Misinformation on Weak Passwords, Poor Authentication Measures and Data Breaches

There is typically a lot of confusion on security issues in the way they are relayed to the general public, especially when the PR folks get involved in trying to take news of major breach events and spin them in an effort to push a vendor's product. Sometimes the level of misinformation just makes you scratch your head and wonder what people are thinking when they are writing a press release. The one that landed in my inbox the other day surely takes the cake.

“In a year loaded with password breaches – Yahoo!, LinkedIn, eHarmony and Last.fm, among others – SplashData Reveals Its Annual '25 Worst Passwords of the Year' List… Users of any of these passwords are the most likely to be victims in future breaches,” the lead line in the press release stated. What? Really?

The way that sentence reads might lead some to believe that using weak passwords like “1234” or “qwerty” somehow causes massive database breaches. It conflates two very different issues, the strength of an individual user's password and the security of the password database on the vendor's side, and it does not even address the question of what level of authentication is adequate for sensitive accounts.

“First off, none of those breaches were as a result of poor user passwords,” noted security analyst Javvad Malik. “In all the examples quoted, the breaches were due to the company’s inadequate protection of password databases. In such instances, users could have the best passwords in the world and they would have still been exposed.”

That means everyone who used “abc123” or a similarly weak password can breathe a sigh of relief: they are officially absolved of all responsibility for the breaches referenced in the press release. But is the real issue here password strength, or is it the level of authentication required to keep sensitive accounts secure? Does selecting strong passwords that mix upper and lower case letters with numbers and other characters, as the press release goes on to suggest, really mean your accounts will be adequately protected from attackers?

Well no, not necessarily. The problem with using passwords alone is that they are a single factor: anyone who obtains the password, whether by guessing it, phishing it or cracking a stolen hash, has everything needed to log in. Even the best password choice does not go far enough to protect sensitive accounts like those for banking or medical records.

“The fact of the matter is, no matter how long, how complex, how much you hide them and/or how much you encrypt them – passwords merely present a single form of authentication for access into your personal account. This doesn't mean make your passwords longer or harder to guess or even to change them more often or all of the above – all the nonsense that is being spewed about 'how to make passwords more secure' – it means to implement an additional method of authentication, ensuring only you can access your account even if your password has been compromised,” security engineer and penetration tester Marc Quibell says.

Many companies now offer multi-factor authentication to better protect online accounts, and while these features are increasingly standard, much of the time it is still up to the user to voluntarily opt in if they want the additional security.

“When it comes to online financial sites such as banking, users should take better control of their security by opting for a second factor of authentication such as out-of-band authentication (where they send you a PIN code via text message) or by using a security token where available. Wherever the risk is higher, where the data is more sensitive or crucial, the access controls should proportionately increase in strength,” said Quibell.
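To make the two points above concrete, here is an added example (not code from the article or from either analyst quoted) of a login check that requires both a password and a time-based one-time code of the kind a security token or authenticator app produces. It assumes a hypothetical single-user store in which only a salt and a PBKDF2 hash of the password are kept, so a stolen copy of the store does not hand over the password itself (Malik's point), and it uses RFC 6238 TOTP as the second factor, so a correct password on its own is still refused (Quibell's point). The user name, password and shared secret are constructed for the demonstration; the secret is the RFC 6238 test-vector key, which lets the code be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumption: a cost high enough to slow offline cracking
TOTP_STEP = 30           # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salt + PBKDF2 hash only, never the plaintext."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def check_password(user: dict, password: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm most authenticator apps and tokens use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * TOTP_STEP)
        ok |= hmac.compare_digest(expected, code)  # no early exit: check every step
    return ok


def login(user: dict, password: str, code, unix_time: int) -> str:
    """Both factors must pass; a correct password alone is not enough."""
    if not check_password(user, password):
        return "denied: bad password"
    if code is None or not check_totp(user, code, unix_time):
        return "denied: second factor missing or wrong"
    return "granted"


def demo() -> dict:
    """Constructed scenario: the weak password has leaked, the token secret has not."""
    secret = b"12345678901234567890"        # RFC 6238 SHA-1 test-vector key
    user = make_user("abc123", secret)
    now = 59                                  # RFC 6238 test time: expected code 287082
    return {
        "hash_is_not_password": user["pw_hash"] != b"abc123",
        "password_only": login(user, "abc123", None, now),
        "password_and_code": login(user, "abc123", totp(secret, now), now),
        "wrong_password": login(user, "wrong", totp(secret, now), now),
        "wrong_code": login(user, "abc123", "000000", now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The interesting line is `password_only`: the attacker holds the user's actual (weak) password, and the login is still refused because the second factor never arrives. The hash-only store covers the other half of the argument; a leaked record yields salt and hash, not the password, and the PBKDF2 cost makes guessing it back expensive.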

The moral of the story here is simple: Choosing strong passwords is a good practice, but consumers should not be left with the impression that single factor authentication is an adequate method for ensuring the security of sensitive online accounts. Furthermore, vendors need to do a better job of conveying the facts about security and avoid unnecessarily complicating issues with blatant misinformation.