New year, same old security passwords

Attackers hack global intelligence service Stratfor's website, and the real lesson for IT is the hazards of password reuse

It's a new year, but security practitioners got a salient reminder that an old issue -- password reuse -- continues to be a pernicious problem.

The day before Christmas, hackers claiming a connection with the Anonymous movement compromised the website of global intelligence firm Stratfor. In the following week, the group released a stolen file containing the usernames and hashed passwords of more than 860,000 users. An effort to use typical dictionary attacks and brute-force techniques to break the passwords yielded quick results: Nearly 10 percent of the passwords succumbed to standard password-recovery techniques in less than 5 hours, according to the Tech Herald.

Yet the lesson is not that people pick poor passwords. Badly chosen passwords did not lead, as far as we know, to the compromise of Stratfor's servers, says Nick Selby, a security analyst for law enforcement and a subscriber to the service.

"The reason the Stratfor breach occurred had absolutely nothing to do with users using 'Stratfor' or 'password' or other forms of stupid passwords," Selby wrote on Tuesday. "The reason was that Stratfor spent no time or energy on its information security, were bad stewards of my data, and broke industry standards and guidelines as to the protection of specific data such as passwords, credit card numbers, and personally identifiable information of its members."
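The two passages above make one combined technical point: a leaked file of hashed passwords fell to dictionary and brute-force techniques within hours, and Selby's complaint is that the site ignored industry guidelines for protecting stored passwords. The following added example (not code from the article, Stratfor or Selby) shows why the storage scheme matters so much. It runs the same small dictionary attack against two constructed user tables: one stored as unsalted, single-pass SHA-1, the other as per-user salted PBKDF2-HMAC-SHA256 from Python's standard `hashlib`. The users, passwords and wordlist are made up for the demonstration; the iteration count is an assumption, not a figure from the page.

```python
import hashlib
import os

# Constructed sample data (not from the leaked file): three users and a
# five-word dictionary. Two users chose a word on the list; one did not.
SAMPLE_USERS = {
    "alice": "stratfor",
    "bob": "password",
    "carol": "correct-horse-battery-staple-2012",
}
WORDLIST = ["stratfor", "password", "123456", "letmein", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted single SHA-1: fast, and identical for every user with the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_unsalted(hashes: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes. Each word is hashed once and every
    user's hash is looked up in that table, so the work is O(len(wordlist))
    no matter how many users leaked. Returns (cracked, hash_evaluations)."""
    table = {weak_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in hashes.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(records: dict, wordlist: list, iterations: int) -> tuple:
    """The same attack on salted PBKDF2. The salt makes each user's hash unique,
    so the wordlist must be re-run per user, and every guess costs `iterations`
    rounds. Returns (cracked, kdf_evaluations)."""
    cracked, evaluations = {}, 0
    for user, (salt, digest) in records.items():
        for w in wordlist:
            evaluations += 1
            if strong_hash(w, salt, iterations) == digest:
                cracked[user] = w
                break
    return cracked, evaluations


def demo(iterations: int = 100_000) -> dict:
    """Store the sample users both ways, then run the dictionary attack on each table."""
    unsalted = {u: weak_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {}
    for u, p in SAMPLE_USERS.items():
        salt = os.urandom(16)  # fresh random salt per user
        salted[u] = (salt, strong_hash(p, salt, iterations))

    weak_cracked, weak_work = crack_unsalted(unsalted, WORDLIST)
    strong_cracked, strong_work = crack_salted(salted, WORDLIST, iterations)
    return {
        "weak_cracked": weak_cracked,
        "weak_hash_evaluations": weak_work,          # one per word, shared by all users
        "strong_cracked": strong_cracked,
        "strong_kdf_evaluations": strong_work,       # per-user work, each `iterations` rounds
        "strong_hash_rounds": strong_work * iterations,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Both tables give up the two users who chose a dictionary word, which is the "10 percent in under 5 hours" part of the story: no storage scheme rescues a user whose password is on the attacker's list. The difference is cost. Against the unsalted table the attacker computes five hashes in total and can reuse them across every one of the 860,000 accounts; against the salted, iterated table each account needs its own run of the wordlist at 100,000 rounds per guess, so the same five words cost 800,000 rounds for three users and scale linearly with the number of accounts. That gap is what the industry guidelines Selby refers to are meant to buy.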

The lessons for users go beyond the poor security of many online services. The lasting impact of the Stratfor breach will be that many credit-card issuers will have to replace account numbers and many users will have to hunt down other accounts where they used the same passwords and change their credentials.

Following the breach of Sony's online sites and the leak of a million passwords, for example, an analysis of a small subset of Sony users whose passwords had also been leaked in another breach found that two-thirds had reused the same password.

Companies should take this lesson to heart. Easily guessable passwords can be addressed with in-house policies, but fighting password reuse requires education. While training is no panacea, teaching employees not to reuse their passwords outside the firm's firewall is important. Otherwise, the poor security of one online service becomes a flaw that attackers can use to get inside the corporate network.

This story, "New year, same old security passwords," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2012 IDG Communications, Inc.