Tag Archives: Passwords

Meta Fined $102 Million For Storing Passwords In Plain Text



The Irish Data Protection Commission (DPC) has slapped Meta with a $101.5 million (€91 million) fine after wrapping up an investigation into a security breach in 2019, wherein the company mistakenly stored users’ passwords in plain text, Engadget reported.

Meta’s original announcement only talked about how it found some user passwords stored in plain text on its servers in January of that year. But a month later, it updated its announcement to reveal that millions of Instagram passwords were also stored in easily readable format.

While Meta didn’t say how many accounts were affected, a senior employee told Krebs on Security back then that the incident involved up to 600 million passwords. Some of the passwords had been stored in easily readable format on the company’s servers since 2012. They were also reportedly searchable by over 20,000 Facebook employees, though the DPC has clarified in its decision that they were at least not made available to external parties.

Reuters reported the lead European Union privacy regulator fined social media giant Meta 91 million euros ($101.5 million) on Friday for inadvertently storing some users’ passwords without protection or encryption.

The inquiry was opened five years ago after Meta notified Ireland’s Data Protection Commission (DPC) that it had stored some passwords in ‘plaintext’. Meta publicly acknowledged the incident at the time and the DPC said the passwords were not made available to external parties.

“It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data,” Irish DPC Deputy Commissioner Graham Doyle said in a statement.

A Meta spokesperson said the company took immediate action to fix the error after identifying it during a security review in 2019, and that there is no evidence the passwords were abused or accessed improperly.

ArsTechnica reported officials in Ireland have fined Meta $101 million for storing hundreds of millions of user passwords in plaintext and making them broadly available to company employees.

Meta disclosed the lapse in early 2019. The company said that apps for connecting to various Meta-owned social networks had logged user passwords in plaintext and stored them in a database that had been searched by roughly 2,000 company engineers, who collectively queried the stash more than 9 million times.

Meta officials said at the time that the error was found during a routine security review of the company’s internal network data storage practices. They went on to say that they uncovered no evidence that anyone internally had improperly accessed the passcodes, or that the passcodes were ever accessible to people outside of the company.

Despite those assurances, the disclosure exposed a major security failure on the part of Meta. For more than three decades, best practice across just about every industry has been to cryptographically hash passwords. Hashing means passing each password through a one-way cryptographic function that produces a long string of characters unique to that input; the system stores only that string, so it can verify a password without retaining the password itself.
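As an added illustration (not Meta’s code or any library’s API), the following constructed Python contrasts the two failure points the post describes, a password sitting in a readable record and a password forwarded into a log line, with the salted, one-way hashing it recommends. The sample user, password and field names are made up.

```python
import hashlib
import hmac
import os

# Constructed sample record in the style the incident describes: the password
# itself sits in the table, so anyone who can read the table reads the password.
PLAINTEXT_RECORD = {"user": "alice", "password": "hunter2"}

def store_hashed(password: str, iterations: int = 200_000) -> str:
    """Hash a password for storage with PBKDF2-HMAC-SHA256 and a per-user salt.

    The record is self-describing (algorithm$iterations$salt$digest) so the
    iteration count can be raised later without breaking existing records.
    """
    salt = os.urandom(16)                      # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def redact_for_log(event: dict) -> dict:
    """Drop secret fields before an event reaches a log line or a debug table.

    The 2019 lapse began with apps logging the password field; a logging
    helper that never forwards it closes that path. Key names are assumed.
    """
    secret_keys = {"password", "passwd", "pwd", "new_password"}
    return {k: v for k, v in event.items() if k.lower() not in secret_keys}

if __name__ == "__main__":
    record = store_hashed(PLAINTEXT_RECORD["password"])
    print(record)                                  # salt and digest, no password
    print(verify("hunter2", record), verify("hunter3", record))   # True False
    print(redact_for_log(PLAINTEXT_RECORD))        # {'user': 'alice'}
```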

In my opinion, it sounds as though Meta wasn’t interested in having this information be reported on. It makes no sense for a company like Meta to hide what they were doing with customers’ passwords.


23 Million People Use 123456 as a Password



Despite all the warnings, 23 million people worldwide use the password “123456”. This is according to the UK’s National Cyber Security Centre, which analysed the Have I Been Pwned data set to produce a list of the top 100,000 passwords.

It’s frankly embarrassing – here’s the top 10. Anyone who uses any of these should have their computer, tablet and phone taken away from them immediately.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Looking through the full list, there’s a reasonable selection of expletives, and for Brits, variations on “Liverpool” appear twenty eight times. For non-Brits, Liverpool is not only a city in the North of England but a premier league football (soccer) team. James Bond 007 is rich pickings too, with variations into the teens. No matter how smart or unique you think you are, there’s someone else who thinks the same.

The NCSC recommends using three random words for passwords, such as “tablehouseblue”, and not re-using passwords between accounts. In particular, it suggests always having a different password for your email account.

Dr Ian Levy, NCSC Technical Director, said: “Password re-use is a major risk that can be avoided – nobody should protect sensitive data with something that can be guessed, like their first name, local football team or favourite band. Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.”

You can read the full UK Cyber Survey and there’s more analysis on the password list in this article.

Photo by Kristina Flour on Unsplash


Two Million Passwords Stolen by Hackers



On November 24, 2013, researchers at Trustwave discovered that hackers had obtained up to 2 million passwords for websites like Facebook, Google, Yahoo!, Twitter and others. Researchers learned this after digging into source code from the Pony botnet. It appears that information about this has only been made public very recently.

Here are some quick stats about some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, the Pony botnet stole credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack it, but it could make it more difficult. Trustwave noted that only 5% of the 2 million passwords that were stolen had excellent passwords (meaning the passwords had all four character types and were longer than 8 characters).


Top 10 Worst Passwords of 2012



It’s sad that, even today, lists like this exist. Unfortunately, security continues to be a major issue for computer users around the world, thanks not only to malware and viruses but also to plain old lack of understanding by many users. The biggest problem can be insecure passwords, which account for many of the highest-profile hacks that make the news.

Recently the web site Techie Buzz put together the top passwords of 2012 using data from Splash Data. The results weren’t pretty, with “password” once again topping the list alongside such favourites as “123456” and many more easy-to-hack passwords that nobody should seriously consider using.

You can view the list below, but if you have family or friends who are less than sophisticated computer users then perhaps you should share this information with them. These are the first passwords tried in a basic dictionary attack, which can brute-force its way into an account in mere minutes. If you are using anything on the list below then please change it now. Add capital letters, numbers and symbols and, especially, more characters.

#    Password    Change from 2011
1    password    Unchanged
2    123456      Unchanged
3    12345678    Unchanged
4    abc123      Up 1
5    qwerty      Down 1
6    monkey      Unchanged
7    letmein     Up 1
8    dragon      Up 2
9    111111      Up 3
10   baseball    Up 1
11   iloveyou    Up 2
12   trustno1    Down 3
13   1234567     Down 6
14   sunshine    Up 1
15   master      Down 1
16   123123      Up 4
17   welcome     New
18   shadow      Up 1
19   ashley      Down 3
20   football    Up 5
21   jesus       New
22   michael     Up 2
23   ninja       New
24   mustang     New
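The lists in these posts are what a registration form should check against before a dictionary attack ever gets the chance. As an added example (not code from any of the sites or vendors mentioned), this Python turns the NCSC top 10 above, the three passwords Trustwave counted most often, and Trustwave’s “excellent password” bar (all four character types, longer than 8 characters) into a deny-list and a policy check; the deny-list is constructed from the figures on this page and the rejection wording is made up.

```python
import string

# Constructed deny-list: the NCSC top 10 quoted above plus the three passwords
# Trustwave counted most often in the Pony botnet haul.
DENYLIST = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678",
    "abc123", "1234567", "password1", "12345", "admin",
}
ALL_CLASSES = {"lower", "upper", "digit", "symbol"}

def character_classes(password: str) -> set:
    """Which of the four character types (Trustwave's criterion) are present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")      # anything else counts as a symbol
    return classes

def is_excellent(password: str) -> bool:
    """Trustwave's 'excellent' bar: all four character types and longer than 8."""
    return len(password) > 8 and character_classes(password) == ALL_CLASSES

def check_password(password: str) -> list:
    """Reasons a password is rejected at sign-up; an empty list means accepted.

    The deny-list match is case-insensitive, so 'Password1' is caught
    by the 'password1' entry.
    """
    reasons = []
    if password.lower() in DENYLIST:
        reasons.append("appears on the common-password deny-list")
    if len(password) <= 8:
        reasons.append("8 characters or fewer")
    missing = ALL_CLASSES - character_classes(password)
    if missing:
        reasons.append("missing character types: " + ", ".join(sorted(missing)))
    return reasons

if __name__ == "__main__":
    for candidate in ("123456", "Password1", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "accepted")
```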


Strong Passwords For Dummies



If you’re the kind of person who wants to use really strong passwords but you’ve a memory like a sieve, then PasswordCard might be for you.

It’s a credit card-sized set of random characters with symbols along the top and coloured bars which you keep handy in your wallet (or phone).

So how does it work? First of all, set yourself a standard for the length of the passwords, say 8, and direction, say right-to-left.

Let’s say you want a password for a music web site. Look along the top until you find the musical note symbol and then decide on a colour – yellow in this case. You go down to the yellow row and then start reading 8 characters from right-to-left. In this case it would be “cNKmSzNv”.

Anytime you return to the music site, all you have to remember is “note-yellow”, whip out the card and bang, you’ve got your strong password. Note... yellow... right-to-left... 8 letters.

Your bank could be “dollar-green”, social web site “smiley-yellow”, email “star-white” and so on. Much easier to remember those two combinations than eight letters of gibberish. There’s an option to generate a card with a PIN area, i.e. numbers only.

Each PasswordCard is different so there’s a unique number that you need to keep safe in case you need to regenerate it. Personally, I’d save the .jpg in multiple locations and print out a copy for a safety deposit box.
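As an added illustration (not the PasswordCard project’s own code or layout), this constructed Python model of the scheme regenerates a grid from its card number and reads a password by symbol, colour, direction and length. The 12 ASCII column symbols standing in for the printed pictograms, the five colour rows, the character alphabet and wrap-around reading at the row edge are all assumptions of the model.

```python
import random
import string

# Constructed stand-in for the card layout: one symbol per column and one
# coloured row per colour name. The real card uses pictograms and more columns.
SYMBOLS = "$@#%&*+=?!~^"
COLOURS = ("white", "yellow", "green", "red", "blue")
ALPHABET = string.ascii_letters + string.digits

def make_card(card_number: int) -> dict:
    """Regenerate a card from its number: the same number always yields the same grid,
    which is why the number must be kept safe."""
    rng = random.Random(card_number)
    return {colour: "".join(rng.choice(ALPHABET) for _ in range(len(SYMBOLS)))
            for colour in COLOURS}

def read_password(card: dict, symbol: str, colour: str,
                  length: int = 8, direction: str = "right-to-left") -> str:
    """Read `length` characters along the chosen row starting under `symbol`,
    wrapping around the row if the edge is reached (an assumption of this model)."""
    row = card[colour]
    start = SYMBOLS.index(symbol)
    step = -1 if direction == "right-to-left" else 1
    return "".join(row[(start + step * i) % len(row)] for i in range(length))

def print_card(card: dict) -> None:
    """Render the grid the way it would be printed: symbols across, colours down."""
    print("       " + " ".join(SYMBOLS))
    for colour, row in card.items():
        print(f"{colour:>6} " + " ".join(row))

if __name__ == "__main__":
    card = make_card(20240101)          # keep this number somewhere safe
    print_card(card)
    print("music site ($-yellow, 8, right-to-left):", read_password(card, "$", "yellow"))
    print("bank (&-green, 8, right-to-left):", read_password(card, "&", "green"))
```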

The brilliance of the PasswordCard is that even if a nefarious individual does get hold of the card, without knowing the symbol-colour combination, the direction of read and the number of characters, it’s nearly impossible to make use of it.

It’s also low tech, incredibly cheap and easily replaceable – perfect if you are going to be travelling and you are worried about theft.


Wear Your Email Safety Helmet



Whenever I want to feel fearful and depressed I usually visit one of the news websites. Earthquakes, murder, war, theft, snoops, kidnappers, recession, depression, corruption, and all other sorts of horrible news. When I read the news sites I’m reminded of how unsafe the world is. Soon I tire of the bad news and move on to investigate the net for news on tech and design. Today Foxnews.com had the audacity to remind me that I am unsafe even on the web. The site highlighted the news from Microsoft that thousands of Hotmail passwords had been exposed. It scared me to death. I nearly jumped to my Hotmail account before I even finished the article. Reading on I discovered that Microsoft had deactivated all the affected accounts until true control could be restored. Why do I care? Hotmail only collects my spam from sites that demand an email address. Hotmail lets through all the other spam anyway! But I digress.

The point of all this is: we are never safe. There is no safe haven in the world or the web. Every company does its best and so must we. Yet, sometimes problems may come. If we live with that understanding we can truly do our best to protect ourselves. When we react in panic there is no clear path of thinking. So with this reminder of our web identities’ fragility, what should we do? Let’s refresh four basic email and online account rules:

  1. Always use a secure password. Your birthday, name spelled backwards, address, mother’s name, dog’s name, middle name, favorite food, and initials hardly qualify. Use one of the many free random password generators on the web, or if you insist on an easier-to-remember one, then create a mixture of information that you can remember. For example, and purely fictitious: !S1eP99t9. This could be a combination of the month and year you and your spouse were married. Now while I would only call this a basic password, it sure beats “Fluffy”. Of course if you want your bank account to be protected by Fluffy, then more power to you.
  2. Never use the same passwords for multiple accounts. For that matter don’t do what I did at the start and use the same password with just the last letter different! Why would you want someone to have a free-for-all with all your accounts? Use different passwords and find an open-source or free password vault. I personally love 1Password for the Mac.
  3. Change your passwords periodically. I must admit it takes the misfortune of someone to remind me to do this.
  4. Don’t use a public computer. Many public computers are not adequately protected against the installation of malicious password key logging applications. Just don’t log in on a public computer. Just say no. And certainly don’t buy something online with your credit card information! Browse the web on it, read the news, just don’t give any information.

I understand these are basic tips, but sometimes we just need to be reminded to stay alert and on guard. Kind of like reminding our kids to wear their helmet when they ride a bike. Resist the urge to become lazy online. I don’t want to read about you on Foxnews.com.


Why You Need to Lie to be Secure



When you sign up for a new site that requires a logon with a password, it generally asks you to answer one or more security questions just in case you forget your password. These questions are simple ones like “What was the name of your first pet?”, “What street did you live on when you were growing up?”, “What city were you born in?”, “What month were you born?”. The idea is that if you forget your password, you just answer the security question and it will reset your password and allow you access.

This is how Twitter was hacked last month and how someone gained access to Sarah Palin’s yahoo email account last year. More and more people are joining social sites like Facebook and Twitter and posting personal information. Because the Internet doesn’t forget, this information is pretty easy to find by anyone willing to take the time to look.

This is why you should lie when you answer these simple “security questions.” Having a strong password is not enough if you answer a weak security question. Some sites allow you to pick your security question or even make up your own. What I find disturbing is the number of sites asking the same security questions (i.e. What city were you born in?). You can lie and give them the wrong answer, but then you have to remember the answer if you ever need to reset your password. If you use multiple sites and they all ask the same question, you should answer each one differently, just in case one of the sites is hacked and the security question answers are stolen. Now the problem is worse because you need to remember two lies.

I use both a Mac and a PC and have password programs for both machines. I make sure that I use a unique and strong password for every site that requires a logon so I really have no need for the security questions that some sites require. In fact, I wish I could disable the ability to have the correct answer to a security question reset my account. My password programs can generate and store away my logon information so I never run into the case of not having that information available (unless I forget my password logon information).

I can understand why you would need a way to reset your password if you are trying to log on to an email account, but I don’t understand why other secure sites do it that way. A number of sites have a “Forget your password” feature that sends your password to the email account that you used when you first created the account. As long as you keep your email account safe (strong, unique password and a non-searchable answer to a security question), don’t give out your password information, and don’t click on unknown links in emails, you should be fine.

More and more of our lives are spent online which means the more we depend on it for passing around sensitive information. Leaving a backdoor access at one site can mean a breach in the entire chain. In the case of Twitter, a hacker was able to guess the security question in an employee’s Gmail account, which opened the door to gaining access to Twitter. This should be a wake-up call for everyone to think about their own on-line security.

73’s, Tom