Last week was a terrible week for password breaches. First LinkedIn revealed that about 6.5 million password hashes were posted online. Hot on the heels came the news that online dating website eHarmony and streaming music site Last.fm have suffered similar breaches.
Are these breaches a surprise? Not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on Web servers and data center networks every time it’s supplied by the user before it is hashed for comparison.
Attackers often merely need to compromise an edge-of-network Web server with some malware to steal every password as it is provided, or to steal the stored password hashes. Attackers may target what they perceive to be lower-security social media services, knowing that the same password may grant access to higher-value services such as retail or banking. Banks have known this for a long time; this is why they prompt for random characters rather than the whole password and rely on a wide range of security questions or one-time password (OTP) tokens...