In 2016, a hacker group going by the name of OurMine took over the Twitter and Pinterest accounts of Facebook CEO Mark Zuckerberg. However, the hackers didn’t employ any secret tricks or tools to access Zuckerberg’s account—they came right through the front door, using his poorly chosen password, “dadada.”
How did OurMine gain access to Zuck’s Twitter and Pinterest passwords? In 2012, hackers stole the credentials of more than 100 million users from the professional social networking platform LinkedIn. Zuckerberg was among the affected users. Apparently, as OurMine found out, he had reused the same password for his Twitter and Pinterest accounts, and hadn’t changed it since 2012.
Zuckerberg, who everyone would agree is a tech-savvy person, deserves some serious chiding for making so many obvious mistakes in choosing his passwords and securing his accounts. But LinkedIn, Twitter and Pinterest are also to blame for failing to secure their users’ secrets. The entire episode highlights the worsening problem of password vulnerabilities.
Here’s everything you need to know about password vulnerabilities and how they affect you as both an organization and a user.
As computing power becomes increasingly available at affordable prices, attackers find it easier to break into accounts through brute-force methods, such as testing every possible combination in super-rapid succession to find the right password.
To avoid being brute-forced, users must choose passwords that are longer and more complex, containing lower- and upper-case letters, digits and symbols. They must also change their passwords regularly. This puts a lot of strain on users, especially when they must make the same considerations for dozens of online accounts.
Many users avoid taking such measures. Year after year, studies find that poor passwords such as “123456” and “password” remain extremely popular.
One of the recommendations any cybersecurity expert will give is to avoid reusing passwords across multiple accounts. However, when users must maintain long and complex passwords across several accounts, they tend to reuse their passwords verbatim or with small variations.
When hackers find the password to an account, they can quickly gain access to other accounts that use a similar password. This is exactly what happened to Mark Zuckerberg when LinkedIn got hacked.
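The three weaknesses above (brute-forceable length, popular passwords, and reuse with small variations) can all be caught at the point where a password is chosen. The following Python is an added example written for this article, not code from any of the services named; the denylist, the per-user salt and the attacker guess rate are constructed for illustration. The variation check works on a normalized form of the password (lower-cased, with leading and trailing digits and symbols stripped) and stores only a salted, slow hash of that form, so the check never needs old passwords in plaintext.

```python
"""Password-policy checks for a registration or password-change form.
Added example for this article, not code from any of the services named.
The denylist, salt and attacker guess rate below are constructed for illustration.
"""
import hashlib
import re
import string

# Constructed denylist; a deployment would load a breach-derived list of
# millions of entries instead of these few.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "dadada", "letmein"}

MIN_LENGTH = 12

# Assumed offline guess rate against a fast, unsalted hash (illustrative figure).
GUESSES_PER_SECOND = 10 ** 10

_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
    (" ", 1),
)


def search_space(password):
    """Brute-force keyspace for a password of this length drawn from the
    character classes it actually uses (the article's 'every combination')."""
    alphabet = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return alphabet ** len(password)


def brute_force_seconds(password):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return search_space(password) / GUESSES_PER_SECOND


def normalize(password):
    """Collapse the 'small variations' users make when forced to rotate:
    case, and leading/trailing digits or symbols (Summertime2019! -> summertime)."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def history_fingerprint(password, user_salt):
    """Salted, slow hash of the normalized password, kept per user so that
    variation checks never require storing old passwords in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), user_salt, 100_000).hex()


def check_new_password(candidate, user_salt, history):
    """Return a list of policy violations; an empty list means the password is acceptable.
    `history` is the set of fingerprints of the user's previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    if history_fingerprint(candidate, user_salt) in history:
        problems.append("matches a previous password or a trivial variation of it")
    return problems


if __name__ == "__main__":
    salt = b"constructed-per-user-salt"   # constructed; use os.urandom(16) per user
    previous = {history_fingerprint("Summertime2019!", salt)}
    for pw in ("dadada", "Summertime2020!!", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw, salt, previous) or "ok",
              "(exhaustive search: %.2e s)" % brute_force_seconds(pw))
```

Running it shows “dadada” failing on both length and the denylist, “Summertime2020!!” being rejected as a variation of the user’s previous password, and a long passphrase passing; the keyspace figure makes the length point concrete without pretending to be a real strength meter.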
Hard Copy Exposure
Following the recent false alarm from Hawaii’s missile warning system, questions began to surface about the integrity of the state’s digital infrastructure. Officials insist the false alarm was due to human error and that the state’s system was not hacked. However, a recently published media photo showing a note with a password stuck to a PC monitor inside Hawaii’s Emergency Management Agency called the organization’s security practices into question. A cybercriminal would likely have been able to use this carelessly exposed password to do far worse than trigger a false alarm on the state’s systems.
It’s a simple fact of life.
Because users need to remember passwords for all of their accounts, they inevitably resort to making hard copies of their passwords. Unfortunately, this practice leads to serious security compromises, as hard copies tend to be easily exposed. Research has shown that this compromising practice has been widespread for years, and it continues to be a common phenomenon among users today.
Companies and organizations that use passwords to authenticate their users take on the responsibility of protecting those secrets. This means keeping them in secure storage and hashing them with a strong algorithm so that a data breach does not expose users’ passwords.
These entities often fail to live up to their duties. LinkedIn had stored its users’ passwords (including Zuckerberg’s) in hashed form when it was hacked in 2012. However, it had used a poor algorithm (SHA-1), which made it trivial for the attackers to recover the passwords. In 2015, giant toymaker VTech was hacked, and because it had used the obsolete MD5 algorithm to hash user passwords, hackers easily gained access to the accounts of millions of children.
What are the solutions to password vulnerabilities?
It is now evident beyond the shadow of a doubt that plain passwords are an extremely bad security practice. Fortunately, there are several ways that, as an organization, you can secure your users without complicating their experience. Following are some of the solutions that can protect the hundreds of millions of people (like Zuckerberg) and organizations (like LinkedIn) that fall victim to password vulnerability exploits every year.
- Multifactor authentication (MFA): MFA involves using several pieces of information to authenticate the identity of the user logging in to a service. With MFA, even if hackers obtain users’ passwords, they won’t be able to gain access to their accounts because they’ll need the other tokens as well. Find out more about MFA here.
- Password-less authentication: Instead of storing and exchanging passwords, password-less authentication technologies use other methods to verify the identity of users. Find out more about password-less authentication here.