The recent assault on Yahoo resulted in the compromise of almost 450,000 passwords (more here). Big firm hacks like this are becoming the rule, not the exception, nowadays. According to the Identity Theft Resource Center, there were 189 known breaches from January of this year through the beginning of June. These security breaches have exposed over 13 million personal records (passwords, personal profiles, financial and credit info, etc.). Here’s another reason to raise an eyebrow at the alleged panacea that our industry’s hype machine makes of all things “cloud”.
What’s troubling is that as the number of cloud-based services and online platforms increases, so does the number of passwords you have to maintain in order to log in to each of them. Users (both business and personal) are spreading their credentials everywhere on the web. The more you have to manage, the more vulnerable you become. And when the threat of getting hacked arises, people are told to change and strengthen their login credentials by crafting stronger passwords. Often this means creating a string of gibberish with random capital letters, numbers and special characters. The problem is that nobody remembers them. Most folks end up reusing their complex passwords, writing them down, or creating a “passwords” file on their phone or desktop, which, ironically, is probably the first thing hackers look for when they access your device.
One problem has to do with people’s attitudes. Consumers (and especially kids) usually see security and privacy controls as a burden. An unfortunate legacy of the Facebook generation is that password management is really just a pain in the ass … It usually takes a good scare for someone to begin taking security seriously.
A second problem is that our industry doesn’t have a really good standardized alternative to the old “user name and password” approach to credentials for online services. The enterprise IT market has certainly sparked the generation of plenty of password management and single sign-on systems that help alleviate some of these worries, but each is not without its own problems. There is an awesome article from CIO magazine here, although I really wonder why Citrix didn’t make the list of well-established Single Sign-On vendors. The inherent security and password management capabilities baked into the Citrix products have been a strong selling point for years. And now with their Cloud Gateway product, they are definitely a contender in the enterprise Cloud Federation space.
In the meantime, if you and your family are thinking about your online privacy and security (which you should), we’ve got a couple of tips to help better manage your passwords. Check them out.