Know your data 37: one billion passwords

What one billion stolen passwords tell us

Quartz reported that anyone with money can buy one billion plain-text passwords from an anonymous seller.

This news tells us some things about cybersecurity, or the impossibility of it.

***

What have we been told about passwords?

We are told that if we make it super complicated, it will be much harder for bad players to guess it. Here is one recent set of rules that made my stomach churn ... from laughter.

This business wants the password to have between eight and ten characters. That by itself is not funny but after that requirement, it wants at least one letter, at least one number, at least one special character, and at least one capital letter. Soon, I found myself solving a puzzle.

If I were a machine that could remember any randomly generated set of nine characters, then it would not be laughable; but I'm a human who wants to embed cues that make the password easier to remember!

(Don't get me started on the head start given to any hacker by telling them that every one of the passwords has between eight and ten characters! Why not restrict it to nine characters exactly?)
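As an added worked example, not from the original post: the number of passwords the rule above admits (eight to ten characters, at least one letter, number, special character and capital letter, counted by inclusion-exclusion over those four overlapping requirements), set against the same rule with the length fixed at exactly nine and against an unrestricted 8-to-10-character string. The 94-character printable ASCII alphabet and the policy-checking helper are assumptions of this example.

```python
import math
import string
from itertools import combinations

# Assumed alphabet: the 94 printable ASCII characters (space excluded).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# The four requirements exactly as the post lists them. "letter" overlaps
# with "capital", which inclusion-exclusion over character sets handles.
REQUIRED = {
    "letter": set(string.ascii_letters),
    "number": set(string.digits),
    "special": set(string.punctuation),
    "capital": set(string.ascii_uppercase),
}


def count_passwords(length, required=REQUIRED, alphabet=ALPHABET):
    """Strings of `length` over `alphabet` that contain at least one character
    from every set in `required`. For each subset of requirements that is
    violated, the string must avoid the union of those sets; alternate signs."""
    sets = list(required.values())
    total = 0
    for k in range(len(sets) + 1):
        for violated in combinations(sets, k):
            excluded = set().union(*violated)
            total += (-1) ** k * (len(alphabet) - len(excluded)) ** length
    return total


def policy_space(min_len, max_len, **kw):
    """Total admitted passwords for lengths min_len..max_len inclusive."""
    return sum(count_passwords(n, **kw) for n in range(min_len, max_len + 1))


def check_policy(pw, min_len=8, max_len=10, required=REQUIRED):
    """True if `pw` satisfies the stated rule (length and all four classes)."""
    return (min_len <= len(pw) <= max_len
            and all(any(c in s for c in pw) for s in required.values()))


if __name__ == "__main__":
    for label, n in (
        ("8-10 chars, all four classes", policy_space(8, 10)),
        ("exactly 9 chars, all four classes", policy_space(9, 9)),
        ("8-10 chars, no class rules", sum(94 ** n for n in range(8, 11))),
    ):
        print(f"{label}: about 2^{math.log2(n):.1f} candidates")
```

Comparing the three printed figures shows how much of the space the length range and the class rules each remove, which is the concrete form of the "head start" the post refers to.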

Recently, we have been told that if we put all our passwords in one place behind a password manager, they would be safe.

We are also told that websites and companies encrypt our passwords, so that they can't be intercepted and read.

We are told that no responsible company should store passwords in plain text.

The hacker has just exposed the reality that none of those measures work as advertised. If businesses aren't storing passwords in plain text, then how did the hacker get hold of the plain-text passwords? Suppose the hacker found only masked passwords and was somehow able to convert them to plain text: what does that say about the various masking techniques, such as encryption, hashing, salting, and so on? If hackers can buy plain-text passwords online, are they really guessing our passwords until they find the correct one?

The reporter rightly connects the surge in scams to technologies such as cloud servers and AI. People love these technologies because they bring convenience and efficiency - but as everyone who has taken their shoes off at airport security knows, security measures are neither convenient nor efficient.