This week has been fairly interesting: the ‘professionals’ website LinkedIn was hacked, and roughly 6.5 million hashed user passwords were posted publicly. Almost immediately after that announcement came a report that Last.fm, a media website, had also been hacked and its user passwords compromised. And back in December 2010 the Gawker Media news sites were hacked as well…
It always interests me that when these websites get hacked, with user accounts and passwords taken or personal information compromised, there are almost no repercussions for the website for its breach of security. The only impact these sites take is a hit to their credibility and their reputation for security, and in the Internet age those things seem to be quickly forgiven.
Having a user ID and password stolen is a big deal. The first problem is that the website entrusted to keep that information secure failed the user; it did not protect the user’s information, as simple as that. But the problem is actually much worse, because most users reuse the same user ID and password on multiple websites. This is where it really gets bad…
Microsoft’s Hotmail took the problem of common passwords seriously enough that it banned the most commonly used ones outright.
Take, for instance, a very conscientious person who takes the time to create a unique user ID and a very strong password. If that user then uses the same ID and password on multiple websites, thinking his accounts are secure, he would be right, right up until one of those websites is breached. Password strength slows down guessing and cracking; it does nothing once the password itself is in an attacker’s hands.
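The cascade described above, as an added simulation that is not part of the original post. “Site A” and “Site B”, the user names and every credential are constructed for illustration. Site B was never breached and verifies logins against salted, iterated PBKDF2 hashes; the attacker has only the plaintext credentials recovered from the Site A dump and replays them against Site B’s login.

```python
"""Added example, not part of the original post: how a breach at one site
cascades to another through password reuse. "Site A", "Site B" and all
credentials below are constructed for illustration."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; real deployments tune this upward

# Constructed plaintext credentials recovered from the breached Site A
SITE_A_DUMP = [
    ("alice", "Tr0ub4dor&3"),    # strong, but reused on Site B
    ("bob", "password1"),        # weak and reused on Site B
    ("carol", "xK9#mVq2!pL8"),   # strong, and carol uses a different one on Site B
    ("dave", "letmein"),         # dave has no Site B account
]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, the way Site B stores its passwords."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Site B's own user table as (salt, digest). Site B has not been breached;
# only its login endpoint is reachable to the attacker.
SITE_B_USERS = {
    user: hash_password(pw)
    for user, pw in [
        ("alice", "Tr0ub4dor&3"),   # same as on Site A
        ("bob", "password1"),       # same as on Site A
        ("carol", "Q7!zRw4@nBv1"),  # unique to Site B
        ("erin", "g2$Lp0wXz7!e"),   # never had a Site A account
    ]
}


def site_b_login(user, password):
    """Site B's login check: an ordinary, correct salted-hash verification."""
    if user not in SITE_B_USERS:
        return False
    salt, digest = SITE_B_USERS[user]
    return verify_password(password, salt, digest)


def credential_stuffing(dump, login):
    """Replay every (user, password) pair from the dump against another site's login."""
    return sorted(user for user, password in dump if login(user, password))


if __name__ == "__main__":
    print("Site B accounts taken over:", credential_stuffing(SITE_A_DUMP, site_b_login))
    # Site B accounts taken over: ['alice', 'bob']
```

Site B did everything right with its own storage and still lost two accounts. What decided each outcome was reuse, not strength: alice’s strong password fell because it was the same one Site A leaked, while carol’s unique password kept her Site B account safe even though her Site A password is in the dump.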
So many websites require you to log in and create an account before you can do anything with the site’s services, even trial services or just testing things out. More often than not, a website or service is tested out and the account is left abandoned but never deleted. These are the accounts that can be hijacked and used against the user, and an abandoned account may hold even more personal information, making the experience even more damning.
It’s virtually impossible, and not reasonably expected, for every Internet user to create a unique ID and password for every website they visit; it’s simply not something people think about. To be perfectly honest, a good solution to this problem hasn’t been perfected. There are applications that will generate and remember your ID and password for every website, but the possibility of such a service being attacked, and every user ID and password you have ever used being stolen at once, is a scarier thought than most of us want to entertain.
Realize that every time a breach like this happens, a password list ends up somewhere on the Internet, and those lists get merged into what amounts to a master list of every password that has ever been used. The people who use such lists are the ones with malicious intent: they will take the list and slam every user ID they can find with every password and variation on it. It’s just a logical assumption.
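Seen from the website’s side, the attack just described leaves a recognisable trace: one source failing against many different accounts in a short time, occasionally getting in where a password was reused. Below is an added detector, not part of the original post, run over a constructed authentication log. The log format, addresses and user names are all made up for the example.

```python
"""Added example, not part of the original post: flag credential stuffing in
authentication logs. The log format and every entry below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: ISO-8601 timestamp, outcome, user, source address.
# 203.0.113.5 walks a leaked list through many accounts and lands one;
# 198.51.100.7 is one user mistyping her own password, then succeeding.
SAMPLE_LOG = """\
2012-06-07T10:00:01Z login_failed user=alice src=203.0.113.5
2012-06-07T10:00:02Z login_failed user=bob src=203.0.113.5
2012-06-07T10:00:02Z login_failed user=carol src=203.0.113.5
2012-06-07T10:00:03Z login_ok user=dave src=203.0.113.5
2012-06-07T10:00:04Z login_failed user=erin src=203.0.113.5
2012-06-07T10:00:09Z login_failed user=frank src=203.0.113.5
2012-06-07T10:00:30Z login_failed user=alice src=198.51.100.7
2012-06-07T10:00:45Z login_failed user=alice src=198.51.100.7
2012-06-07T10:00:50Z login_ok user=alice src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": outcome == "login_ok",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_stuffing(log_text, window=timedelta(seconds=60), min_failed_users=5):
    """Return {src: details} for every source that failed against at least
    min_failed_users distinct accounts inside one sliding window, together
    with the accounts it did get into during that window (likely reuse)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, current in enumerate(events):
            # advance the window start so events[start:end+1] spans at most `window`
            while current["ts"] - events[start]["ts"] > window:
                start += 1
            in_window = events[start:end + 1]
            failed_users = {e["user"] for e in in_window if not e["ok"]}
            if len(failed_users) >= min_failed_users:
                alerts[src] = {
                    "failed_users": len(failed_users),
                    "succeeded": sorted({e["user"] for e in in_window if e["ok"]}),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: failed against {info['failed_users']} accounts, "
              f"logged into {info['succeeded']}")
```

Counting distinct accounts that failed, rather than raw failures, is what separates the stuffing source from the legitimate user who fumbles her own password twice. The threshold is an assumption to tune per site: a shared NAT gateway with many real users will produce scattered failures across accounts, and a patient attacker will spread attempts over many source addresses, so this per-source view should be paired with a per-account view of the same data.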
I’m surprised more of these websites aren’t hit with lawsuits, but I’m sure there is something in the terms and conditions under which the user accepts a certain amount of risk in using the site, leaving the responsibility for creating a unique user ID and password for that particular website entirely with the user.
It’s almost as if these websites expect to be breached at some point and keep a canned response and response plan ready for when it happens. Because it’s not a question of whether it’s going to happen, but when…
They’re just hoping their reputation won’t be damaged too much…
I’m disappointed: LinkedIn has not so much as sent me a text message or an e-mail advising me that my account may have been compromised or that changing my password would be a good idea; nothing…
It wasn’t until later this afternoon that I saw this little indication that they were notifying users…
Larry Henry Jr.
…via Dragon NaturallySpeaking 11