Managing and securing passwords has been one of the biggest challenges in information security. The news of password leaks at LinkedIn, eHarmony and last.fm within such a short span of time makes me think that these events are becoming more widespread.
According to Wikipedia: A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
There are always two parties who maintain a password: the user and the service provider. The user should remember the password and not share it with anyone, and the service provider should do everything possible to make sure it is not exposed to any third party.
What we are seeing these days is that service providers are failing to secure their password storage, and attackers are able to extract it.
What is a password hack?
When someone gains access to the password database by exploiting the system or the process around it, they have every password outright if the passwords were stored in plain text; if not, they will try to crack the stored hashes offline.
When someone gets to know your password, your data and your access may be the target. The motive can vary. Many times hackers do it just to show off their ability and embarrass the service provider, which of course gets big news coverage; in these cases you usually have little to worry about beyond changing the password. At other times the attack is targeted, and it can stay unnoticed for a long time or never be discovered.
What can I do to feel a little safer with my password?
Avoid using weak passwords, and do not reuse the same password across services, even with a character or two changed; a leak at one service is then simply replayed against the others.
Where it is supported, sign in with an existing account through OAuth instead of creating a new password with each provider, so there is one fewer password store that can leak.
Avoid services that do not support authentication over SSL/TLS.
Ask your provider how they store your password and secure your data.
And the last one, which has very little to do with the service provider: always log in from a trusted terminal, one that is not compromised and is kept patched and protected by up-to-date antivirus.
What should the industry do?
All passwords should be hashed with a strong, deliberately slow cryptographic hash function (a password hashing scheme such as bcrypt, scrypt or PBKDF2) together with a unique random salt per user, and should never be stored in clear text, reversibly encrypted, or in a format which is easy to break, such as a single fast unsalted hash.
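To make the difference concrete, here is an added example in Python (not code from the original post) that contrasts a fast unsalted digest with a per-user salted, deliberately slow key derivation using PBKDF2-HMAC-SHA256 from the standard library. The stored record layout `$pbkdf2-sha256$iterations$salt$hash`, the default iteration count and the `needs_rehash` policy check are assumptions chosen for this example; the same structure applies to bcrypt or scrypt via a maintained library.

```python
import base64
import hashlib
import hmac
import os

# Weak approach, shown only for contrast: one fast, unsalted digest.
# Two users with the same password get the same digest, and a leaked table
# can be attacked with precomputed tables or billions of guesses per second.
def weak_digest(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Stronger approach: random salt per record plus a slow key derivation
# function. PBKDF2-HMAC-SHA256 is used because it ships with Python; the
# iteration count below is an assumption for this example and should track
# what your servers can afford (hundreds of milliseconds per login is fine).
DEFAULT_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record (assumed layout) that stores its own
    scheme, iteration count and salt, so each can change later without
    breaking existing users."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$pbkdf2-sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and parameters and
    compare in constant time, so timing does not leak how many leading
    bytes of a guess were right. Malformed records never verify."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record predates the current iteration policy (or cannot
    be parsed), so it should be rehashed at the next successful login."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256" or not parts[2].isdigit():
        return True
    return int(parts[2]) < iterations

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong guess", record))
```

Note that the salt makes two records for the same password differ, which is exactly what the unsalted `weak_digest` fails to do: an attacker who cracks one weak digest has cracked every account sharing that password.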
Ensure that authentication happens over SSL/TLS so that the password cannot be picked up over the network.
Providers must make sure they accept only passwords that are hard to guess or crack, for example by enforcing a minimum length and rejecting passwords found in common-password lists.
Support two-factor authentication. Usually it is your password plus a second factor, typically a code that changes over time. A common one is the RSA SecurID token, whose displayed code changes at fixed intervals; the same idea is available as an open standard in time-based one-time passwords (TOTP, RFC 6238). As long as the token stays with you, you can feel reasonably secure even if the password alone leaks.
If the provider is not ready to put a significant amount of time and resources into securing your password, they should let it be handled by an authentication provider who is, for example by accepting logins through OAuth or OpenID.
And finally, they should disclose their security policy, and when such an event happens, notify users promptly and do something about it.
As we get more used to free services, we should not forget our rights. Many of us use the same password for different services and also store very important data in those services; having that password compromised is simply not an option.
Tags: password leak, password hack, linkedin, eHarmony, last.fm, password security, what should I do?
Great job on your post, I like your detailed explanations along with the examples. Very well put.
Thanks a lot for reviewing my blog. I really appreciate it.