Twitter Latest Victim of Weak Password Breach

November 12, 2012 by Mike Byrnes

Today, it’s Twitter that has fallen victim to a breach stemming from weak passwords. That is not surprising: we have seen username and password breaches at many online service providers over the years, including Sony PlayStation Network, Gawker, Zappos, Dropbox, Epsilon, LinkedIn and Yahoo, and the list goes on and on.

The problem stems from two main facts:

1) Internet-based services/applications continue to grow and expand every single day and consumers take advantage of them

2) These services are all independent of one another; each maintains its own set of user credentials and puts forth “best efforts” in protecting those credentials

Each online service issues its own set of credentials and needs a simple method to onboard users, so it typically defaults to usernames and passwords. End users have so many usernames and passwords that they tend to re-use them.

Unsurprisingly, usernames and passwords are commonly re-used across services. This allows criminals to attack one provider’s credential database, harvest account credentials, and then use them (or sell them to other criminals) to obtain data or money from other online services where the same credentials work. While online service providers do their best to protect user credentials, they simply don’t have the breadth of resources to provision a solution that is both secure and simple for end users.
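The replay of harvested credentials against a second service leaves a recognisable footprint on that service’s side: one source trying many different accounts, one attempt each, with most attempts failing because only the users who re-used their password match. The following is an added example (not code from the original post or from Entrust) of a defender-side heuristic that separates that pattern from an ordinary user fumbling their own password. The log format and the thresholds are assumptions for the illustration, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from Twitter or any real service).
# Assumed format: "<timestamp> src=<ip> user=<name> result=SUCCESS|FAIL".
SAMPLE_LOG = """\
2012-11-12T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2012-11-12T09:00:01Z src=203.0.113.5 user=bob result=FAIL
2012-11-12T09:00:02Z src=203.0.113.5 user=carol result=SUCCESS
2012-11-12T09:00:02Z src=203.0.113.5 user=dave result=FAIL
2012-11-12T09:00:03Z src=203.0.113.5 user=erin result=FAIL
2012-11-12T09:00:03Z src=203.0.113.5 user=frank result=FAIL
2012-11-12T09:00:04Z src=203.0.113.5 user=grace result=FAIL
2012-11-12T09:00:04Z src=203.0.113.5 user=heidi result=FAIL
2012-11-12T09:00:05Z src=203.0.113.5 user=ivan result=SUCCESS
2012-11-12T09:00:05Z src=203.0.113.5 user=judy result=FAIL
2012-11-12T09:01:10Z src=198.51.100.7 user=alice result=FAIL
2012-11-12T09:01:15Z src=198.51.100.7 user=alice result=FAIL
2012-11-12T09:01:20Z src=198.51.100.7 user=alice result=SUCCESS
2012-11-12T09:02:00Z src=192.0.2.9 user=bob result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-address login statistics."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that logged in successfully from this source; inside a flagged
    # burst these are the users whose re-used password matched.
    succeeded: set = field(default_factory=set)


def parse(log_text):
    """Aggregate login attempts per source address; malformed lines are skipped."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded.add(m["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_failure_ratio=0.6):
    """Return {source: [accounts that succeeded]} for sources that look like
    credential replay: many distinct accounts and a high failure ratio.
    A single user retrying their own password touches one account and is
    not flagged. Thresholds are illustrative assumptions."""
    flagged = {}
    for src, s in stats.items():
        ratio = s.failures / s.attempts if s.attempts else 0.0
        if len(s.users) >= min_users and ratio >= min_failure_ratio:
            flagged[src] = sorted(s.succeeded)
    return flagged


if __name__ == "__main__":
    for src, accounts in flag_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: credential replay suspected; matched accounts: {accounts}")
```

On the constructed log, the source 203.0.113.5 tried ten different accounts with eight failures and is flagged, while 198.51.100.7 (one user, three tries) is not. The accounts that did succeed inside the flagged burst are the ones whose re-used password matched, so they are the accounts to force through a password reset or a second factor.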

Let’s face it, the Internet, with all of its applications, services and information, is mature, mainstream, and has achieved mass adoption. It has clearly proven its ongoing value to the world, but the security underpinning it has not received due attention and is slowly becoming its true Achilles’ heel.

Online service providers need to come together and start moving toward a stronger, easier approach to identity-based security. HTTPS will not cut it; database firewalling will not cut it; encrypted usernames and passwords won’t cut it.

The giants of the Internet need to move toward strong user credentials that:

  • Cannot be stolen or replicated
  • Can be easily leveraged across multiple service providers
  • Are simple to use on an ongoing basis (preferably by leveraging something the user already has, like a smartphone)

The good news is that the underlying technology exists, is proven and it’s standards-based. The bad news? An event more significant than a Twitter breach will have to occur before we wake up and smell the coffee.

Mike Byrnes

About

Entrust product manager Mike Byrnes has more than 20 years’ experience in product management and technology marketing with a focus on internet security and business communication systems. Mike drives product marketing for the Entrust IdentityGuard authentication platform with a significant focus on mobile solutions. In addition to mobile, his background covers identity and access management, fraud detection, malware protection, and email encryption solutions. Mike serves as vertical market prime for Entrust financial services segment, working with large banks across the globe to roll out solutions to their consumer- and corporate-banking client base.
