Yahoo Breach Highlights Password Reuse Threat

Nearly 60 percent of people who maintained accounts on both Yahoo Voices and Sony Pictures' service used the same password, a big no-no in security.

By: Robert Lemos

The leak of nearly half a million passwords from Yahoo Voices underscores that many online providers have a ways to go before they can properly secure their users. The breach also highlighted the fact that many people continue to put their information in danger by using the same password on multiple accounts, according to an analysis of the leaked file published July 12.

By finding account holders with the same email address, security professional Troy Hunt matched users listed in the recently leaked Yahoo Voices password file and a similar file leaked last year in the attack on Sony's online properties. The technique matched 302 users in the two files, of which 59 percent used the same password on both sites.

"Password reuse remains rampant even after the same password had already been breached elsewhere a year earlier," said Hunt. The analysis "demonstrates a high prevalence of reuse across entirely autonomous systems."

Hunt has made a habit of analyzing password files to shed light on the underlying choices users are making with their passwords. By comparing the password file leaked in the Sony breach to another file leaked in the 2010 breach of online media site Gawker, Hunt found 88 accounts in common, two-thirds of which used the same password.

In the past, security professionals have urged people to use strong passwords with at least eight characters, no common dictionary words and using the full character set including uppercase letters, numbers and special characters. Yet such passwords are difficult to remember, leading users-if they followed the rules at all-to recycle passwords across accounts.

With people increasingly using online accounts to store data, security experts have focused on getting users to assign unique passwords to every account.

For companies, it's a difficult problem. They cannot police their employees' password use outside the corporate firewall, so businesses need to make sure that their workers follow the rules necessary to allow secure access. To protect important corporate resources, businesses should require a second factor of authentication, such as a one-time password generated by a keyfob or a smart card.

Equally important is to ensure that the rules are followed across the company, says Bryan Sartin, director of the RISK Intelligence group at Verizon. Nearly half of all breaches involved guessing passwords or taking advantage of default credentials, and about a third involved stolen log-in credentials, according to the 2012 Verizon Data Breach Investigations Report. Many times, a weak account or set of accounts is targeted by the attacker, said Sartin.

"We see situations where you have a remote-access breach and 99.9 percent [of the workforce] are required to use two-factor authentication, but there is just one select group of accounts-some of which are in it by accident, others are special administrative accounts or special executives-and they have things like one-character passwords," said Sartin. "Guess which accounts are the point of access in a data breach?"

Strong passwords are needed, as well, because breached online services tend to scramble users passwords, if not always correctly. LinkedIn, for example, used a hash function to secure its password file, which was stolen and published to the Internet in June. Yet the company did not use a technique, known as salting, to further randomize-and thus, secure-the resulting file.

"LinkedIn taught us that strength is important, while Yahoo teaches us that uniqueness is important," said Hunt.