There's no room in authentication for amateurs

000Webhost hack shows sloppy practices by identity providers rob end-users of any defenses

It's bad enough when you look at the list of Top 10 passwords used on the Internet, but, as 000Webhost showed this week, it's even worse when your infrastructure is defenseless with passwords stored in plaintext.

Google and other identity providers have begged online services for years to get out of the password game, citing complexity, liability, lack of expertise and the threat of becoming the next breach headline. Thirteen million 000Webhost customers wish the service had listened.

In 2013, the password-cracker program oclHashcat-plus was upgraded to break passwords as long as 55 characters; none of the Top 10 passwords in use today by millions of end-users is longer than nine characters (123456789 came in at No. 6). But even then, 000Webhost was storing passwords in plaintext, so the idea of a complex password, even one of 56 characters and off the oclHashcat-plus radar, never had a fighting chance as a secret.

Those 000Webhost customers that reused their passwords at other sites got the biggest whammy, in that hackers will use them to discover and penetrate those additional sites. Data stolen from 000Webhost and dumped online also included usernames and email addresses, making it even easier for hackers to enjoy this secondary attack adventure.

The amateur status of 000Webhost was revealed in many ways: unencrypted HTTP communications on the login page, plaintext passwords in URLs, lack of hashing, and outdated and vulnerable platform software. The Lithuanian service advertises reliable and high-speed web hosting for free and used that platform to up-sell other services. The freemium model is often fraught with peril, such as a lack of adequate security.

So what is the answer? The industry isn't quite sure yet, but it obviously includes a lot of variables.

End-user habits need to change, security tools need to get easier to use, awareness of rights (and risks) will have to rise, and passwords can no longer be offered as a security boundary guarding sensitive data and applications.

For service providers, clear laws outlining liabilities and record fines may be the best way to signal that collecting and storing passwords is no longer a business strategy but a minefield best outsourced to a professional service.

As I wrote earlier this year, courts and crooks are already redefining what constitutes a secure digital landscape.

The barrier to entry for a more secure digital world will include re-tuning and retrofitting infrastructure, but it will be defined by cost. As a starting point for that discussion, the estimated cost to convert the current U.S. credit card system to the more secure EMV chip-and-pin was pegged at $8.65 billion, roughly $27 per U.S. citizen.

But consider this: 000Webhost's tagline reads "Better than paid hosting."

Perhaps it needs a refresh: You get what you paid for.
