State of Password Security in 2018 Needs Addressing — You’re Probably Affected
There is a quote from a famous ex-hacker that goes, “Even if a computer is unplugged and at the bottom of the ocean, it is not 100% safe.” Consumers of all kinds don’t always think about the security of their personal information on the Internet, but the threat is more real than previously known. With password security websites that publish the status of user accounts, and information leaked from previously private databases, on the rise, billions of people around the world are affected; according to a popular leaked-passwords database website (Riddle, 2018), the available records number just over 1 billion accounts and can be viewed in plain text. That’s 13% of the world population. A majority of the user accounts belong to American citizens; well over 500 million are linked to United States records. That’s 156% of the U.S. population that is affected by password security. The chances of an American’s account being accessible on the database are high, and more attention should be paid to this area of computing, which is becoming more vulnerable as leaks rise.
Some of the statistics that carry additional security risks concern the sharing of a person’s account credentials across two or more services. In fact, the chances of leaked passwords matching a particular individual’s Google credentials are between 7–25% (Thomas et al., 2017). Another interesting point is the demographics of those affected by password security. Key individuals affected by these kinds of leaks include Ambassador to the United Nations Sarah Palin, Democratic National Convention leader John Podesta, and Emmanuel Macron.
Many factors can be examined as sources of password security breaches. At the base level, credential leaks from corporations with huge user account databases have exposed billions of people’s information to the general public. Besides these root leaks, keyloggers, hijackers, and phishers build private collections of user data, and these compilations are later leaked onto the Internet. Vulnerability is present at every stage: password creation by the user, its transmission across servers on the Internet, and finally its storage in a database on the host service.
Using other personal information when choosing a password tends to be a trend among Internet users. The weakest form of authentication remains user-chosen passwords, especially as a primary authenticator (Li, Wang, and Sun, n.d.). The study goes on to cite methods of password creation that use personal identifiers such as birthdays, names, and account names. The study’s purpose was to apply a method called Probabilistic Context-Free Grammars (PCFGs) to crack passwords based on a collection of a user’s personal information. However, it is evident that the process of password creation is, being subject to the imagination, not determinable by algorithms accurate enough to be useful beyond statistical study.
The question remains: what is the future of password security? Considering the studies that have been done on the matter, the most reasonable way to create an additional layer of security is to authenticate users’ identities by means other than a password. Some websites have already begun requiring two-step authentication, using security questions or other forms of authentication. As more attention is paid to the growing problem of password security, future methods of authentication may extend beyond simple password verification, the goal being to keep a user’s data safe in every form. Until then, the most prudent solution is to use complex passwords and change them often; staying ahead of leaks of user information protects a user’s account by keeping its password newer than any recorded for public access. Being open about the level of security of all information, by knowing exactly what data is available, is an important step in designing a plan for password security.
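As an added example (not code from the article or from the studies it cites), here is a registration-time password check that covers both of the points above: it rejects passwords that embed the user’s own personal identifiers (the habit the Li, Wang, and Sun study describes in the previous paragraph) and passwords that already appear in a leaked-password corpus. The Profile fields, the leet-substitution table, and the six-entry leaked list are constructed for this example; bucketing the corpus by SHA-1 prefix so that only the prefix needs to leave the client is a k-anonymity-style lookup that is my addition, not something the article describes.

```python
"""Registration-time password vetting (added example; not code from the
article or from the studies it cites).

Two checks are combined:
  1. personal-information reuse: does the password embed the user's own
     name, username, e-mail local part or birthday?
  2. leaked-corpus reuse: is the password already in a set of leaked
     passwords?  The corpus here is a small constructed list; the lookup
     is keyed on the first five hex characters of the SHA-1 so that only
     that prefix would need to leave the client (a k-anonymity-style
     range lookup, an assumption of this example).
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

# Common letter substitutions undone before matching ("Sm1th" -> "smith").
# The table is an assumption of this example, not a published standard.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lower-case the text and undo leet substitutions."""
    return text.lower().translate(_LEET)


@dataclass(frozen=True)
class Profile:
    """The personal data a service typically holds about an account holder."""
    username: str
    first_name: str
    last_name: str
    email: str
    birthday: date


def example_profile() -> Profile:
    """A constructed account holder used by the demo and the tests."""
    return Profile("jsmith", "John", "Smith", "john.smith@example.com",
                   date(1990, 4, 17))


def personal_tokens(profile: Profile) -> set[str]:
    """Strings derived from the profile that a password must not contain.

    Birthday tokens cover the common digit orderings (YYYY, MMDD, DDMM,
    YYYYMMDD, DDMMYYYY, MMDDYYYY). Tokens shorter than three characters
    are dropped because they would match almost any password.
    """
    b = profile.birthday
    tokens = {
        profile.username, profile.first_name, profile.last_name,
        profile.email.split("@", 1)[0],
        f"{b:%Y}", f"{b:%m%d}", f"{b:%d%m}",
        f"{b:%Y%m%d}", f"{b:%d%m%Y}", f"{b:%m%d%Y}",
    }
    # Only lower-case here: leet-undoing would corrupt the digit tokens.
    return {t.lower() for t in tokens if len(t) >= 3}


def personal_info_hits(password: str, profile: Profile) -> list[str]:
    """Return the profile-derived tokens found in the password, sorted."""
    raw = password.lower()          # digits intact, for birthday tokens
    undone = normalize(password)    # leet undone, for name tokens
    return sorted(t for t in personal_tokens(profile)
                  if t in raw or t in undone)


# Constructed sample of leaked passwords for this example. A real deployment
# would ingest hashes from a breach corpus rather than plaintext.
_LEAKED_SAMPLE = ["123456", "password", "qwerty", "letmein",
                  "iloveyou", "jsmith1990"]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Bucket the corpus by 5-hex-char SHA-1 prefix: a client reveals only the
# prefix, receives the whole bucket, and finishes the match locally.
LEAKED_BY_PREFIX: dict[str, set[str]] = {}
for _pw in _LEAKED_SAMPLE:
    _h = _sha1_hex(_pw)
    LEAKED_BY_PREFIX.setdefault(_h[:5], set()).add(_h[5:])


def is_leaked(password: str) -> bool:
    """True if the password's SHA-1 suffix appears in its prefix bucket."""
    digest = _sha1_hex(password)
    return digest[5:] in LEAKED_BY_PREFIX.get(digest[:5], set())


def vet_password(password: str, profile: Profile) -> dict:
    """Run both checks; 'reasons' is empty when the password is accepted."""
    hits = personal_info_hits(password, profile)
    leaked = is_leaked(password)
    reasons = []
    if hits:
        reasons.append("contains personal information: " + ", ".join(hits))
    if leaked:
        reasons.append("appears in a leaked-password corpus")
    return {"ok": not reasons, "personal_hits": hits,
            "leaked": leaked, "reasons": reasons}


if __name__ == "__main__":
    user = example_profile()
    for candidate in ["Sm1th0417!", "password", "jsmith1990",
                      "correct-horse-battery-staple-7"]:
        print(candidate, vet_password(candidate, user))
```

The substring test is deliberately run twice, once on the lower-cased password and once on the leet-undone form, because undoing substitutions helps catch “Sm1th” but would turn a birthday such as “0417” into letters; checking both forms keeps each kind of token matchable.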
This article itself has already been flagged because it exposes the dangers of password security on the Internet, even though the subjects represented are serious in nature. Knowing more about the problem creates an atmosphere for solutions; the stigma surrounding terabytes of leaked sensitive information needs to be addressed. Instead of attempting to pretend it never happened, as is the case with the leak of the Democratic National Convention, the problem of password security should be open. The data should be open (users should be able to know exactly what information is in circulation, without censorship), and it is with this in mind that leaked-passwords services have joined the initiative to protect the integrity of all Internet users.
To be completely open about the matter, your password is not safe on the Internet. It doesn’t matter if you use complex passwords or even encrypt your information as it’s sent over the Internet. Leaked-passwords databases reveal that large companies as well as small businesses put consumer information at high risk of public exposure. According to a study on the security performance of infrastructure, only half of companies have deployed information technology security programs, and even then the top threat remains negligent insiders (Tehan, 2015); these insiders are the sources of leaked information or create opportunities for third parties to take advantage of poorly secured data. The amount of available information is astounding, and most Americans don’t even know the severe state its security is in.
Li, Y., Wang, H., & Sun, K. (n.d.). A study of personal information in human-chosen passwords and its security implications. Retrieved from https://www.eecis.udel.edu/~hnw/paper/infocom16.pdf
Riddle, J. (2018). Leaked password volume statistics. Retrieved from http://leakprobe.net
Tehan, R. (2015). Cybersecurity: Data, statistics, and glossaries. Retrieved from https://digital.library.unt.edu/ark:/67531/metadc743587/m1/1/high_res_d/R43310_2015Sep08.pdf
Thomas, K., Li, F., Zand, A., Barrett, J., Ranieri, J., Invernizzi, L., Markov, Y., Comanescu, O., Eranti, V., Moscicki, A., Margolis, D., Paxson, V., & Bursztein, E. (2017). Data breaches, phishing, or malware? Understanding the risks of stolen credentials. Retrieved from https://people.eecs.berkeley.edu/~frankli/papers/google_account_compromise.pdf