Time to rethink password security as we know it


By now, every one of you should know, or at least have heard of, the security breach experienced by one of the largest e-commerce sites in the world – eBay Inc.

To recap, Reuters reported that the San Jose, California-based giant acknowledged that hackers raided its network three months ago, accessing some 145 million user records in what is poised to go down as one of the biggest data breaches in history, based on the number of accounts compromised.

Subsequently, the company advised customers to change their passwords immediately, saying they were among the pieces of data stolen by cyber criminals who carried out the attack between late February and early March, the news wire added.

eBay spokeswoman Amanda Miller told Reuters late on Wednesday that those passwords were encrypted and that the company had no reason to believe the hackers had broken the code that scrambled them.

“There is no evidence of impact on any eBay customers,” Miller said. “We don’t know that they decrypted the passwords because it would not be easy to do.”

She said the hackers gained access to 145 million records of which they copied “a large part.” Those records contained passwords as well as email addresses, birth dates, mailing addresses and other personal information, but not financial data such as credit card numbers.

Now there are some people who believe that eBay wasn’t aware or was at least slow to come to terms with the fact that such an attack had happened, and the claim that its customers’ data was safe led to the company being slow to react to the problem at hand.

In fact, this has even now escalated to formal investigations by several states in the United States as well as in Britain.

Notwithstanding whether eBay knew or not, one thing is for certain: Consumers like us need to be much more vigilant over the number of passwords we use, as so much of our lives is now invested in the Internet.

If you think about it, many of us do not just have a handful of online accounts such as an e-mail or a Facebook account. A typical Internet-savvy user could hold anywhere from half-a-dozen to a dozen online accounts, including productivity, online banking, social media, and e-commerce accounts.


Without being specific, I think all consumers – meaning all of us – need to thoroughly review how they manage their passwords and whether they’re duplicating passwords for different accounts or services that they use.

Plainly put, duplication isn’t a good idea any more. Having just one or two passwords to access all your online services means that should any one of those passwords be compromised, you’ll be caught with your pants down across every service that shares it.

So what can you do?

There are a variety of ways you can approach this. The first is to try not to use duplicate passwords. This is where you could consider using pass lock programmes, commonly known as password managers, to store your multiple passwords for you.

Examples of these are 1Password and LastPass. There are of course others you can consider, and searching online would get you a list.

From an industry perspective, this eBay breach has shown that more must be done to come up with a better way of authenticating our online accounts. Currently, most online services, save the most secure ones, are based on a one-step authentication consisting of a username and password.


The eBay breach also raises a question: Is there a place for the implementation of a two-step or two-factor authentication for Internet services worldwide?

For a more detailed explanation on two-factor authentication, surf here.

All major web services companies have them already. Google, for example, has the option of doing two-factor authentication and so does Microsoft.

[Image: Google two-step verification]

A cost worth bearing?

Surely by adopting two-factor authentication, users will be bothered more than usual when logging in to their online accounts. There are more steps to take and more inconvenience to face.

While this may seem a chore, the alternative of not doing so will be much, much worse, especially should any of your accounts be compromised or hacked.

As the age-old adage says, “It’s never an inconvenience till it happens to you.”

As technology surges ahead and as more of our lives become so intertwined with the Net, there needs to be a fundamental re-engineering of how we access services over the Net.

But like with most things in life, so much time is spent focusing on the big things that the small things get overlooked. IMHO, the truth is that simply accessing these complex services via simple usernames and passwords can’t be the way forward.

So it’s time we took our passwords and security seriously. Because only when we can use these services safely will their power make real sense to us all.

Header image credit: Betranslated.com

Edwin Yapp
An engineer by training, Edwin turned his back on the engineering world to cut his teeth as an award-winning full-time journalist with his own editorial consultancy inSight Editorial Services. He is also stirring up the regional tech space as co-founder of the highly respected tech news portal Digital News Asia. You can find Edwin at http://twitter.com/yedwin01.