August 7, 2014

In The News: Massive Password Breach Reported

Another month, another big data breach. In case you haven’t heard, there is news that 1.2 billion logins were stolen by a Russian cyber group. Hold Security, the group that reported the breach, has not disclosed which people or services are affected, citing non-disclosure agreements on their end. They do offer a service to check whether your password was stolen, but even then the form appears to ask for your actual passwords, which they then hash with SHA-512 and compare against the database they have reportedly obtained.

The big question is whether you should submit your passwords to them. In our opinion the answer is no. One problem is that not every company hashes its data with this algorithm, so a plain SHA-512 comparison cannot reliably tell you whether your password is in the stolen set. The responsible thing to do, if this is truly an email password breach, would be to notify the affected end users rather than ask them for their passwords and compare those against the data. Further to that, there is a lot of misinformation out there because of the way it was reported. Krebs on Security provides a decent overview of the situation, noting that the data was likely obtained over a period of 7 months.
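As an added illustration (not code from the original post or from Hold Security), the following Python models the check described above: the submitted password is hashed with unsalted SHA-512 and compared with leaked records. The password, salt and the three storage formats are constructed sample values; the point is that the comparison only matches where the breached site itself stored an unsalted SHA-512 digest, so a "not found" answer from such a checker is not evidence that a password is safe.

```python
import hashlib
import hmac

# Constructed sample values: one password that a user reused on three sites.
PASSWORD = "correct horse battery staple"
SALT = bytes.fromhex("0102030405060708")  # constructed, fixed for determinism

def sha512_hex(password: str) -> str:
    """Unsalted SHA-512, the scheme the checker in the post is said to use."""
    return hashlib.sha512(password.encode()).hexdigest()

def salted_sha512_hex(password: str, salt: bytes) -> str:
    """Salted SHA-512: same algorithm, different digest for the same password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()

def pbkdf2_hex(password: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256, a purpose-built password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed stand-in for the leaked data: (scheme, salt, digest) per site.
LEAKED_RECORDS = {
    "site-a": ("sha512", b"", sha512_hex(PASSWORD)),
    "site-b": ("sha512-salted", SALT, salted_sha512_hex(PASSWORD, SALT)),
    "site-c": ("pbkdf2-sha256", SALT, pbkdf2_hex(PASSWORD, SALT)),
}

HASHERS = {
    "sha512": lambda pw, salt: sha512_hex(pw),
    "sha512-salted": salted_sha512_hex,
    "pbkdf2-sha256": pbkdf2_hex,
}

def naive_check(password: str, records: dict) -> dict:
    """Model of the described checker: plain SHA-512 of the submitted
    password compared with each leaked digest, ignoring scheme and salt."""
    digest = sha512_hex(password)
    return {site: hmac.compare_digest(digest, rec[2]) for site, rec in records.items()}

def scheme_aware_check(password: str, records: dict) -> dict:
    """What a correct comparison needs: the scheme and salt each site used,
    information a third-party checker normally does not have."""
    return {
        site: hmac.compare_digest(HASHERS[scheme](password, salt), digest)
        for site, (scheme, salt, digest) in records.items()
    }
```

Running `naive_check(PASSWORD, LEAKED_RECORDS)` reports a match only for site-a even though the same password was exposed on all three sites; `scheme_aware_check` finds all three, but only because it was handed each site's scheme and salt.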

In the end, it comes down to using hard-to-guess passwords and a different password for each site. Think of it this way for email at least: if you only check your email through Outlook, for example, do you really need to know the password yourself, let alone use one that is easily guessed? If it is your personal computer, only you have access to it, and Outlook saves the password to check the mail, there are very few reasons you would need to use an insecure password.

Personally I, and others here, use LastPass or KeePass to keep track of passwords, all of which are randomly generated. I don’t know 98% of the passwords for any of the sites I use. I rely on LastPass and two-factor authentication for that. If two-factor authentication is available, use it. That in itself is worth the extra 30 seconds spent authenticating and the added security offered. If you’re interested in more information regarding security, Edge offers Duo Security for firewalls and servers, and Duo even has a plugin for popular services such as WordPress. Feel free to contact us for pricing on Duo Security and the added benefit it can offer to your environment.
