Following the major Adobe breach in October, both Facebook and Evernote have sent notices to users warning about passwords.
In the case of Facebook, it asked the users it identified to answer some security questions before granting them access, according to BBC News. Security blogger Brian Krebs reported that a Facebook spokesman said that the company “actively look[s] for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service” and that when it found those situations, it presented messages to help affected people secure their accounts.
Following this, IT Security Guru saw an announcement from Evernote which said that it had compared the email addresses in the leaked Adobe account list against its own users’ email addresses; while Evernote itself has not been compromised and is not connected to this incident, it recommended that the users it matched change their Evernote password now.
I turned to some of the industry’s experts for their views on why this was happening, especially as the two companies in question had not been affected directly. Symantec security strategist Sian John said that this was quite a good education process, as users would have read about it, and that it was a good thing for organisations to promote the right behaviour.
“We are saying don’t share passwords in light of Adobe and it is a good thing to educate, but there are still too many passwords! The goal with sharing authentication is the user experience on the enterprise side and this is the fastest way downhill to break policy and you need to think about that,” she said.
Raj Samani, CTO of McAfee, said: “By and large, users should be changing their passwords as it is basic cyber hygiene and have different passwords for different websites. I think that it is more important than anything, as the telling thing is that the most prominent password used by the Adobe users was “123456”, as there are not many hackers who cannot count beyond 6.”
Likewise, Steven Hope, CEO of authentication firm Winfrasoft, said that it was no secret that people use the same password for many sites, as it is simply not practical to have a unique password for each.
“This password sharing, while convenient for users, is also a huge security risk which is regularly exploited since once a password is hacked at Adobe, for example, odds are that the same password will work for the same user at many other common sites such as Facebook, Evernote, Twitter etc.
“It’s one of the many intrinsic flaws of passwords. Anybody using passwords to secure their site is really only as secure as the weakest site which also uses passwords (this week it’s Adobe) even though there is no technical connection – the link is the end user. The only way to protect against this risk is to stop using passwords!”
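The two checks described above, Evernote’s address cross-reference and the password-reuse risk Hope describes, can be run by any site against a third-party leak. The following is an added example written for this article; it is not code from Evernote, Facebook or Adobe. It assumes the site stores salted PBKDF2 hashes and that the leaked dump supplies plaintext passwords (many dumps do not; where only hashes or ciphertext leaked, only the address check is possible). The user table and the leak sample are constructed for the example.

```python
"""Cross-reference a third-party credential leak against a site's own users.

Two checks, matching the two points made above:
  1. Address check (what Evernote did): which of our users' email addresses
     appear in the leak at all. They should be told, even though our site
     was not breached.
  2. Reuse check (the risk Hope describes): which of those users set the
     SAME password here as the one that leaked elsewhere. That account is
     effectively already compromised and should be force-reset, with the
     leaked value rejected as the new password.

Everything here is illustrative: the user table, the leak sample and the
hashing parameters are constructed for this example.
"""
import hashlib
import hmac
import os
from collections import Counter

PBKDF2_ITERATIONS = 100_000   # assumption: tune to your hardware budget


def normalize_email(addr: str) -> str:
    """Trim and case-fold so 'Alice@Example.COM ' matches 'alice@example.com'."""
    return addr.strip().lower()


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_user_table(accounts):
    """accounts: iterable of (email, password) -> {email: (salt, hash)}.
    Stands in for the site's existing credential store; plaintexts are not kept."""
    table = {}
    for email, password in accounts:
        salt = os.urandom(16)
        table[normalize_email(email)] = (salt, hash_password(password, salt))
    return table


def verify(table, email: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    salt, stored = table[email]
    return hmac.compare_digest(stored, hash_password(candidate, salt))


def cross_reference(table, leak):
    """leak: iterable of (email, plaintext) from the third-party dump.
    Returns (in_leak, reused): our users whose address appears in the leak,
    and the subset whose current password here equals the leaked one."""
    in_leak, reused = set(), set()
    for raw_email, leaked_pw in leak:
        email = normalize_email(raw_email)
        if email not in table:
            continue                      # not our user; nothing to do
        in_leak.add(email)
        if verify(table, email, leaked_pw):
            reused.add(email)
    return in_leak, reused


def users_with_popular_leaked_passwords(table, leak, top_n=3):
    """Samani's '123456' point: the most frequent passwords in someone else's
    leak are the first guesses an attacker will try here, so check every
    user against them, not only those whose address leaked."""
    popular = [pw for pw, _ in Counter(pw for _, pw in leak).most_common(top_n)]
    return {email for email in table if any(verify(table, email, pw) for pw in popular)}


# Constructed sample data (not real accounts).
OUR_USERS = build_user_table([
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "Tr0ub4dor&3-notes"),
    ("erin@example.com", "123456"),
])
LEAK = [
    ("Alice@Example.COM ", "hunter2"),   # address matches, password here differs
    ("bob@example.com", "123456"),       # same password reused on our site
    ("dave@example.com", "123456"),      # not our user
    ("frank@example.com", "123456"),
    ("grace@example.com", "password"),
]

if __name__ == "__main__":
    in_leak, reused = cross_reference(OUR_USERS, LEAK)
    print("notify (address in leak):", sorted(in_leak))
    print("force reset (password reused):", sorted(reused))
    print("popular leaked password in use:",
          sorted(users_with_popular_leaked_passwords(OUR_USERS, LEAK)))
```

Note that the reuse check only works because the site can hash a candidate against its own salted store; it never needs to keep plaintexts. The email normalisation matters: dumps are rarely canonicalised, and a raw string comparison would miss the Alice entry.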
Naturally that is a simple answer to give, but the problem is not easily solved in practice: every application and website demands that a credential be created for each account, and the number of accounts keeps growing. So what is the solution? Write all of your passwords down and put that piece of paper in a safe? Hardly likely, but until a better solution is widely adopted, this remains hard to solve.
Tom Cross, director of security research at Lancope, called the move by Evernote and Facebook “a great proactive step”, especially as they are “taking the time to double check”. “It would be wonderful to see other sites follow suit,” he said.
I spoke to security consultant Bruce Hallas about why he felt companies were doing this, and he said he was “inclined to agree that it’s probably a house cleaning exercise”.
He said: “I remember seeing the reports about the password choices that Adobe customers had made. This was all exposed as part of the breach. It’s frightening to see the scale of either ignorance, neglect or awareness when it comes to poor password practices. Maybe this has motivated the others to send reminders out to their communities and prompt them to think and change.”
The issue is that there are too many passwords, and people are either forgetting them, writing them down or, more often than not, using the same password for everything, because convenience dictates that this is the better option for them. Perhaps this spot of cyber hygiene is no bad thing, and it will help users become more cyber-savvy. But then again, what if they change their passwords to something that is, once more, the same across different applications? What has been achieved then?