Computer experts from around the world are warning users to change passwords immediately following the announcements that millions of passwords from LinkedIn, eHarmony and Last.fm were posted on hacker websites.
The Internet is full of stories about various topics surrounding the breaches as well as articles on how to effectively protect passwords. Here’s an excerpt from a Washington Post article on the password breaches:
“If there’s one thing that the LinkedIn, eHarmony and now Last.fm hacks have taught us in the past week, it’s that people are really bad at picking secure passwords….
What’s important to remember, even if you can’t keep track of a different password for every account, is that you shouldn’t ever use the same password for accounts that you use every day. That means, Facebook and Gmail should have different passwords, which in turn should be different from your LinkedIn, Spotify, Pandora, Twitter or, goodness forbid, your bank. Hackers are unlikely to target you, specifically, but if one of your passwords gets into a major data dump, you’re just opening the door for them if you’re sharing passwords.”
No doubt, this string of reported hacks has lit a fire under many people regarding their online habit of providing simple passwords or reusing passwords for multiple sites. I made a LinkedIn password change myself this week. My guess is that the disclosures actually underestimate the overall problem. How many other websites have been hacked that we don’t know about yet for a variety of reasons? Is this the tip of an iceberg? I totally agree that this is a wake-up call for users’ password habits.
However, I disagree with the advice, which is growing more popular and mentioned in several referenced articles, that we should even lie about such things as the answers to security or profile questions in order to fool the hackers. I believe that the practice of online lying can (and will) create other unintended consequences. Even though some people view these as harmless “little white lies,” this practice leads down a very slippery slope regarding cyber ethics. We are trying to build trustworthy interactions in cyberspace, and lying usually leads to more lying.
For example, the Washington Post interviewed Chet Wisniewski, senior security advisor for Sophos, who said, “… People should think about being a little less truthful on their security questions, as well, just as a precaution. Name, for example, your second car and not your first, or your child’s high school mascot.”
Huh? Will we remember which “a little less truthful” answer we gave to which online question? (I already have trouble remembering whether I included words like "street" or "drive" in truthful answers.) Soon, we’ll need a database for all of the fabricated answers we gave to the dozens of different social networking sites that questioned us as we changed passwords.
Also, if we lie about answers to security questions, why not lie about a whole host of other things online? What messages are we sending to our kids about online conduct regarding downloading files, lying in chat rooms, profile settings about age, home addresses or a long list of other items? We already have a large part of society which (wrongly) believes that what we do or say online doesn’t count the same as in real life. No, lying on security questions is definitely an unwanted rabbit trail.
What do I recommend instead? How about if the security questions were different or better? Stop asking us our mother’s maiden name. Why not just let us choose or even write our own questions? Or, I could pick my favorite car. My daughter likes the Facebook security challenge where she needs to name the pictures of several of her friends, rather than answering pre-populated questions or typing in a CAPTCHA. I agree with her, and I’ve had trouble with CAPTCHAs before myself.
Moving on, there is no doubt that breaches harm the reputation of an online service. One article from Reuters even claims that this latest breach places LinkedIn’s reputation on the line. Here’s an excerpt:
“LinkedIn is a natural target for data thieves because the site stores valuable information about millions of professionals, including well-known business leaders.
‘This is the serious social networking site. This isn't the one I got to see pictures of my friend's new dog,’ said Mary Hildebrand, chair of the privacy practice area at the law firm Lowenstein Sandler.
The way that the company responds to the theft will play a critical role in determining the extent to which the incident damages LinkedIn's reputation, experts said.”
Forbes went further and addressed the relationship between these breaches and the hacking of online banking sites. There is starting to be a cumulative effect from the massive number of new hacks that seem to be announced weekly. At what point does this start to slow down e-commerce? Will we get to the situation where people don’t want to go online with their sensitive data at all for fear of being hacked? This “stay offline” message is what the US Postal Service (USPS) tries to imply with its recent commercials on TV.
Only time will tell us about the long-term impact of this new password hacking trend. But meanwhile, I’ll repeat the way the IEEE Spectrum article on this same topic closes: “Let's hope that ‘inconvenience’—like getting lots of phishing email asking you to reset your eHarmony or LinkedIn passwords—is the extent of the suffering.”
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.