In June 2012, LinkedIn, the largest business-oriented social network, found itself in hot water. Allegedly because of weak security practices on the company's part, a file containing the password hashes (unsalted SHA-1) of roughly 6.5 million LinkedIn users was posted on a Russian hacker forum. Although nobody could prove that the breach had directly harmed any user, customers argued in court that the company had misrepresented the level of its Internet security when they signed up for the service.
Thus a class-action lawsuit was born, involving 800,000 American LinkedIn users who paid for premium services between March 15, 2006 and June 7, 2012. The lawsuit was settled this past February for $1.25 million.
LinkedIn isn't the only major company to face scrutiny for its password security, or lack thereof. Ride-hailing app Uber recently came under fire after reports that thousands of customer logins were being sold on the Dark Web. Uber says it investigated and found no evidence of a breach, but one Uber user confirmed to Motherboard that the personal information for sale included his Uber username and password. What is particularly alarming in Uber's case is that the accounts expose trip history, giving cyber criminals records of where the user traveled to and from throughout the day.
Enterprise chat platform Slack also suffered a password breach just a few weeks ago. The company revealed that hackers had accessed a database containing usernames, hashed passwords, and other information. Slack has already tightened its security in response, adding two-factor authentication as an extra layer of protection for its users.
Password Fatigue: A Domino Effect
As a user, it may not seem like a big deal when one of the platforms you use suffers a password breach. Most consumers treat it as a minor annoyance: change the password and move on. But look at it this way: how often have you created a new social account or email address and found yourself mindlessly typing the same password you use on other sites? That habit is password reuse, and the weariness that drives it is called password fatigue. It is a security worst practice, but it is also human nature. The danger is that when any one of your many accounts is compromised, the attacker simply tries the recovered password everywhere else, and the breach dominoes through every email address, application, and site that the same password unlocks. What started as a breach of a chat platform where you think nothing sensitive is stored can end with a hacker reading your personal photos, your bank account, and your medical records after trying your recycled password on a site where valuable personal information is kept.
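The domino effect above is what the industry calls credential stuffing. The following Python script is an added illustration (not code from CSID or from any of the companies named in this post) of the two steps involved: cracking an unsalted SHA-1 dump of the kind LinkedIn lost, then replaying the recovered email/password pairs against a second, unrelated service. The accounts, passwords, wordlist and the second site's PBKDF2 work factor are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed breach dump for illustration (not real accounts): email -> unsalted
# SHA-1 of the password, the storage format of the 2012 LinkedIn file.
BREACHED_SITE = {
    "alice@example.com": hashlib.sha1(b"sunshine1").hexdigest(),
    "bob@example.com": hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),
    "carol@example.com": hashlib.sha1(b"letmein").hexdigest(),
}

# Tiny constructed wordlist standing in for the hundreds of millions of
# candidates a real cracking run feeds to a GPU.
WORDLIST = [b"password", b"letmein", b"sunshine1", b"qwerty"]


def crack_unsalted_sha1(dump, wordlist):
    """Return {email: plaintext} for every hash in `dump` whose password is in `wordlist`.

    With no per-user salt, one SHA-1 per candidate word tests it against every
    account at once: build the reverse table once, then look each hash up in it.
    """
    table = {hashlib.sha1(word).hexdigest(): word.decode() for word in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# --- A second, unrelated service with properly salted password storage ---------

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def make_record(password):
    """Store a password as (random 16-byte salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_login(record, password):
    """Constant-time check of a login attempt against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed accounts on the second service: Alice reused her breached
# password, Bob reused his too, Carol chose a unique one.
SECOND_SITE = {
    "alice@example.com": make_record("sunshine1"),
    "bob@example.com": make_record("Tr0ub4dor&3"),
    "carol@example.com": make_record("correct horse battery staple"),
}


def replay_credentials(cracked, site):
    """Credential stuffing: try every cracked (email, password) pair against `site`.

    The second site's salting and slow hash are irrelevant to this step; the
    attacker is not cracking its hashes, just logging in with a reused password.
    Returns the sorted list of emails whose accounts were taken over.
    """
    return sorted(email for email, pw in cracked.items()
                  if email in site and verify_login(site[email], pw))


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(BREACHED_SITE, WORDLIST)
    print("cracked on breached site:", cracked)
    print("taken over on second site:", replay_credentials(cracked, SECOND_SITE))
```

Two things to notice. Bob reused his password but survives only because "Tr0ub4dor&3" was not in the wordlist, which is luck, not protection; Carol's password was cracked but her second account survives because she did not reuse it. The second site's stronger hashing does nothing to stop the replay step, which is why unique passwords (and two-factor authentication, as Slack added) are the user-side defence.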
Legislation: Not There Yet, But Getting There
While no federal law yet forces businesses to notify customers of a password breach (state laws vary in what kinds of data they cover), companies have an ethical responsibility to notify their customers in a timely manner when a breach occurs. The sooner individuals know they are at risk of identity theft, the sooner they can take the necessary steps to protect their personal information and minimize the damage. The way to ensure that companies honor this responsibility is simple and consistent legislation.
This past January, major strides were made toward federal legislation in Congress to improve cyber security. Of particular importance, one of the goals of the Comprehensive National Cybersecurity Initiative includes increasing information sharing between companies and the government. Through better communication between these two parties, the government can be better informed as to how to develop legislation to best protect consumers. This may also enable faster breach notification across industries.
While this is a step in the right direction, there is still no consensus on when companies must notify consumers that a breach has occurred. New York Attorney General Eric T. Schneiderman proposed a bill this past January that would expand New York's definition of what triggers disclosure by adding email addresses and passwords to the data types already covered (Social Security numbers, driver's licenses and credit card information). A federal law modeled on it could well be beneficial.
What You Can Do
We at CSID would like to see legislation around these issues continue to be developed and strengthened. That said, protecting your passwords is not entirely out of your hands. It is your responsibility to do all you can to protect your personal information by using strong, unique passwords. Here's what you can do:
- Use a combination of upper and lowercase letters, numbers, and symbols.
- Create a password that is at least eight characters long. The longer, the better. To put this in perspective, against an attacker guessing on the order of 10^14 passwords per second from the full 95-character keyboard alphabet (the rate these figures assume), a 10-character password can be exhausted within a calendar week, while the same brute-force attack would need about 1.49 million centuries to exhaust a 15-character password. Every extra character multiplies the attacker's work by the size of the alphabet, which is why length matters more than any single special character.
- Don't use dictionary words, slang, names or email addresses. You can have the longest password in the world, but if it's an easily recognizable phrase, it won't do you much good.
- For those who don't want to keep track of long, complex passwords, a password manager can generate and store a unique password for every site and so break the natural human tendency toward poor password habits.
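The brute-force figures and the rules in the list above can be checked with a few lines of Python. The script below is an added example written for this post, not a tool from CSID; it assumes the same 95-character alphabet and a rate of 10^14 guesses per second (the rate implied by the post's own week / 1.49-million-century figures), and uses a constructed seven-word dictionary in place of the leaked-password corpora real checkers consult.

```python
import re
import string

# Assumed attacker throughput for the illustration: about 1e14 guesses per second
# against printable ASCII is the rate implied by the post's own figures.
GUESSES_PER_SECOND = 1e14
SECONDS_PER_DAY = 86_400
SECONDS_PER_CENTURY = 100 * 365.25 * SECONDS_PER_DAY
PRINTABLE = 95  # 26 lower + 26 upper + 10 digits + 32 punctuation + space


def keyspace(length, alphabet_size=PRINTABLE):
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(length, alphabet_size=PRINTABLE, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time at the assumed guessing rate."""
    return keyspace(length, alphabet_size) / rate


def cracking_table(lengths=(8, 10, 15), alphabet_size=PRINTABLE):
    """Length -> worst-case brute-force time in days (post's numbers reproduced)."""
    return {n: seconds_to_exhaust(n, alphabet_size) / SECONDS_PER_DAY for n in lengths}


CLASSES = (
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation + " "),
)


def alphabet_size_of(password):
    """Size of the smallest standard alphabet the password draws from."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in password))


# Constructed mini-dictionary; a real checker uses a corpus of leaked passwords.
COMMON = {"password", "letmein", "qwerty", "sunshine", "welcome", "monkey", "dragon"}

# Common "leet" substitutions, undone before the dictionary check so that
# P@ssw0rd1 is still recognised as "password".
LEET = str.maketrans("@0$1!3", "aosiie")


def password_problems(password, common=COMMON, min_length=8):
    """Return the list of rules from the post that `password` violates (empty = ok)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name, chars in CLASSES if not any(c in chars for c in password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    core = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    hits = sorted(word for word in common if word in core)
    if hits:
        problems.append("resembles a dictionary word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for n, days in cracking_table().items():
        print(f"{n:2d} chars, 95-symbol alphabet: {days:.3g} days")
    # Length beats variety: 20 lowercase letters outnumber 10 full-alphabet ones.
    print("26^20 > 95^10:", keyspace(20, 26) > keyspace(10, 95))
    for pw in ("letmein", "P@ssw0rd1", "Tr0ub4dor&3"):
        print(f"{pw!r}: {password_problems(pw) or 'ok'}")
```

Two caveats the numbers carry. They are worst-case exhaustive-search times, so a password that is a dictionary word or a simple variant falls in seconds regardless of length, which is what `password_problems` catches. They also assume the attacker holds a fast, unsalted hash; a site using a deliberately slow salted hash cuts the guessing rate by orders of magnitude, but that is the site's choice, not the user's.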