What Can the Anonymous Password Hack Teach Us?
We learned today that the latest victims of email hacking here in the US were not average consumers suddenly staring down the barrel of identity theft (as is so often the case), but instead a whole host of Congressional staff who have had their usernames and passwords stolen and posted to a public website. While this will no doubt be a hassle for those staffers, and I don’t envy the systems administrators down on the Hill right now, we shouldn’t let this teachable moment pass us by.
What is perhaps most interesting about the hacked passwords is that they exemplify, in many cases, everything that you should not do when constructing a strong password. Many of them are just dictionary words with numbers tacked on to the end, the names of the staffers’ bosses, or their favorite sports team. While industry and security experts have tried to emphasize to users the importance of strong passwords, including how long they should be, not to use common words, and to include numbers and punctuation, obviously many people still use easy-to-guess passwords.
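As an added illustration (not code from the original post), here is a small policy check of the kind a site could run at password-creation time to reject exactly the patterns described above: a dictionary word with characters appended, a name or team tied to the account, too few character classes, or too short a length. It goes slightly beyond the post by also undoing common letter-for-number substitutions before the dictionary lookup. The word list and the context words are constructed stand-ins; a deployment would load a large wordlist and draw the context words from the user’s profile.

```python
import re

# Constructed stand-ins for a real dictionary and for account context
# (boss's name, favourite team). A deployment would load a large wordlist
# and take the context words from the user's profile.
COMMON_WORDS = {"password", "welcome", "summer", "capitol", "senate",
                "congress", "baseball", "football"}
LEET = str.maketrans("0134$@!", "oieasai")  # undo common substitutions
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def base_word(password):
    """Strip trailing digits/punctuation and undo leet-speak to expose the word."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    return stripped.lower().translate(LEET)


def weaknesses(password, context_words=(), min_length=12):
    """Return a list of policy problems; an empty list means the password passes."""
    issues = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        issues.append("uses fewer than three character classes")
    if base_word(password) in COMMON_WORDS:
        issues.append("dictionary word with characters tacked on the end")
    lowered = password.lower().translate(LEET)
    for word in context_words:
        # Only match reasonably long context words to avoid false positives.
        if len(word) >= 4 and word.lower() in lowered:
            issues.append(f"contains account-related word '{word}'")
    return issues


if __name__ == "__main__":
    # Constructed examples: a boss named Smith, a fan of the Nationals.
    ctx = ("Smith", "Nationals")
    for candidate in ("Capitol2013", "P@ssw0rd!", "GoNationals1",
                      "Rotunda-Elevator-94!"):
        print(candidate, "->", weaknesses(candidate, ctx) or "ok")
```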
Passwords alone, however, are not the end of the conversation in this day and age. There is little reason today why any information service can’t offer additional protections in its authentication process. One popular method is two-factor authentication, which is becoming more and more widely available online, from Google to Dropbox to Twitter. If that sounds familiar, it is because we’ve talked about it a couple of times here in the past.
We should all be thinking, however, of what comes next, because passwords are inherently a technology of yesterday that we should be working to move away from. Biometrics and other advanced technologies we haven’t even heard of yet are the future, and companies should be competing to develop them and roll them out to improve everyone’s security.
This area is one in which the federal government itself – including consumer-oriented agencies like the Federal Trade Commission – can and should play a strong role. Poor account security can cause massive consumer harm. That is why identity theft and security have been the number one complaint to the FTC for the past 5 consecutive years, according to the Commission. When the government itself is the victim, there can be no greater case for government-originated guidance, workshops, and institutional education on improving end-user security. No doubt, the public would benefit from agencies like the FTC and others bringing to bear their own experience on mitigating this persistent problem.