By Donato Capitella, Senior Security Consultant at MWR InfoSecurity
The recent FriendFinder Networks breach is one of the latest examples of poor password storage. Apart from the reputational damage, poor password management and storage makes the impact of a data breach on an organisation far worse, and may expose the breached accounts to further exploitation: storing passwords in clear text or using weak hashing schemes makes it far easier for cyber criminals to exploit the stolen data.
FriendFinder Networks owns several adult only websites where individuals enter their private details in the hope of finding a match. However, this was not the first time that the website has been hit by a data breach. In fact, during May 2015 the details of four million users were leaked in a similar cyber attack. Unfortunately, it would seem that FriendFinder has done very little to improve its cyber security, with many newly registered accounts having passwords still stored in clear-text.
The latest leak, which included 412 million FriendFinder users’ personal information, is the largest breach of its kind and just one more in a long list of high profile attacks to occur in the past few years. Customers who had previously deleted their accounts have also found their details to have been stolen, bringing to light the fact that FriendFinder is storing deleted customer account details without permission. It has also become apparent that FriendFinder does not store passwords using secure methods. In total, 99% of the passwords, whether hashed with SHA-1 or stored in plain text, were recovered by Leaked Source, a data breach monitoring service.
Furthermore, the effect of the breach of passwords was not limited to accounts on FriendFinder, as it is still a common practice for people to use the same password multiple times. This makes a hacker’s job far easier, as once they have successfully discovered a password they will try to use it on all other sites requiring one, potentially gaining access to numerous accounts.
Best practice for protecting passwords
There are a number of steps that all companies should be taking to prevent themselves becoming the next headline.
When it comes to protecting sensitive information on websites, users should be advised on how to create strong passwords. Traditionally, the usage of a mixture of upper and lower case letters, words, numbers and symbols has been suggested. General advice is also to avoid using easily guessed combinations of words or numbers, especially consecutive ones or ones which someone could easily deduce, for example dates of birth or well known names connected to you. Words found in the dictionary are also easy to crack, and password-cracking tools readily available on the internet often ship with dictionaries and lists of common words and names.
But protecting passwords is not just a user’s responsibility. It is also essential that companies take appropriate measures to store user credentials.
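As an added illustration of what "appropriate measures to store user credentials" means in practice (example code, not MWR's or FriendFinder's), the following Python contrasts the unsalted SHA-1 scheme reported in the breach with a salted, slow, self-describing password record. It uses only the standard library; the 600,000 PBKDF2 iteration count is an assumption taken from common guidance at the time of writing and should be tuned to your own hardware.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is an assumed policy value; raise it
# as hardware gets faster, and use needs_rehash() to upgrade old records at login.
ITERATIONS = 600_000
SALT_BYTES = 16
DK_LEN = 32
ALGO = "pbkdf2_sha256"


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1 of the kind the breach exposed: fast and deterministic, so
    two users with the same password get the same digest and precomputed tables
    (rainbow tables, leaked-digest lookups) apply directly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (base64 fields).
    Storing the parameters with the digest lets verification and future upgrades
    work without a separate schema change."""
    salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords differ at rest
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DK_LEN
    )
    return "{}${}${}${}".format(
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time,
    so timing does not reveal how many leading bytes matched."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record: fail closed
    if algo != ALGO or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a stored record falls below current policy (wrong algorithm,
    malformed, or too few iterations). Call after a successful login and
    re-store hash_password(password) while the clear text is still available."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    print("legacy, same digest:", legacy_sha1("summer2016") == legacy_sha1("summer2016"))
    record_a = hash_password("summer2016")
    record_b = hash_password("summer2016")
    print("salted, different records:", record_a != record_b)
    print("verify ok:", verify_password("summer2016", record_a))
    print("verify wrong:", verify_password("Summer2016", record_a))
```

The record format is deliberately explicit so that a later move to a stronger work factor or a memory-hard function can be handled per user at their next login rather than by a risky bulk migration.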
We must assume that, even with strong passwords and appropriate storage, a cyber attacker could still in some cases manage to retrieve some passwords, such as through key loggers. In such cases, additional controls should be considered in the form of multi-factor authentication as an obvious step to increase account security and mitigate the exposure of accounts whose passwords have been compromised.
Preventing password theft
Finally, it is also important to build processes and controls that can help reduce the probability of credentials being stolen. The FriendFinder breach was reportedly caused by a Local File Inclusion (LFI) vulnerability. Introducing security activities from the very beginning in the Software Development Lifecycle and ensuring all developers are properly trained on security topics are good controls that would have helped prevent and/or detect this type of vulnerability before the application went live.
Given the number of large scale attacks we have seen in a relatively short space of time, it is more important than ever to ensure that organisations make data security a priority. They must implement software that stores all passwords following the most up to date security guidelines. They also need to advise users on how to create strong passwords or passphrases that are difficult to guess or decipher using brute force methods. Every extra character used makes it an order of magnitude harder to crack.