Common sense tells us that a long, complex password is inherently better than a short, simple one, primarily because it is harder for a human to guess from what they know about the user. However, when computers can brute-force even the most complex passwords within minutes, a lot of people are starting to question why they bother at all. That is all the more true in light of a recent discovery that Russian hackers have amassed nearly 1.2 billion unique compromised credentials in a series of hacks targeting nearly half a million websites. Investigation into some of the hacked sites has revealed that although you may have put some effort into creating a complex password, the website you created it for didn’t invest nearly as much effort in keeping it safe. In some cases, the stolen passwords had been stored “in the clear”, i.e. not encrypted.
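The difference between a site that stores passwords “in the clear” and one that protects them is worth seeing in code. The example below is added here and is not from the original post or any of the breached sites; it contrasts the plaintext pattern with a salted, iterated PBKDF2-HMAC-SHA256 hash verified in constant time (the standard defence is a slow, salted hash rather than reversible encryption, because the site never needs the password back, only to check it). The record format, iteration count and sample credential are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Hypothetical parameters chosen for this example; tune the iteration
# count to what your servers can afford per login attempt.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def store_in_the_clear(username: str, password: str, db: dict) -> None:
    """The weak pattern described in the post: the password itself is written
    to the table, so one dump of that table exposes every credential."""
    db[username] = password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record carries its own algorithm,
    iteration count and salt so parameters can be raised later without a
    schema change; every call draws a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched.
    Malformed or foreign records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        expected = bytes.fromhex(digest_hex)
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(expected, actual)


def record_exposes_password(record: str, password: str) -> bool:
    """What someone holding a copy of the table sees: True if the stored
    value reveals the password directly."""
    return password in record


if __name__ == "__main__":
    clear_db, hashed_db = {}, {}
    # Constructed sample credential, not taken from any real breach.
    store_in_the_clear("alice", "correct horse battery staple", clear_db)
    hashed_db["alice"] = hash_password("correct horse battery staple")
    print("in the clear:", clear_db["alice"])
    print("hashed record:", hashed_db["alice"])
    print(verify_password(hashed_db["alice"], "correct horse battery staple"))  # True
    print(verify_password(hashed_db["alice"], "wrong guess"))  # False
```

Because each record carries a unique salt, two users with the same password get different records, and a stolen table cannot be attacked with one precomputed lookup; the iteration count is what keeps per-guess cost high when the table does leak.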
What this means for you:
Sadly, the industry as a whole is still scrambling to come up with a solution to the failure of passwords as a security mechanism. So far, the best some sites can offer is two- or three-factor authentication, and as can be surmised from the lackluster adoption of this form of protection, most people will opt for the simpler, less secure method when they aren’t required to do otherwise. As for what to do about the breach described above: go out there and change your passwords on all your important accounts, and enable two-factor authentication where available, especially on critical business services like email, banking and file-sharing sites. It’s highly likely one of your passwords is part of this huge hacker database, and it could be used against you very soon.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net