In late 2010, the popular website Gawker and several other websites owned by the Gawker Media group were breached by hackers who stole the usernames and passwords of more than 1.5 million people. The hackers published the stolen login credentials, revealing that thousands of people simply used “password” as their password. Knowing that many people use the same password on multiple websites, spammers used the stolen Gawker login credentials to access hundreds of thousands of accounts on other websites including Twitter and LinkedIn, for the purpose of spreading spam and malicious links.
The incident is not unique. In 2009, a data breach exposed the usernames and passwords of 32 million users of the social website RockYou.com and it’s estimated that 10 percent of those login credentials could also be used to access those peoples’ PayPal accounts! These breaches expose the poor password practices of most Internet users and demonstrate how easily hackers take advantage of those practices to compromise a large number of accounts across many different websites – even those websites that otherwise have strong security.
It’s easy to lay blame on the users for having chosen weak passwords and using the same password on multiple websites, but the reality is that people simply can’t remember a different strong password for every website they register with. Security experts advise people to have strong passwords with at least 12 random characters including letters, numbers and symbols, but the average user has more than 25 online accounts. The cognitive burden of remembering so many strong passwords is overwhelming, so people resort to old habits despite the security risks.
To improve password practices on the Web – and thereby improve security across all websites – the burden cannot lie solely on users. A recent study by showed that most websites are guilty of having weak authentication standards and enabling bad password practices by users. Of the websites studied, less than 3% required passwords to be more than six characters long, only 1% required users to include non-alphanumeric symbols in their password, and only 9% performed a simple dictionary check to prevent users from choosing “password” as their password.
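The three server-side checks the study measured (a minimum length, a non-alphanumeric requirement, and a dictionary check against common choices such as “password”) are easy to enforce at registration. The following is an added example, not code from the article or from any vendor it mentions: it uses the 12-character minimum quoted as expert advice above, and the common-password set is a small constructed sample standing in for a full leaked-password list such as the RockYou dump.

```python
import re
import string

# Constructed sample of commonly chosen passwords (the Gawker and RockYou leaks put
# "password" at the top). A real deployment would load a large leaked-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein", "monkey",
}

MIN_LENGTH = 12  # the "at least 12 random characters" advice quoted in the article


def check_password(pw, min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Return a list of policy violations; an empty list means the password passes.

    Checks, in order: minimum length, presence of letters, digits and a symbol
    (string.punctuation), and a dictionary check that also catches the usual
    "password1!" trick of appending digits or symbols to a common word.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    # Dictionary check: compare case-insensitively, and also with any trailing
    # run of digits/symbols removed so "Password1!" is still recognised.
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if base in common or stripped in common:
        problems.append("in common-password list")
    return problems


def is_acceptable(pw):
    """Convenience wrapper for a registration handler: True only if no violations."""
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "correct-horse-battery-42!"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Rejecting a password at registration is the cheap part; the dictionary list is what makes the check meaningful, so it should be large and refreshed as new breach corpora become public.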
The interconnected nature of the Web, the domino effect of poor password practices, and the amount of sensitive information shared and stored online means that more websites must make strong authentication standards a priority. The availability of image-based authentication solutions makes it easy for websites to employ one-time passcodes for logins, which can replace passwords completely or be added to the password to strengthen the security of the login even if the user has a weak password. The widespread use of mobile smartphones makes it possible for consumer-facing websites to employ two-factor authentication without using tokens, smart cards or biometrics – tools that typically are not practical for use on consumer-facing websites.