The past 30 days have been the month of the password hack. LinkedIn (6.5 million encoded passwords leaked). Formspring (reset 30 million passwords). eHarmony (1.5 million password hashes leaked). Now Yahoo! Password security continues to cause headlines and headaches. But there are two angles to this story that will have long-reaching effects.

First, users who have one password they use for everything need to change it. Immediately. A password in the hands of a hacker that is used for multiple accounts can now give him or her access to your bank and financial accounts, social media accounts, etc.

The second angle, prompted primarily by Yahoo, is the responsibility of corporations to protect their users. These passwords weren’t encrypted! They were stored in clear text. Protecting stored passwords is basic security, and the problem is that they were just sitting there. Is this an issue across additional user and corporate account details at Yahoo? Are they also stored like that? This is a serious security issue. (And if by some chance they weren’t just sitting there, the hackers would not have been able to obtain them unless someone had such complete control of Yahoo’s environment that they could access and see the whole thing.) Plain text. That’s security 101. Mind-blowing. Yahoo wasn’t even doing basic security.
So what to do? As a user, develop strong passwords for each of your accounts and be vigilant about it. Your passwords should be unique to each account and you shouldn’t use them anywhere else. But the corporate problem is much larger. Yahoo! is an extreme example, but it’s only the tip of the iceberg. As security threats become increasingly sophisticated, corporations need to be more proactive and predictive about security. Otherwise, you’re just reactive and cleaning up after the fact.
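To make the "security 101" point concrete, here is an added example (not code from the original post or from any of the companies named) of the baseline a credential store should meet instead of clear text: a per-user random salt and a deliberately slow hash, with constant-time comparison on verification. The iteration count and the record format are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os

# Assumption: a high PBKDF2-HMAC-SHA256 iteration count, chosen to make
# offline guessing of a leaked record expensive. Tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt is drawn per call, so two users with the same
    password get different records and a leaked table cannot be cracked with
    one precomputed lookup.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters; never store or compare plaintext."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_differ_for_same_password(password: str) -> bool:
    """Illustrates the salt at work: the same password yields two distinct records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("login with right password:", verify_password("correct horse battery staple", stored))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", stored))
```

A leaked row from this table still has to be guessed one candidate at a time through 600,000 hash iterations, which is the difference between the Yahoo dump and a defensible store.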
- Alex Horan, Senior Product Manager