272 Million Password Dump Highlights Need for Strong, Unique Passwords

By on May 17, 2016

With the recent password dump of 272 million email credentials including Gmail, Hotmail, Microsoft, Yahoo and Mail.ru, posted on the Darknet, security professionals are once again warnings against reusing personal email credentials with corporate accounts. While recommendations to change one’s personal email password after any such attack remain consistent, experts are also reminding us about the benefits of implementing basic best practices such as one site, one password policy.

Security professionals have established that this password dump was not the result of a one-time large scale hack, and instead was a collection of multiple breaches from a variety of less secure third-party sites and password phishing attacks over a long period of time that were subsequently aggregated. The aggregation of user credentials affects many of the most popular cloud-based emails services. Considering that 31% of passwords are reused across sites, the password dump may also impact many more services including accounts employees use in corporate systems.

The role of human error in password theft

Data breaches are on the rise and criminals are continuing to exploit human nature as they rely on users to use passwords which are easy to remember or repeat passwords across websites or use default passwords. Using a pet’s name as a bank account password or professional email account password are some of the most common errors made by users even today. The Verizon 2016 Data Breach investigation report states that 63% of confirmed data breaches involve using weak, default, or stolen passwords.

Imagine getting locked out of one’s own email account or hackers going through one’s personal and very private conversations. It could either be a conversation with a prospective client or a private conversation regarding an employee. What if this information falls into the wrong hands such as a competitor? Cyber criminals could also very well delete critical financial emails, once inside the email account. Furthermore, hacking these email accounts could act as a gateway into many other personal shopping or financial accounts which could prove disastrous if placed in the wrong hands.

Enabling multi-factor authentication

With one site, one password policy, users are advocated not to reuse their passwords for different login sites. Thus, even if one of their sites is compromised, there is no real danger to other personal or professional login sites. This proves especially useful while using collaboration tools such as Box or Microsoft Office 365. Assuming a personal external collaboration account such as Hotmail is being actively used in a professional login site such as Microsoft Office 365, a compromised Hotmail account definitely does not pose any real danger to the Microsoft Office 365 account.

Moreover, enabling multi-factor authentication on personal email accounts as a simple best practice adds an extra layer of protection on top of email credentials. With multi-factor authentication, when a user signs into a website with their username and password (their first factor), they must also enter a second authentication factor such as a randomly generated code or a security key to verify their identity. This authentication code can be sent to the user’s smartphone with no additional cost to the user. Taken together as shown in the illustration below, these multiple factors provide an increased security for any website, whether personal or professional.

authentication diagram

t’s easy to enable multi-factor authentication for the most popular websites. Based on user count, we’ve summarized the top 10 consumer and enterprise services with links to instructions on how to enable multi-factor authentication below:

Top 10 Consumer Cloud Services

  1. Facebook
  2. Twitter
  3. LinkedIn
  4. Gmail
  5. Google Drive
  6. Yahoo! Mail
  7. Dropbox
  8. Evernote
  9. Apple iCloud
  10. Tumblr

Top 10 Enterprise Cloud Services

  1. OneDrive
  2. Cisco WebEx
  3. Salesforce
  4. Concur
  5. Zendesk
  6. Hightail
  7. ServiceNow
  8. Box
  9. Workday
  10. MailChimp

Gmail is the most popular consumer email services. Here are five steps to secure your personal Google Mail account using multi-factor authentication:

1. Login to your Google Mail account with your username and password.
2. Click on My Account > Sign-in & security > Signing in to Google > 2-Step Verification.
3. Click on “Get started” to enable multi-factor authentication.

google verification

4. Confirm your password once again and set up your personal phone number with this email account for second factor authentication. One can either opt for a text message or a phone call to receive the authentication code.

google verification step

5. Click on “TRY IT” and the user is prompted to enter the authentication code sent to his phone number. Once the authentication code is entered, the user is logged in to his Google Mail account.

About the Author

McAfee Cloud BU

Learn about cloud threats, the latest cloud security technologies, and the leading approaches for protecting data in cloud services.

Read more posts from McAfee Cloud BU

Categories: Cloud Security

Subscribe to McAfee Securing Tomorrow Blogs