Today we all woke up to another bitter truth of another public big figure of the Internet being hacked into and details of users' credential posted on websites. The hacking into yahoo described as a union-based SQL injection that managed to exploit 450K users' credentials joins the rest that had happened, the ones we were trying to forget like the linkedin incident.
The credentials of 'Username' and 'password' exposed on the website by a hacking group calling themselves d33d indicated that more people used weak passwords including 'password123' which are easy to crack even by some one doing the first try. This shows a sign of weakness on the side of service users on the Internet.
Another link shows that these credentials were stored in plain text even for the passwords with out a single hashing algorithm. This reminds me that even my simple Linux Mint Laptop stores passwords in a shadow file which will take you some good time to crack even if you came across the file. One wonders why Yahoo, a giant firm could do such a great mistake?
In another angle, we have seen companies enabling 'strong password' rules for all those who wish to open up accounts with them. These strong password rules are all over the web which include but not limited to, having an alphanumerical password with a capital letter. Having a password phrase longer than 6 characters and other things. But the same report showed that some people had passwords less than three characters, passwords like, 'qwerty', '123456' and so many others. Why could Yahoo of all companies allow such passwords on their network in the first place.
I wouldn't want to mention the firewall and network security to avoid things like Injections because those ones are a little more complex but a company of yahoo's strength and financial standing, would be able to invest in any sort of security measures.
It is on this note that I ask, who would you blame for the rampant hacking of user credentials on popular networks? Would you take the users as weak and lazy, or the providers as people who don't mind about security?
No comments:
Post a Comment