Monday, 16 July 2012

Why password leaks are no longer acceptable

With the announcement that Yahoo have plugged their security gap: http://www.theregister.co.uk/2012/07/13/yahoo_fixes_password_hole/ I find it unacceptable that day-after-day we receive reports of people's valuable data being leaked, albeit sometimes by sophisticated hacking.
I believe it is time the industry introduced regulation to stop this happening. If I create an account with untrustedcompany.com, I have no-one to blame but myself if something happens to that data. I wouldn't give my data to a stranger on the street. Companies like Yahoo, local authorities and various other organisations however are trusted like shops or banks and why shouldn't they be? They are multi-million pound organisations who cannot complain that they do not have the resources or skills to prevent these kinds of problems.
How on earth does someone like Yahoo buy a company and not carry out the simplest audit in the world where question 1 is, Do you store passwords in plain text? I mean, honestly, there is ABSOLUTELY NO REASON you should be storing passwords in plain text. As everyone knows, most people share their password across multiple sites and Yahoo leaking a password might well be the key into EBay or Amazon.
Since they have this certification for SSL certificates called Enhanced Verification which gives you a green browser bar, why don't these enhanced checks include basic company policy checks like password storage policy and system security policy which, if misused, can result in revoking of the enhanced certificate and something intrusive and expensive to the company to regain?
Personally, I don't accept the tired and overused, "we apologize for this loss and are increasing our security as a result", it would be like a car driver saying, "I'm sorry about driving on the pavement and killing those people, I will now modify my policy to avoid driving on the pavement". This is well known security 101 and if these companies don't get the bascs right, they simply should not be trusted to provide web solutions.
Post a Comment