Despite overwhelming evidence that our passwords are too weak and that password authentication is easily exploited, users and companies don’t seem to be taking any corrective action. The recent Ashley Madison hack shows us yet again that users are incredibly lazy when it comes to creating passwords.
The password-cracking group CynoSure Prime was able to crack the leaked password hashes efficiently and recover more than 11 million usernames and passwords, giving them the majority of the account details that were leaked. The passwords were not encrypted but hashed, and the main store used bcrypt, a deliberately slow hash; what made the attack feasible was a separate login token derived from a fast MD5 hash of the password, which turned a job that should have taken years into one that took days.
And as we usually see when passwords are analysed, the top passwords included “123456,” “password,” and “DEFAULT.” Many of the top 100 passwords had a number of problems in common, all symptomatic of poor password selection: many contained only lowercase letters, few included numbers, none used special characters, and all three rows of the keyboard (e.g. “qwertyuiop”) appeared in the top 100.
While it’s easy to blame users for bad passwords, and you’re right to do so, CynoSure’s detailed write-up explains precisely how they cracked the hashes, and they recovered 2.6 million accounts in a matter of hours. That speed is a damning indictment of Ashley Madison’s entire authentication and security system, not just of its users.
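As an added illustration (example code written for this edit, not CynoSure Prime’s tooling or Ashley Madison’s code), the following Python script runs a dictionary attack over a constructed set of unsalted MD5 hashes seeded with the top passwords named above, tags each recovered password with the traits the top-100 analysis describes, and then times the same wordlist against a deliberately slow PBKDF2 hash. The user names, the hash values, MD5 as the fast hash and PBKDF2 as the slow-hash stand-in are all assumptions for the example; the script makes no claim about the scheme Ashley Madison actually used. It goes slightly beyond the text by flagging uppercase-only as well as lowercase-only passwords.

```python
import hashlib
import os
import time

# Constructed sample data for this example (not the Ashley Madison dump).
# Unsalted MD5 is assumed as the "fast hash"; it stands in for whatever fast
# hashing a site exposes and is not a claim about Ashley Madison's scheme.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

LEAKED_HASHES = {
    "user1": md5_hex("123456"),
    "user2": md5_hex("password"),
    "user3": md5_hex("DEFAULT"),
    "user4": md5_hex("qwertyuiop"),
    "user5": md5_hex("Tr0ub4dor&3"),  # not in the wordlist, should survive the attack
}

# A tiny "top passwords" wordlist; real attacks use millions of entries plus rules.
WORDLIST = ["123456", "password", "DEFAULT", "qwertyuiop", "12345678",
            "abc123", "letmein", "zxcvbnm", "asdfghjkl"]

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def crack(leaked: dict, wordlist: list) -> dict:
    """Dictionary attack against unsalted hashes: each candidate is hashed once
    and matched against every leaked hash, so cost is O(wordlist), not O(users)."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


def weaknesses(password: str) -> list:
    """Flag the traits the top-100 analysis highlights (single-case letters only,
    no digits, no special characters, keyboard-row runs) plus length under 8."""
    flags = []
    if password.isalpha() and (password.islower() or password.isupper()):
        flags.append("letters only, one case")
    if not any(c.isdigit() for c in password):
        flags.append("no digits")
    if password.isalnum():
        flags.append("no special characters")
    low = password.lower()
    # Any run of four adjacent keys from one keyboard row counts as a row pattern.
    if any(row[i:i + 4] in low for row in KEYBOARD_ROWS for i in range(len(row) - 3)):
        flags.append("keyboard row")
    if len(password) < 8:
        flags.append("shorter than 8 characters")
    return flags


def audit(leaked: dict, wordlist: list) -> dict:
    """Crack what the wordlist reaches and explain why each recovered password fell."""
    return {user: {"password": pw, "weaknesses": weaknesses(pw)}
            for user, pw in crack(leaked, wordlist).items()}


def guess_cost(wordlist: list, iterations: int = 100_000) -> tuple:
    """Seconds to try the whole wordlist against one fast MD5 hash versus one
    salted PBKDF2-HMAC-SHA256 hash with a high iteration count. PBKDF2 is the
    slow-hash stand-in here only because it ships in the standard library."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for word in wordlist:
        md5_hex(word)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for word in wordlist:
        hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations)
    slow = time.perf_counter() - t0
    return fast, slow


if __name__ == "__main__":
    for user, info in audit(LEAKED_HASHES, WORDLIST).items():
        print(f"{user}: {info['password']!r} -> {', '.join(info['weaknesses']) or 'no flags'}")
    fast, slow = guess_cost(WORDLIST)
    print(f"wordlist vs MD5: {fast:.6f}s, vs PBKDF2: {slow:.3f}s "
          f"({slow / max(fast, 1e-9):,.0f}x slower)")
```

Two things worth noticing when you run it: the single precomputed lookup in `crack` breaks every account at once because the hashes are unsalted, which is exactly what a per-user salt (as in the PBKDF2 branch) prevents, and the cost ratio printed at the end is the entire argument for a slow, salted password hash, since a fast hash lets an attacker burn through a wordlist of millions of entries per second on commodity hardware.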
It’s becoming more apparent that the current username-and-password system clearly isn’t working. Password managers, two-factor authentication and end-to-end encryption have become imperative, and the industry is also moving in the direction of biometric authentication.
Bottom line: weak security is no security. Companies need to take responsibility for protecting user data and implement the technological solutions that are already available. The Ashley Madison hack is a prime example of how both users and businesses are utterly failing to protect data that both parties would rather have kept secret.