I didn’t want to write this blog, as the mere thought of breaches due to password re-use is killing me. LinkedIn, Adobe, GitHub, TeamViewer and pretty much every other cloud service since the almighty decreed on the eighth day that there shall be cloud services, has – until recently – treated customers’ authentication with the least possible security considerations.
Enter the recent media coverage of the LinkedIn and Dropbox breaches. In the case of Dropbox some 68 million users’ log-in details and passwords resurfaced for sale on the Dark Web last month; with LinkedIn it was 117 million account credentials that appeared in May of this year. If these were new breaches they would be relevant, but they are not; both are from 2012. So why today, some four years later, are we still talking about them?
Let’s consider a couple of things that would have happened between the breach and the data being offered for sale. Neither platform will have been sat around twiddling its thumbs. Firstly, they would have forced a password reset for all of the compromised user IDs, and secondly they would have suggested or begged users to adopt some form of two-factor authentication.
Yet we have Reddit, LinkedIn and Twitter “freaking out” because folks got breached who were using the same password from 2012 across a range of different cloud services. These are the same people who are in most cases forced to change their local business login passwords every 90 days.
The user ID/email and password combinations revealed in these large breaches have been re-used across different service vendors to the complete detriment of security of personal/private information or business integrity. Yet, indignation and outrage at password re-use attacks spews forth online like some kind of toxic leak. To the extent that when TeamViewer, with characteristically German bluntness, suggested their customers were “not following best practices” they were accused of being too “harsh.”
In response let me offer a couple of tips for securing cloud services safely.
1. If you’re re-using your favorite passwords for all your online services, you are asking for trouble
If you’re not using a password management system, then at least try and give yourself a fighting chance by using a self-generated password algorithm: for example, <re-used password>+<name of service>+<re-used password>. So “Unclejerry” as a password (which is lousy security, by the way) becomes “unclejerry+dropbox+unclejerry” (much better security). Not only is it more secure, it’s also far easier to remember than a string of random numbers and gibberish.
Generally, for decrypting attacks, the longer the password is, the longer it takes to crack. Even with encryption a 10-character password is not difficult to crack; however a 29-character password – with two special characters in it to boot – is going to take an insane amount of time to decrypt, no matter how much compute power and software technology you throw at it.
All the user has to remember is their favorite password, a special character and the name of the service they are logging into. So long as the vendor is doing a decent job of their encryption, the customer’s data will remain very difficult to brute force or decrypt. You can even mix up the order to make things even less predictable.
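An added example (not from the original post) that puts numbers on the length argument in this tip: it builds the post's <re-used password>+<name of service>+<re-used password> form and computes the exhaustive search space for the 10-character and 29-character versions. The guess rate is an assumed figure, the function names are illustrative, and the estimate covers exhaustive search only.

```python
import math
import string

# Assumed attacker speed, for illustration only (not a figure from the post).
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

def service_password(base, service, sep="+"):
    """Build <base><sep><service><sep><base>, the form described in the post."""
    return f"{base}{sep}{service}{sep}{base}"

def charset_size(password):
    """Size of the smallest standard character pool that covers the password."""
    pools = [string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation]
    size = sum(len(p) for p in pools if any(c in p for c in password))
    # Characters outside the four ASCII pools (spaces, Unicode) count once each.
    extras = {c for c in password if not any(c in p for p in pools)}
    return size + len(extras)

def brute_force_bits(password):
    """log2 of the exhaustive search space: length * log2(pool size)."""
    return len(password) * math.log2(charset_size(password))

def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate of this length and pool at `rate`."""
    return 2 ** brute_force_bits(password) / rate / SECONDS_PER_YEAR

def compare(base, services):
    """Return {label: (length, bits, years)} for the base and each derived password."""
    candidates = {"base": base}
    # The post lower-cases the base word inside the derived password.
    candidates.update({s: service_password(base.lower(), s) for s in services})
    return {label: (len(pw), round(brute_force_bits(pw), 1), years_to_exhaust(pw))
            for label, pw in candidates.items()}

if __name__ == "__main__":
    rows = compare("Unclejerry", ["dropbox", "linkedin"])
    for label, (length, bits, years) in rows.items():
        print(f"{label:9s} len={length:2d} bits={bits:6.1f} years={years:.3g}")
```
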
2. Two Factor (2FA) – sometimes called Multi-Factor Authentication (MFA) – provides fail-safe protection if your password is decrypted or compromised
Usually, this involves sending an authentication code to your cell phone to verify your access. This is excellent protection and so long as you’re careful with your phone, in terms of installing applications and patches and updates, all is well. Some folks I know use a separate non-smart SMS only phone for authenticating to cloud services. Today, most reputable cloud services offer 2FA. It may have to be activated but it is becoming a best practice standard. I strongly believe 2FA for all cloud services provides excellent protection of the account.
There are a lot of safeguards users can take when using cloud and social media services to ensure they keep control of their account. Researching security features like the ones offered by Google, Facebook, Microsoft and Dropbox is the user’s responsibility. If you’re not using all the security features available from your cloud service provider, my question to you is simple: “Why are you making it easy to get yourself hacked?”
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.