Russian mega-hack: time to get serious about alternatives to passwords?

All the talk this week has been of the Russian mega-hack. A data breach revealed first in the New York Times by a security firm called Hold Security of an estimated 1.2 billion username and password combinations and 500 million email addresses.

So what can we say about it?

Well, according to the security experts I spoke to we can summarise as follows:

• It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
• The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
• It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
• Online firms should see this as a wake-up call. Patch those SQL flaws and keep passwords more secure – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.

Beyond that, Thales UK head of cyber security, Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.

“Once of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.

“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger black listing of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”

For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.

“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.

“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”

For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.

“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.

“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest.  If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”