The Seven Cybersecurity Commandments

And Whatever Happened To “Secure By Design”?

--

When I go on TV to report on a data breach, there is a stock answer I usually give to the question of how companies can protect themselves against data breaches: “Enable multifactor authentication” — MFA. But, still, companies blindly hold only passwords as their single source of identification. Like it or not, at the core of cybersecurity is identity, whether it is users, devices or services. Unfortunately, sometimes, it feels like we are still living in a 20th-century world of digital technology, where the move to the cloud has just moved our passwords there.

Recently, I was lucky to speak to Troy Hunt, and he outlined that it is still common for data breaches to contain old (and insecure) hashed versions of passwords. In fact, he outlined that there were many cases where he saw old MD5-hashed passwords mixed with bcrypt, where users who had updated their passwords had a bcrypt hash, and those who hadn’t still had MD5. This, he thought, was silly, as it should have been possible to double-hash the passwords in a single pass, using the existing MD5 hash as the input to bcrypt. This just seems like a complete lack of understanding of cybersecurity or a complete lack of caring about protecting citizen data.
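The migration Troy Hunt describes can be done without ever knowing the users' passwords: each stored MD5 digest is fed into a slow password hash, so the whole table is upgraded in one pass rather than waiting for each user to log in. The code below is an added illustration written for this post, not Troy Hunt's or Bill Buchanan's code. It assumes a constructed record format (`md5$`, `pbkdf2-md5$` and `pbkdf2$` prefixes) and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, since bcrypt is not in the Python standard library; the wrapping and verification logic is the same whichever slow hash is used.

```python
import hashlib
import hmac
import secrets

# Constructed record formats for this example (not a real product's schema).
MD5_PREFIX = "md5$"              # legacy: unsalted MD5 hex digest
WRAPPED_PREFIX = "pbkdf2-md5$"   # legacy MD5 digest wrapped in a slow KDF
STRONG_PREFIX = "pbkdf2$"        # slow KDF applied directly to the password
ITERATIONS = 200_000             # PBKDF2 stands in for bcrypt here


def legacy_md5(password: str) -> str:
    """The insecure legacy scheme: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(material: str, salt: bytes) -> bytes:
    """Salted, iterated hash used in place of bcrypt for this example."""
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)


def upgrade_legacy_record(record: str) -> str:
    """Wrap an existing MD5 record in the slow KDF. Needs no password:
    the stored MD5 hex digest itself becomes the KDF input."""
    if not record.startswith(MD5_PREFIX):
        raise ValueError("not a legacy MD5 record")
    md5_hex = record[len(MD5_PREFIX):]
    salt = secrets.token_bytes(16)
    digest = slow_hash(md5_hex, salt)
    return f"{WRAPPED_PREFIX}{salt.hex()}${digest.hex()}"


def hash_new_password(password: str) -> str:
    """Native strong record for new or re-set passwords."""
    salt = secrets.token_bytes(16)
    return f"{STRONG_PREFIX}{salt.hex()}${slow_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against any of the three record formats."""
    if record.startswith(WRAPPED_PREFIX):
        _, salt_hex, digest_hex = record.split("$")
        expected = slow_hash(legacy_md5(password), bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected.hex(), digest_hex)
    if record.startswith(STRONG_PREFIX):
        _, salt_hex, digest_hex = record.split("$")
        expected = slow_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected.hex(), digest_hex)
    if record.startswith(MD5_PREFIX):
        return hmac.compare_digest(legacy_md5(password), record[len(MD5_PREFIX):])
    return False


def verify_and_rehash(password: str, record: str):
    """On a successful login, replace a wrapped record with a native one so the
    MD5 layer eventually disappears. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record.startswith(WRAPPED_PREFIX):
        return True, hash_new_password(password)
    return True, record


def migrate_table(table: dict) -> dict:
    """One-pass upgrade of every legacy MD5 record; other records are kept."""
    return {
        user: upgrade_legacy_record(rec) if rec.startswith(MD5_PREFIX) else rec
        for user, rec in table.items()
    }


if __name__ == "__main__":
    # Constructed sample table: one legacy user, one already-upgraded user.
    users = {"alice": MD5_PREFIX + legacy_md5("alice-pw"),
             "bob": hash_new_password("bob-pw")}
    users = migrate_table(users)
    print("no MD5 left:", not any(r.startswith(MD5_PREFIX) for r in users.values()))
    ok, users["alice"] = verify_and_rehash("alice-pw", users["alice"])
    print("alice login:", ok, "now native:", users["alice"].startswith(STRONG_PREFIX))
```

After `migrate_table` runs, a stolen table exposes only slow-to-crack records even for users who never logged in again; `verify_and_rehash` then retires the MD5 layer for each user on their next successful login.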

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.