Russian hack could see end of usernames and passwords: industry

Russian group hacked 1.2 billion usernames and passwords

The implications of a 1.2 billion username and password hack performed by a Russian group could spell the end of the standard username and password combination, say information security experts.

Hold Security released a report on the hack that said the group stole information from more than 420,000 websites. According to the vendor, the list of affected websites includes well known global brands and personal sites such as blogs.

According to NetIQ's solution strategy senior director, Geoff Webb, it will be “some time” before people get a sense of how wide reaching the problem is.

“Although it will be compared to the Target [United States] breach, this is a very different kind of problem. While the Target breach stole credit cards from a retailer, it's impossible to know how many sites will be impacted by this hacker group,” he said in a statement.

According to Webb, the Russian hack could mean the end of the username and password combination approach to security.

“Making users create their own passwords simply forces this step into the hands of people who are least qualified in security: the end user,” he said.

“People don't want to deal with complex passwords they use only once. As we keep requiring users to be responsible for this security it's unsurprising that we keep seeing the same results, weak passwords, reuse of passwords and [data] breaches that affect many websites.”

CyberArk's senior director of cyber innovation, Andrey Dulkin, agreed with Webb that end users are “complacent” about password security.

“Despite the fact that we are continually bombarded with tales of the increased cyber risks facing individuals and enterprises alike, the complacency surrounding password security remains an issue that must be addressed, rather than deemed inevitable,” he said in a statement.

“This is particularly important with privileged accounts, as it is to be expected that among the 1.2 billion credentials stolen, some belong to administrators and other users with network access privileges.”

Dulkin said that these access privileges will prove “highly lucrative” to cyber criminals as they will provide unrestricted access to an organisation’s network database.

“Data breach incidents will continue to occur and the potentially severe consequences will only be mitigated by organisations tackling password security head on.”

For example, this could be achieved by identifying all privileged users and accounts, while managing and monitoring access/activity.

“Organisations should ask themselves: Would they be able to detect malicious activity in their networks, and intervene in time to prevent damage being done to their business? It only takes one privileged credential to fall into the wrong hands to open up a huge data breach,” he said.

Dulkin added that organisations should focus on automated password management and strong passwords for sensitive assets. Consumers should use personal password managers and two-factor authentication when using online services.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia