Thursday, February 18, 2016

Password Reuse...

Password reuse—using the same password for multiple sites or services—is both rampant and dangerous.

Sites that have either leaked user passwords or seen account-takeover attempts using reused passwords include:

  • LinkedIn
  • Dropbox
  • Hotmail
  • Gmail
  • Yahoo!
  • Amazon

The worst part: Many users whose passwords were leaked had used the same password for all of their site accounts. This meant that a password leaked from one site could have granted access to many or all of their accounts.



An Example
Suppose you use the same password on Sony’s PlayStation Network as you use when shopping with Best Buy. Now, suppose that your PlayStation username and password were among the 77 million leaked in April 2011. An attacker could, in principle, use that information to take a good guess at your password for Best Buy.



From a report by John Fontana at ZDNet:
“After months of Best Buy customers reporting compromised accounts, the company has finally confirmed hackers are attacking its online retail site using credentials stolen from other sites. It’s a worst-case scenario, where credentials stolen from one site are used to access other sites, most notably retail or banking sites where hackers can extract some value.”

Now imagine an employee doing the same thing: using the password for their employee account on an outside site.


What should we do?
  • As you should with your personal accounts, don’t reuse passwords for employee accounts, especially work accounts where the password is stored by a third party outside of your organization. And don’t use your employee account passwords on any personal site.
  • Use a secure password management tool to manage and store all of the passwords for your accounts.
  • Use 2-factor authentication. Read more about 2-factor authentication here: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201211_en.pdf
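The PlayStation/Best Buy scenario above is really a question of blast radius: if one site leaks, which other accounts share that password? The script below is an added example, not part of the original post or any tool it mentions; it audits a constructed password-vault export for reuse, computes which accounts fall if a given site is breached, and checks each password's hash against a constructed stand-in for a breach corpus.

```python
"""Audit a password-vault export for reused passwords (added example).

Illustrative code added to this post, not a tool the post describes.
The vault entries and the "leaked" hash set are constructed sample data.
"""
import hashlib
from collections import defaultdict

# Constructed sample vault export: (site, username, password).
SAMPLE_VAULT = [
    ("playstation.example", "alice", "Summer2011!"),
    ("bestbuy.example", "alice", "Summer2011!"),
    ("bank.example", "alice", "Summer2011!"),
    ("mail.example", "alice", "x9#Lq2!pVt7z"),
    ("corp-vpn.example", "alice", "Qr7^wN3$kd0m"),
]

# Constructed stand-in for a breach corpus: SHA-1 digests of leaked passwords.
# Breach lists are normally consulted by hash so plaintext never leaves the client.
SAMPLE_LEAKED_SHA1 = {hashlib.sha1(b"Summer2011!").hexdigest()}


def group_by_password(vault):
    """Map each distinct password to the list of sites that use it."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[password].append(site)
    return dict(groups)


def reused_passwords(vault):
    """Return {password: [sites]} for passwords used on more than one site."""
    return {p: sorted(s) for p, s in group_by_password(vault).items() if len(s) > 1}


def blast_radius(vault, breached_site):
    """Other sites that fall if the password stored at breached_site is exposed."""
    groups = group_by_password(vault)
    exposed = set()
    for site, _user, password in vault:
        if site == breached_site:
            exposed.update(groups[password])
    exposed.discard(breached_site)
    return sorted(exposed)


def leaked_sites(vault, leaked_sha1):
    """Sites whose password hash appears in the leaked-hash set."""
    return sorted(site for site, _u, p in vault
                  if hashlib.sha1(p.encode()).hexdigest() in leaked_sha1)


if __name__ == "__main__":
    for pw, sites in reused_passwords(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    print("exposed if playstation.example leaks:", blast_radius(SAMPLE_VAULT, "playstation.example"))
    print("sites using a leaked password:", leaked_sites(SAMPLE_VAULT, SAMPLE_LEAKED_SHA1))
```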
