Yahoo reported the theft of some 400,000 user names and passwords used to access its website, acknowledging that hackers took advantage of a security vulnerability in its computer systems.
The Mountain View, California-based LinkedIn, an employment and professional networking site with 160 million members, was hacked, suffered a data breach affecting 6 million of its users, and is now the subject of a class-action lawsuit.
These sites did something wrong that allowed those passwords to be stolen. However, passwords themselves are too easy to compromise. Had multi-factor authentication been in use in these cases, the hacks might have been moot and the stolen data useless to the thief.
The password problem has two big parts. First, we are lazy with passwords; for example, regarding the Yahoo breach, CNET pointed out that:
2,295: The number of times a sequential list of numbers was used, with “123456” by far being the most popular password. There were several other instances where the numbers were reversed, or a few letters were added in a token effort to mix things up.
160: The number of times “111111” is used as a password, which is only marginally better than a sequential list of numbers. The similarly creative “000000” is used 71 times.
Second: spyware, malware and viruses on a user’s device can easily record passwords, which means the username (often a publicly known email address) and password are easy to obtain from an infected device.
The numerous scams that entice users to cough up sensitive data are a proven con that works often enough to keep hackers hacking.
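As an added example (not from the original post or from CNET), the following Python flags the digit patterns CNET counted above: repeated digits, forward sequences and reversed sequences, optionally padded with a few letters. The constructed sample list stands in for the breached dump, and the three-letter tolerance is my assumption about what a “token effort to mix things up” looks like.

```python
"""Flag the weak digit patterns CNET counted in the Yahoo dump.

Constructed sample passwords stand in for the breached list; the
tolerance for up to three letters tacked on either end is an assumption
about what a "token effort to mix things up" looks like.
"""
import re
from collections import Counter
from typing import Optional

DIGITS = "0123456789"
# Doubling the string lets wrap-around runs such as "7890123" match too.
SEQ_FORWARD = DIGITS + DIGITS
SEQ_REVERSED = SEQ_FORWARD[::-1]

# Four or more digits, optionally padded by a few letters on either side.
_CORE = re.compile(r"[A-Za-z]{0,3}(\d{4,})[A-Za-z]{0,3}")


def weak_pattern(password: str) -> Optional[str]:
    """Return 'repeated', 'sequential', 'reversed', or None if no pattern."""
    m = _CORE.fullmatch(password)
    if not m:
        return None
    core = m.group(1)
    if len(set(core)) == 1:          # 111111, 000000
        return "repeated"
    if core in SEQ_FORWARD:          # 123456, 456789, 7890123
        return "sequential"
    if core in SEQ_REVERSED:         # 654321
        return "reversed"
    return None


def tally(passwords) -> Counter:
    """Count how often each weak pattern appears, CNET-style."""
    counts = Counter()
    for pw in passwords:
        label = weak_pattern(pw)
        if label:
            counts[label] += 1
    return counts


# Constructed sample, not data from the actual breach.
SAMPLE = ["123456", "ab123456", "123456x", "111111", "000000",
          "654321", "Tr0ub4dor&3", "correct horse battery"]

if __name__ == "__main__":
    for label, n in tally(SAMPLE).most_common():
        print(f"{n}: {label}")
```

The same check can sit behind a password-change form so that the patterns counted in the breach are rejected before they ever reach the database.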
Multi-factor authentication, which your bank uses, is far better and more secure; it requires a username, a password and “something you have”: a personal security device separate from the PC.
While additional authentication measures might be a burden to some, they are a blessing to others who recognize how vulnerable their online accounts are otherwise.
Robert Siciliano, personal security expert contributor to Just Ask Gemalto.
1 user commented on “Is A Password Enough? A Closer Look at Authentication”
It is just annoying, the fact that we are still living in a password world. Almost everything is still only password protected. But ultimately the fact is that passwords (strong or not) do not replace the need for other effective security controls. As was stated, passwords are useless, outdated, and a security risk. That same organization understood that the only real solution is the need to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen. This should be a prerequisite to any system that wants to promote itself as being secure. With this, if they were to try to use the “stolen” password and don’t have your phone, nor are on the computer, smartphone or tablet you have designated as trusted, they would not be able to enter the account.