) was in the list of breached accounts. They recommended that I change my password if it was the same one I used on the breached site. They also recommended that I implement 2-factor authentication on those sites that have it.
Fortunately, I was already using 2-factor authentication with the Google Authenticator on both of those sites and I didn’t use the same password, so there really wasn’t any action for me to take. It is good that they are taking action to look at these lists that get released and attempt to alert their users. Then again, whether through fault of their own or not, they stand to benefit from warning their users about this type of situation.
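The kind of check those two companies performed, matching a released breach list against their own user base and alerting the people who appear in it, can be scripted on the defender's side. The following is an added example, not code from the original post or from any of the companies mentioned; the breach list, the user table and the field names (`mfa_enabled`, `advice`) are constructed for illustration. It normalizes addresses before matching, since dumps and user tables rarely agree on casing or whitespace, and it tailors the notice to whether the account already has 2-factor authentication turned on.

```python
"""
Added example (not from the original post): a defender-side check that
matches a published breach list of email addresses against a site's own
user list, so the matching users can be alerted and asked to rotate their
password. All data below is constructed for the example.
"""

# Constructed sample: a breach dump typically circulates as a list of
# usernames/emails (often alongside password hashes, which this check
# does not need). Casing and whitespace vary between sources.
BREACH_LIST = """
Alice@Example.com
bob@example.org
  carol@example.net
dave@other.example
"""

# Constructed sample: the site's own accounts, with email used as username.
SITE_USERS = [
    {"id": 1, "email": "alice@example.com", "mfa_enabled": True},
    {"id": 2, "email": "bob@example.org", "mfa_enabled": False},
    {"id": 3, "email": "erin@example.com", "mfa_enabled": False},
    {"id": 4, "email": "Carol@Example.net", "mfa_enabled": False},
]


def normalize_email(addr: str) -> str:
    """Canonical form for matching: trim surrounding whitespace and lower-case."""
    return addr.strip().lower()


def parse_breach_list(text: str) -> set[str]:
    """Parse one address per line, skipping blank lines, into normalized emails."""
    return {normalize_email(line) for line in text.splitlines() if line.strip()}


def find_affected_users(users, breached: set[str]):
    """Return the site users whose normalized email appears in the breach list."""
    return [u for u in users if normalize_email(u["email"]) in breached]


def build_notifications(users, breached: set[str]):
    """Produce one notice per affected user, in the site's user order.

    Every affected user is told to change their password if it was reused on
    the breached site; accounts without 2-factor authentication are also
    told to enable it, mirroring the advice the post describes receiving.
    """
    notices = []
    for u in find_affected_users(users, breached):
        advice = [
            "Change your password here if you used the same one on the breached site."
        ]
        if not u["mfa_enabled"]:
            advice.append("Enable 2-factor authentication on this account.")
        notices.append({"user_id": u["id"], "email": u["email"], "advice": advice})
    return notices


if __name__ == "__main__":
    for notice in build_notifications(SITE_USERS, parse_breach_list(BREACH_LIST)):
        print(notice["email"])
        for line in notice["advice"]:
            print("  -", line)
```

In a real deployment the breach list would come from the site's chosen feed rather than an inline string, and the notices would be handed to the mailer and to a flag that forces a password reset on next login; the matching and normalization logic stays the same.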
If you are not using 2-factor authentication on sites that allow it, I recommend it: it really has worked well for me so far. It doesn’t give you a free pass to start sharing passwords across sites, but it may come in handy if a credentials database is compromised.
Please be cautious when setting up your accounts, to get the best security protection possible. Unfortunately we are not able to control how a company stores our details. Believe that they are doing it right, but assume they are not, and do as much as you can to be secure.
James Jardine is a principal security consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.