Another month, another round of online services being charged with password leaks – but in the cases of Snapchat and Dropbox, both are firmly defending the position that their own servers have not been compromised. So what is happening, and how can we protect ourselves online?
Of course each organisation guards its own systems and security protocols extremely carefully, so we have to guess at the details a bit. But what appears to have happened at Dropbox recently is that the hackers got lucky, using passwords obtained from somewhere a bit *less* secure.
How can this happen? It’s because of the way a lot of people use passwords.
Remembering passwords, especially strong complex ones, is difficult. We’ve all had the frustration of being locked out of an online service because our password isn’t being accepted for one reason or another, so we look for shortcuts to remembering and logging in.
Saving passwords directly in your browser is a bad idea for anything important such as banking or data security, although I do it myself for some sites. You just need to think through the entire chain of connection: for example, you might think, who is going to bother to log in as me to browse train tickets on a travel site? And then forget you also have a payment source saved in their database, or a link to PayPal or whatever… For forums and so on, yes, OK, save your password in the browser; for anything to do with shopping or payments, really don’t do it.
So what happens is some folks decide ‘OK then, I won’t save my complex long password anywhere, or write it down – I will just come up with a brilliant strong unguessable one, and use it everywhere’. This is a big mistake, and looks like the way Dropbox’s passwords were cracked (NOT hacked).
You register on cutefluffykittensforum.com using your email and password combination of choice (please tell me that doesn’t turn out to be a real site…), but because all it is protecting is the real identity behind username Persianprincess999 their database security is really pretty basic. You can’t blame the folks at the cat forum, they have no need for more than simple encryption because they never handle sensitive or vulnerable data – just a list of email addresses and passwords.
And if that list gets hacked or stolen, they might not raise the alert – perhaps they don’t even realise their control panel got violated, or the forum is defunct and not managed any longer. The point is a list of email addresses and passwords scraped from a cat forum feels like it probably isn’t that important anyway. It might even change hands several times until no one knows where it came from or how up to date it is… And then it winds up in the hands of someone bad who has the kind of software that can fire hundreds of thousands of logins at a site like Dropbox in milliseconds.
Most of these will fail, but they will soon get a list of ‘bingos’ – successful combinations of username and password that can be used to unlock valuable information. And it is this data, never stolen from the secure site in the first place, that is now used to shame or target security threats in relation to it. Not their fault, at least not entirely (though they are taking risks by allowing users to depend on this simple form of login).
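Seen from the defending site's side, this pattern is visible in the login records: one source trying many different accounts, almost all failing, with a few successes. The sketch below is an added example, not code from Dropbox or any service named here; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed (source_ip, username, outcome) login events, not real data."""
    events = []
    # One source working through a leaked list: 40 accounts, 2 reused passwords.
    for i in range(40):
        outcome = "success" if i in (7, 31) else "fail"
        events.append(("203.0.113.50", f"user{i}@example.com", outcome))
    # A real user mistyping their own password before getting it right.
    events += [("198.51.100.7", "alice@example.com", "fail"),
               ("198.51.100.7", "alice@example.com", "fail"),
               ("198.51.100.7", "alice@example.com", "success")]
    # An office behind one address: a handful of users, mostly succeeding.
    for name in ("bob", "carol", "dave", "erin", "frank"):
        events.append(("192.0.2.10", f"{name}@example.com", "success"))
    events.append(("192.0.2.10", "bob@example.com", "fail"))
    return events

def detect_stuffing(events, min_accounts=10, max_success_ratio=0.2):
    """Flag sources that try many different accounts and mostly fail.

    Thresholds are illustrative assumptions; events are assumed to come
    from a single time window (e.g. one hour of logs).
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "hits": []})
    for ip, user, outcome in events:
        stats = per_ip[ip]
        stats["accounts"].add(user)
        stats["attempts"] += 1
        if outcome == "success":
            stats["hits"].append(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["hits"]) / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_accounts": len(stats["accounts"]),
                # The successes from a flagged source are the 'bingos':
                # accounts whose reused password worked and need a reset.
                "accounts_to_reset": stats["hits"],
            }
    return flagged

if __name__ == "__main__":
    for ip, report in detect_stuffing(build_sample_events()).items():
        print(ip, report)
```

The mistyping user and the shared office address stay below the thresholds; only the source cycling through many accounts is flagged, and its two successful logins are the accounts to lock and reset.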
What can you do to protect yourself, on planet real life, where most of us have finite memories for long strong strings of complex passwords?
Firstly, always look for two-factor authentication, now offered on more and more services (though rarely forced). They won’t get in to my Dropbox account because if anyone attempts to log in from a new device it will ping a code to my mobile phone that will need entering along with the password. A minor degree of extra hassle in return for a strong extra layer of security – look for it on every site you use, and take the few moments required to set it up. Banks of course tend to use increasingly complex security questions and also to lock you out after a handful of failures – this is ideal from a security perspective but would drive us all nuts every time we wanted to buy an eBook from Amazon, for example; two-step authentication is a good workable solution.
Secondly, consider using a password manager like 1Password or LastPass. These are designed to manage a database of complex passwords on your behalf, and whilst setting them up in the first place has a time cost of course, that is small next to the hassle and grief of getting online accounts compromised.
I have used a LastPass pro account for many years now and they are yet to suffer a security breach – I view the minimal cost (which you only need pay if you want to use it on multiple devices) as a sound investment in outsourcing this worry.
You can set it to log you straight in to your cat forums and so on automatically, but require the entering of your LastPass strong password before it completes the specific unique strong password associated with your PayPal or Amazon account – the only password you have to remember outside of the system is your single LastPass one.
We will return to this subject soon and look at how to get it all set up, but meanwhile it’s important to understand how breaches can occur that are not the direct fault of the compromised site, simply because users have made the dangerous mistake of using passwords repeatedly… No system can be stronger than its weakest link, and all too often that is the human involved.