You may have seen over the last few days reports of MySpace username and password combinations for sale on hacker spaces. MySpace was breached, and as many as 360 million accounts with 427 million passwords may have been stolen. Yes, MySpace has long since been dominated by almost all other social networks that you can think of today. So who cares?
The first topic applies directly to the user – password reuse. We have talked about this numerous times in previous blogs, and the point still stands. The odds are favorable that either you or your coworkers have/had an account with MySpace. As people moved away from MySpace they probably never deleted their accounts. So their account is still just sitting there. What if you used the same password for MySpace that you used when you set up Facebook? What if it’s different, but uses the same pattern? As we’ve said before — STOP MAKING UP PASSWORDS! Password managers are ubiquitous, free, and solve this exact problem. Many people are prone to password reuse because they are either ignorant of password managers or just too lazy to implement them. Breaches like these are often the genesis of broader cyber crimes involving compromised email accounts. So for the fourth (or fifth, or sixth, I forget) time, get a password manager, let it make good passwords for you, and don’t reuse passwords or password patterns!
The other lesson here goes to anyone or any company hosting or developing an application that stores credentials. The biggest sins MySpace committed were not salting their passwords and only using SHA-1 for protection. For a really quick overview… SHA-1 is a cryptographic hash function (often loosely called encryption) used to mask a plaintext value such as a password. As of earlier this year, browsers such as Internet Explorer, Firefox, and Chrome announced they will stop accepting certificates using SHA-1 because they are no longer secure. For stored passwords the problem is worse still: SHA-1 is fast, and without a per-user salt every user who picked the same password gets the same hash, so one precomputed table of common passwords unmasks all of them at once. So, long story short, hashing passwords with unsalted SHA-1 is like not protecting them at all.
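To make the salting point concrete, here is an added example (not MySpace's code or anything from the original post) that puts the unsalted SHA-1 scheme beside a salted, deliberately slow one. The four-word "common password" list is constructed for the demo, and the PBKDF2 iteration count is an assumed placeholder to be tuned for your own hardware.

```python
import hashlib
import hmac
import os

# --- Weak scheme: unsalted SHA-1, the pattern the breach exposed ---
def sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# --- Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256) ---
PBKDF2_ITERATIONS = 200_000  # assumption: pick a count that costs real time on your servers

def make_record(password: str) -> dict:
    """Store salt, iteration count and hash together so each user is verified independently."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}

def verify(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])  # constant-time compare

# Constructed sample: a tiny table of common passwords hashed once with plain SHA-1.
# Because there is no salt, the same table matches every unsalted dump ever leaked.
COMMON = ["password", "123456", "qwerty", "letmein"]
LOOKUP = {sha1_unsalted(p): p for p in COMMON}

def recover_unsalted(stored_hashes):
    """Return the subset of leaked unsalted SHA-1 hashes that fall to a simple table lookup."""
    return {h: LOOKUP[h] for h in stored_hashes if h in LOOKUP}

def demo() -> dict:
    # Two of three "users" chose common passwords; the third chose a passphrase not in the table.
    leaked = [sha1_unsalted("password"), sha1_unsalted("letmein"), sha1_unsalted("correct horse")]
    recovered = recover_unsalted(leaked)
    rec_a, rec_b = make_record("password"), make_record("password")  # same password, two users
    return {
        "recovered_count": len(recovered),                       # 2: table lookup, no cracking
        "salted_records_differ": rec_a["hash"] != rec_b["hash"],  # True: salt breaks the table
        "verify_ok": verify("password", rec_a),                    # True
        "verify_wrong": verify("passw0rd", rec_a),                 # False
    }

if __name__ == "__main__":
    print(demo())
```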
So we have learned, again, that the onus is on the service provider AND the user. Consider it a shared responsibility. As the user, make sure you are doing a sufficient job at protecting yourself to the best of your ability. As the service provider, you have the responsibility to do everything in your power to keep that trusted data secure, including not trusting users.
You can’t blame MySpace for your reuse of a password on another system! But you can blame them for not being diligent in protecting what you gave them.