June 10, 2012 By Dan Lohrmann
Computer experts from around the world are warning users to change passwords immediately following the announcements that millions of passwords from LinkedIn, eHarmony and Last.fm were posted on hacker websites.
The Internet is full of stories about various topics surrounding the breaches as well as articles on how to effectively protect passwords. Here’s an excerpt from a Washington Post article on the password breaches:
“If there’s one thing that the LinkedIn, eHarmony and now Last.fm hacks have taught us in the past week, it’s that people are really bad at picking secure passwords….
What’s important to remember, even if you can’t keep track of a different password for every account, is that you shouldn’t ever use the same password for accounts that you use every day. That means, Facebook and Gmail should have different passwords, which in turn should be different from your LinkedIn, Spotify, Pandora, Twitter or, goodness forbid, your bank. Hackers are unlikely to target you, specifically, but if one of your passwords gets into a major data dump, you’re just opening the door for them if you’re sharing passwords.”
No doubt, this string of reported hacks has lit a fire under many people regarding their online habit of choosing simple passwords or reusing passwords across multiple sites. I made a LinkedIn password change myself this week. My guess is that the disclosures actually underestimate the overall problem. How many other websites have been hacked that we don’t know about yet, for a variety of reasons? Is this the tip of an iceberg? I totally agree that this is a wakeup call for users’ password habits.
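To make the reuse argument concrete, here is an added example (not code from the original post or from any of the sites named in it) that walks through both halves of the problem: an attacker dictionary-cracks a leaked credential dump and then replays the cracked passwords against other sites, and a user checks their own credential list for reuse. Every site, user, password, wordlist and dump below is constructed; the dump is hashed with unsalted SHA-256 purely for illustration, which is an assumption and not a statement about how any named site stored its passwords.

```python
"""Why password reuse turns one breach into many.

Added example, not from the original post. All data below is constructed:
the "leaked dump" is hashed with unsalted SHA-256 purely for illustration
(an assumption, not a claim about how any named site stored passwords).
"""
import hashlib


def unsalted_hash(password: str) -> str:
    """Single-round, unsalted hash: weak storage that makes dictionary attacks cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "breach dump" from hypothetical site A: username -> unsalted hash.
LEAKED_DUMP = {
    "alice": unsalted_hash("sunshine2012"),   # Alice reuses this password everywhere
    "bob":   unsalted_hash("7f!kQp2#zL9w"),   # Bob uses a unique random password per site
}

# Attacker's constructed wordlist; real cracking runs use far larger lists.
WORDLIST = ["password", "123456", "linkedin", "sunshine2012", "qwerty"]

# Constructed credential stores for two *other* hypothetical sites (B and C).
# Alice reused her site-A password on both; Bob did not.
OTHER_SITES = {
    "siteB": {"alice": unsalted_hash("sunshine2012"), "bob": unsalted_hash("Tz4$mNq8@rVe")},
    "siteC": {"alice": unsalted_hash("sunshine2012"), "bob": unsalted_hash("Wb2^hYk5&pLs")},
}


def crack_dump(dump: dict, wordlist: list) -> dict:
    """Dictionary attack against an unsalted dump.

    Because there is no per-user salt, each candidate word is hashed once and
    compared against every user at no extra cost. Returns user -> plaintext.
    """
    lookup = {unsalted_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def credential_stuffing(cracked: dict, sites: dict) -> dict:
    """Replay every cracked (user, password) pair against every other site.

    Returns user -> list of sites where the reused password also worked.
    """
    hits = {}
    for site, store in sites.items():
        for user, password in cracked.items():
            if store.get(user) == unsalted_hash(password):
                hits.setdefault(user, []).append(site)
    return hits


def find_reused_passwords(vault: dict) -> dict:
    """Defender-side check a user can run over their own site -> password list.

    Returns password -> list of sites sharing it, for any password used more than once.
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {p: sites for p, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    cracked = crack_dump(LEAKED_DUMP, WORDLIST)
    print("cracked from dump:", cracked)           # only Alice's guessable password falls
    print("other accounts taken:", credential_stuffing(cracked, OTHER_SITES))
    alice_vault = {"siteA": "sunshine2012", "siteB": "sunshine2012", "siteC": "sunshine2012"}
    print("Alice's reused passwords:", find_reused_passwords(alice_vault))
```

Running it shows the two failure modes separately: Alice loses site A because her password is guessable, and then loses sites B and C only because she reused it. Bob's site-A hash is never cracked by the small wordlist, and even if it were, his unique passwords would stop the second step. The last function is the check worth running on your own list of accounts before the next dump appears.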
However, I disagree with the advice, which is growing more popular and mentioned in several referenced articles, that we should even lie about such things as the answers to security or profile questions in order to fool the hackers. I believe that the practice of online lying can (and will) create other unintended consequences. Even though some people view these as harmless “little white lies,” this practice leads down a very slippery slope regarding cyber ethics. We are trying to build trustworthy interactions in cyberspace, and lying usually leads to more lying.
For example, the Washington Post interviewed Chet Wisniewski, senior security advisor for Sophos, who said, “… People should think about being a little less truthful on their security questions, as well, just as a precaution. Name, for example, your second car and not your first, or your child’s high school mascot.”
Huh? Will we remember which “a little less than truthful” answer we gave to which online question? (I already have trouble remembering whether I included words like "street" or "drive" on truthful answers.) Soon, we’ll need a database for all of the fabricated answers we gave to the dozens of different social networking sites that questioned us as we changed passwords.
Also, if we lie about answers to security questions, why not lie about a whole host of other things online? What messages are we sending to our kids about online conduct regarding downloading files, lying in chat rooms, profile settings about age, home addresses or a long list of other items? We already have a large part of society that (wrongly) believes that what we do or say online doesn’t count the same as in real life. No, lying on security questions is definitely an unwanted rabbit trail.
What do I recommend instead? How about if the security questions were different or better? Stop asking us our mother’s maiden name. Why not just let us choose or even write our own questions? Or I could pick my favorite car. My daughter likes the Facebook security challenge where she needs to name the pictures of several of her friends, rather than answering pre-populated questions or typing in a CAPTCHA. I agree with her, and I’ve had trouble with CAPTCHAs before myself.
Moving on, there is no doubt that breaches harm the reputation of an online service. One article from Reuters even claims that this latest breach places LinkedIn’s reputation on the line. Here’s an excerpt:
“LinkedIn is a natural target for data thieves because the site stores valuable information about millions of professionals, including well-known business leaders.
‘This is the serious social networking site. This isn't the one I got to see pictures of my friend's new dog,’ said Mary Hildebrand, chair of the privacy practice area at the law firm Lowenstein Sandler.
The way that the company responds to the theft will play a critical role in determining the extent to which the incident damages LinkedIn's reputation, experts said.”
Forbes went further and addressed the relationship between these breaches and the hacking of online banking sites. The massive number of new hacks, announced seemingly every week, is starting to have a cumulative effect. At what point does this start to slow down e-commerce? Will we get to the situation where people don’t want to go online with their sensitive data at all for fear of being hacked? This “stay offline” message is what the US Postal Service (USPS) seems to imply with its recent TV commercials.
Only time will tell us about the long-term impact of this new password hacking trend. But meanwhile, I’ll repeat the way the IEEE Spectrum article on this same topic closes: “Let's hope that ‘inconvenience’—like getting lots of phishing email asking you to reset your eHarmony or LinkedIn passwords—is the extent of the suffering.”
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.