Billions of Passwords?

September 5, 2014 - The recent theft of 1.2 billion sets of user credentials is your problem.

The mainstream media briefly covered the huge theft of passwords that occurred recently. Just this past week celebrity information was stolen from Apple's iCloud. Of course, we can't have that, and on cue the press was in an uproar.

At least with the Apple situation only one service was involved. The Russian theft spanned sites all over the Web, and what the press did not cover is exactly which credentials were stolen, from whom, and how. That uncertainty is precisely why this sort of breach demands that passwords be changed.

As always, deal with your financial institutions first. If a user credential has to do with money, those are the ones you need to adjust quickly. I always recommend that you call your bank or investment house and ask, point blank, if they were affected. They may not want to tell you, so any hedging should be interpreted as a yes. Only accept a no if it comes instantly. Any hesitation or BS - change the password. Once your most obvious money targets are out of the way, change passwords elsewhere, as you see fit.

What About SiteCommander?

If you are one of my Web clients, you know that SiteCommander stores the passwords you use to log in to it. I have no way of knowing whether your individual Web site was breached, so my recommendation to change passwords stands. However, I think such a breach is unlikely, for reasons I'll describe below. Remember that a thief is after money. Your site does not store anything having to do with money and it does not store information about your customers, so it is not much of a target.

SiteCommander, like every other reasonable online system, does not store passwords in the clear; it stores a transformed form that has to be attacked rather than simply read. A government-scale attacker with enough computing power can probably recover passwords from that stored form by brute force. Anyone else has to discover two things by reading the source code: the algorithm used to transform the password, and a secret value used to seed that algorithm. In practice the algorithm is the weaker of the two protections, since algorithms are usually guessable; the secret is what matters, and it is different for every site I build. A password database stolen from one site therefore cannot be cracked with work already done against another. If the bad guys manage to breach one of my clients, it doesn't mean they can automatically breach another.
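As an added illustration (not SiteCommander's code and not code from the original page), the Python below shows the principle just described: a per-site secret is mixed into a salted, iterated one-way hash, so a record stolen from one site cannot be verified, or cracked offline, without that site's secret. The algorithm (PBKDF2-HMAC-SHA256), the iteration count, the record format and the names hash_password, verify_password and offline_guess are assumptions chosen for this example.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Assumption for this example (not taken from the page): the stored record is
# "salt_hex$hash_hex", the per-user salt is random, and a per-site secret that
# lives only in the site's source/configuration is mixed into the derivation.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, site_secret: bytes,
                  salt: Optional[bytes] = None) -> str:
    """Derive a storable record for one site.

    The site secret is prepended to the per-user salt, so the same password
    and salt produce unrelated hashes on two sites with different secrets.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), site_secret + salt, PBKDF2_ITERATIONS
    )
    return f"{salt.hex()}${derived.hex()}"


def verify_password(password: str, site_secret: bytes, record: str) -> bool:
    """Recompute the record with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = hash_password(password, site_secret, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def offline_guess(record: str, guesses: Iterable[str],
                  site_secret: bytes = b"") -> Optional[str]:
    """Model the thief's offline attack on a stolen record.

    With only the database (no site secret, the default), even a wordlist
    containing the real password finds nothing; with the secret from the
    source code, the usual dictionary attack works again.
    """
    for guess in guesses:
        if verify_password(guess, site_secret, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data: two sites built with different secrets.
    site_a, site_b = b"secret-for-site-a", b"secret-for-site-b"
    stolen = hash_password("correct horse", site_a)
    print("record from site A:", stolen)
    print("verifies on site A:", verify_password("correct horse", site_a, stolen))
    print("verifies on site B:", verify_password("correct horse", site_b, stolen))
    wordlist = ["123456", "password", "correct horse"]
    print("cracked without secret:", offline_guess(stolen, wordlist))
    print("cracked with site A secret:", offline_guess(stolen, wordlist, site_a))
```

The point of offline_guess is the one the paragraph makes: a stolen table of hashes is only as useful to the thief as the secret that went into it, and that secret has to come from the source code, not from the database.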

Can the bad guys get the source code to your site? Be assured that the source code is not accessible simply by logging in to SiteCommander; even someone who steals a credential and recovers the password sees no source code. To get it, the thief has to hack into the server holding your site and download the source, or discover the FTP credentials to your account at the hosting company. We have seen many times that these sorts of hacks are not impossible, but they are unlikely. A criminal is more likely to hack the hosting company itself in order to obtain the records of your financial transactions, not your individual site.

By the way, if you decide to change the credentials for an account to which I need access to support you, don't forget to update me with the new information. A phone call is the most secure way to let me know. If using text messaging or email to communicate this information, don't put both the username and the password in the same email and do not use the word "password" in the subject or body of the message. A good way to keep things separate is to email me the user name and text the password.

Tags: Security, Web
