The Futility of the Strong Password Solution

After experiencing a data breach, most companies take a number of measures to strengthen security, including advising users to change their passwords and to make them strong.

Although it stopped short of confirming that it was hacked or that any customer data had been exposed, Amazon-owned Twitch last week notified users that its network might have been hacked and that some user account information might have been exposed.

Among the actions Twitch took to protect its users were expiring passwords and stream keys, and disconnecting user accounts from Twitter and YouTube.

That meant users would have to create new passwords the next time they attempted to log into their accounts — and Twitch imposed new requirements that would force users to create strong ones.

One might think Twitch users would be upset at the possibility their data was stolen. However, the outcry that ensued was not due to fear of exposure. Users were angry that Twitch was attempting to force them to use unwieldy, difficult-to-remember passwords — like !70v3Gr33n@pple$auce?, which is the example the company provided of one it considered good.

Give Me a Break

“Why can’t I pick my own passwords? I don’t care how strong or weak they are, I want to be able to choose. There’s no point in making it stronger if whoever is hacking into your database is going to get access to it anyways,” wrote NO SEK on the Twitch user forum.

“The password requirements are stupid. It’s not our passwords that were bad – it’s THEIR SECURITY that is bad, and all the complex passwords in the world can’t fix that. This wasn’t a brute force attack on passwords, this was YOU ***failing*** to secure your servers. You got owned, not us,” wrote Murdabenne.

“Twitch, your security people are idiots, tell them to take a human factors class and then rethink your requirements for your users. Fix the problem, _your_ problem — which is your security, not our passwords,” Murdabenne added.

“I can’t remember passwords with capitals or more than one or two numbers. I seriously can’t. This is so ridiculous,” wrote Lumakiri.

“Who the f*ck thought of this system, this isn’t personal banking, let me use whatever password I desire,” said chronicpayne.

Twitch’s response? After being pelted by its subscribers, it did an about-face: “We’ve heard your concerns about overly-restrictive password requirements, and have reduced them to an 8-character minimum. Best practices regarding password security remain true.”

What’s at Risk

The degree to which users are at risk if hackers get their hands on passwords is highly variable.

“A lot of the risk threat is going to depend on what the criminals do with the information. There are two ways they can leverage it. One is decrypting the passwords. The other is using them on other social media sites,” said J. Wolfgang Goerlich, cybersecurity strategist at CBI.

“Typically users keep the same passwords for five or six different websites,” he told the E-Commerce Times.

Provided users adequately reset passwords to a more secure form, they should not have any additional risk on the Twitch site, noted Goerlich — but so many users objected that Twitch felt compelled to cave on its stronger-password requirements.

“That just goes to show you — breach after breach, simple things like having a reasonably complex password just get pushed down,” he said.

The fact that hackers may have obtained login information puts some Twitch users at risk elsewhere, said Chris Knapik, Thundertech digital support services manager.

“Because a person is able to subscribe to streams, or a user receives monetization from subscribers, payment information might be at risk of being leaked. Compromised information may include names, birth dates, phone numbers, addresses, usernames, email addresses and the last IP address logged in from,” he told the E-Commerce Times.

Twitch does store limited credit card information such as card type, truncated card number and expiration date, Knapik noted — but that wouldn’t be enough to put a person’s credit card information at risk.

The Amazon Question

Amazon last year acquired Twitch for US$970 million. Twitch has about 100 million viewers, on average, per month.

“Because Twitch is still a separate physical entity from Amazon, this breach has not affected anything with Amazon’s security,” Knapik pointed out.

That said, Amazon’s payment information for Twitch account holders might still be at risk — depending on the Twitch password, warned CBI’s Goerlich.

“If the user’s password is the same, that could give the criminals access to the user’s credit card information on Amazon … . Much of a user’s personal information could be available to let the criminal get past the challenge questions at login,” he said.

What’s Next

Considering the user rebellion against Twitch’s stronger-password requirements, it appears likely that many also rejected the company’s advice to change their identical or similar passwords on other sites.

That could put them at serious risk, suggested Alisdair Faulkner, CPO at ThreatMetrix.

“The issue is that if hackers capture an email and associated password, they can use that information anywhere users share that info,” he told the E-Commerce Times. “This makes it incredibly easy for them to begin purchasing goods in your name and have them shipped directly to a new drop-off site.”

Additionally, the leak of IP addresses can be useful for hackers. They can apply geolocation data to use proxies in close proximity to a Twitch user’s IP address, making fraudulent logins look authentic, Faulkner said.

“Twitch itself will most likely see an increase in fraud losses as previous purchases on their site made in their customer’s name start being reported and charged back,” he predicted.

However, the biggest concern is the impact this stolen information has downstream, added Faulkner. Hackers can use that information to directly buy and sell goods in your name, or even to escalate an attack elsewhere.

Jack M. Germain has been writing about computer technology since the early days of the Apple II and the PC. He still has his original IBM PC-Jr and a few other legacy DOS and Windows boxes. He left shareware programs behind for the open source world of the Linux desktop. He runs several versions of Windows and Linux OSes and often cannot decide whether to grab his tablet, netbook or Android smartphone instead of using his desktop or laptop gear. You can connect with him on Google+.
