Huge Credential Leak Underscores Need to Protect Passwords, Login IDs

NEWS ANALYSIS: Nobody knows for sure where all of the billion-plus Pwned credentials came from, but at this point that hardly matters. What matters is how you protect your own credentials.

Pwned Passwords 2

By now you already know that passwords are problematic. Getting your employees to create passwords that are even slightly secure is hard.

Getting them to change to new passwords is even harder. Getting them to actually remember passwords instead of writing them on sticky notes and attaching them to their monitor is nearly impossible.

This problem was made clear this past week when over 1 billion credentials were leaked from a variety of sources. Those credentials, which included user names and passwords along with other information, have been put up for sale on the Internet, and by now they're likely in the hands of cyber-criminals who will eventually use them.

In the near term, you know that you need to alert your users to change their passwords in the event that some of those stolen credentials belong to them. You may also want to check to see if their company email address is among those stolen, which you can do at sites such as Have I Been Pwned to see if their credentials are among those that have been stolen.

Until now, there was another place to check such things called, but according to security researcher Brian Krebs, that site was the source of many of those stolen credentials.

Meanwhile, if you haven't implemented some necessary security practices in regard to your company passwords, then by now it's a must. This includes validating passwords so that your employees don't use common words or character sequences, that they change passwords on a regular basis, and that managers pay attention to their workspaces closely enough that they can see whether the employees are writing passwords down on those sticky notes.

There are a couple of other things that are important when managing passwords. One is that while it's important that they not be common words, they still need to be something that your employees can remember so they aren't tempted to write them down. This why you don't insist on a 64-character hex number as passwords, since relatively few people can remember those.

But perhaps more important, you need to start thinking of ways to stop using passwords, or at least supplement passwords with something else for the credentials necessary to access your network and data systems.

An example of how this works is with some of the networks and data systems in the federal government. In most agencies, employees are provided with a smartcard-based identification card, which is called either a CAC card (for common access card) or a PIV card (for personal identity verification).

Those cards include a chip similar to the one found in new credit cards that can be read by the agency's security system to verify identity.

Wayne Rash

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35 year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...