Wednesday, November 20, 2013

The Ethical Problems of Storing Passwords


Adobe lost 150 million user passwords that were neither hashed nor salted and were stored alongside their password hints. This is a hacker's dream. Since most users keep only one password, roughly 150 million passwords are now out in the open for anyone to see.

By looking at the domains in Adobe's customer list, it is very easy to spot some three-letter agencies in there. For those organizations, this is a huge concern. Since the members of those agencies reuse passwords, it would be somewhat easy to look for one with an easy password hint. Whoever guesses that password potentially has a way into someone's personal accounts. For everyone involved in this incident, it is very embarrassing.

Hacks happen, which is why password storage has such strict requirements. All of the standard requirements were completely ignored by Adobe. This raises the question: whose responsibility is it to protect passwords? Should users be the ones responsible enough to have one unique password per site? Alternatively, the responsibility could be placed on the site operator, trusting them to properly hide the password from any potential hackers.

I think the best solution would be for both sides to take responsibility for securely storing passwords. Users can use password managers and keep one secure, unique password per site. Site operators can stay responsible for keeping the password hashed and salted (unlike Adobe). With both sides working on security instead of just one, everyone as a whole will be more secure.
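As an added example (not code from the original post), the contrast the paragraph above describes, in Python: a fast unsalted hash still shows at a glance which users share a password, while a per-user salt plus PBKDF2 hides that and slows guessing. The sample accounts and their reused password are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample accounts; two users deliberately share a password,
# which is the reuse scenario the post is concerned about.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice@example.com", "Summer2013!"),
    ("bob@example.com", "Summer2013!"),
    ("carol@example.com", "correct horse battery staple"),
]

# PBKDF2 work factor; raise it until one verification takes ~100 ms on your hardware.
ITERATIONS = 200_000


def unsalted_record(password: str) -> str:
    """Weak form: a single fast SHA-256 digest with no salt.
    Identical passwords yield identical digests, so reuse is visible in the dump."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened form: a random 16-byte salt per user and PBKDF2-HMAC-SHA256.
    Returns (salt, derived_key); both are stored, the password is not."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derived key with the stored salt; constant-time compare."""
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def count_distinct_unsalted(users: List[Tuple[str, str]]) -> int:
    """How many distinct records an attacker sees: fewer than users means reuse leaks."""
    return len({unsalted_record(pw) for _, pw in users})


def count_distinct_salted(users: List[Tuple[str, str]]) -> int:
    """With per-user salts every record is distinct, even for a shared password."""
    return len({salted_record(pw)[1] for _, pw in users})


if __name__ == "__main__":
    print("unsalted distinct:", count_distinct_unsalted(SAMPLE_USERS))  # 2 of 3
    print("salted distinct:  ", count_distinct_salted(SAMPLE_USERS))    # 3 of 3
```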

While writing this post, the passwords of 42 million users were revealed by someone who hacked Cupid Media. Seeing how often passwords are exposed by malicious actors shows how important protecting them is.
