And yet again, there has been another security breach with significant number of accounts put at risk. Last week, it was disclosed by Yahoo! that over 450,000 account ID and passwords were obtained by a third party and published on the web.
The thing that bothered me the most about this particular security breach was that apparently the email addresses and passwords weren’t even encrypted. It was just a regular file on their server and once someone had downloaded it, it had the email addresses and passwords to approximately 500,000 people.
I won’t be a broken record and reiterate the importance of not using the same password for multiple websites, but if someone wants to read up on some suggestions I have, here’s the article
Multiple Locks -- One Key.
The revelation that I had with this security breach is that the mindset that I need to take is to assume that any website that requires a password will eventually be compromised. For me, this is an important approach as it means that I will have to have the strategies and contingencies in place so that when the inevitable happens, that I am prepared.
It’s a little discouraging for me to think that there’s probably no chance that any type of password can’t be stolen, but I think that this is just one of the realities (and the disadvantages) of our technologies. In my mind, there’s just no getting around the fact that people will always try to make a living by obtaining things that don’t belong to them.
Part of the problem that we will face though is how do we limit the damage that can be done from those who obtain our identities? I think that some things are in our control and other things aren’t.
What we can control is how many different places that we use that password (refer to the previously mentioned article). If we have a password that is unique to one site, then if that one site’s credentials are exposed then at least we can limit it to that site.
The other thing that we can do is to look at some advanced methods of password creation. Sometimes we are exposed because of hackers that get into a third parties database, but there are other times when the weakness and lack of complexity of our password s makes it easier for a third party to guess – or to use automated tools to try different variations. If we’re using passwords such as PASSWORD or the date and month of our birthday for our banking PIN, we need to take some responsibility for that.
There are many articles online that discuss different strategies for creating stronger passwords – for the next article, I’ll summarize these articles, provide links and give some suggestions.
Those are a couple of things that we can do to limit the damage. One of the things that we don’t have control over is how long it takes to be informed that there has been a breach so that we can change our passwords. This one is a little more problematic as it could be days or even weeks before we’re aware and this means that they have seamless access to our account.
I suppose that the only real way to mitigate this is by keeping assessing the relative damage that can be done and then for those sites where it’s more critical, to make sure that we keep a closer eye on activity for anything out of the ordinary.
The other thing that we can do is to change passwords on a regular basis. From what I understand, this particular security breach was in a historical document containing usernames and passwords, so anyone who had changed their password since the list was created would not have been affected by the breach.
Unfortunately, there’s no one solution out there, I think that if I had to summarize how to minimize damage, it would be to be smart, be proactive and be vigilant of account activity.