IU expert: Password theft points to need for simple security precautions

Dec. 5, 2013
BLOOMINGTON, Ind. -- The theft of some 2 million passwords to popular Web services like Google, Yahoo, Twitter and Facebook provides a potent reminder of the simple yet critical steps users can take to protect themselves and their data, according to Indiana University cybersecurity expert Fred H. Cate.

The most popular password among those stolen appears to be “123456,” which provides the same protection as having no password at all, Cate said.

Trustwave’s SpiderLabs researchers revealed the breach after discovering more than 2 million compromised passwords on a Dutch server that was being used by a criminal organization.

Affected users were reported in the United States, Germany, Singapore and other countries. According to the SpiderLabs data, more than 325,000 Facebook, 60,000 Google and 59,000 Yahoo users had their passwords stolen. Some of those service providers have already reset the passwords on the affected accounts.

“Any password breach is a serious concern for the consumer,” said Cate, a Distinguished Professor at the IU Maurer School of Law and director of the Center for Applied Cybersecurity Research. “A password can be used to obtain access to a user’s account -- not only at the company from which the password was stolen, but anywhere else that the password has been used -- as well as user data stored in those accounts.”

Companies could help reduce the burden of passwords by providing two-factor authentication as a simple step to protect an online account, Cate said, but it only makes a difference if users activate it. Many companies, including Facebook, Twitter, Google and Yahoo, offer the process to help add an additional layer of security. In two-factor authentication, the user has to enter the password and then a special code that is typically delivered by a mobile telephone registered to the account.

“With two-factor authentication, even if a password is stolen, the culprit still must have access to the cell phone that is tied to the account,” Cate said. “It's an incredibly simple step most people simply don't -- but should -- take the time to enable.”

As the SpiderLabs data show, more than 16,000 breached accounts were using "123456" as their password, which Cate said is simply unfathomable.

"Creating a strong password, or better yet, a passphrase, is a critical step users must take to protect their personal information," he said. "Even if you've used, or are continuing to use, a weak password, now is the time to update it to something more secure."

Cate pointed consumers to Security Matters, a user-friendly video series that provides practical steps for consumers to take to more effectively secure themselves and their data online. Videos on creating strong passwords, passphrases and two-factor authentication are available at www.securitymatters.iu.edu.

Fred H. Cate is the director of the Indiana University Center for Applied Cybersecurity Research and the C. Ben Dutton Professor of Law. He is a member of the inaugural U.S. Department of Homeland Security Data Privacy and Integrity Committee Cybersecurity Subcommittee and one of the founding editors of the Oxford University Press journal International Data Privacy Law. He can be reached at 812-855-1161 or fcate@indiana.edu.