Nissan Security Breach Underscores Password Problem

Okta
April 27, 2012

Earlier this week, Nissan confirmed a network hack that comprised both employee names and encrypted passwords. Nicole Perlroth of the New York Times covered the news, citing the commentary of Nissan spokesperson David Reuter and Shawn Henry, former FBI cyber-cop. Perlroth reported that Nissan tracked the hacks back to an IP address, but according to Reuter:

“Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”

The difficulty in tracing intruders is further augmented by the sheer volume of attacks:

“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached,” Shawn Henry, the F.B.I.’s top former cyber cop who recently joined the cyber security start-up CrowdStrike, said in an interview. “I’ve seen behind the curtain. I’ve been in all the briefings. I can’t go into the particulars because it’s classified, but the vast majority of companies have been breached.”

This latest news of a major security breach made me think back to an earlier post from Mark Burnett, an IT security consultant and password expert. Burnett has been collecting passwords (without disclosing the list) since 1998. Mining through this data, he’s come to discover a few critical behaviors:

  • Although my list contains about 6 million username/password combos, the list only contains about 1,300,000 unique passwords.
  • Of those, approximately 300,000 passwords are used by more than one person; about 1,000,000 only appear once (and a good portion of those are obviously generated by a computer).
  • The list of the top 20 passwords rarely changes and 1 out of every 50 people uses one of these passwords.

With the vast majority of companies being breached and 1 out of 50 employees using a easy-to-guess password, employee identity management is a critical security consideration for IT departments. Employee password susceptibility must be accounted for in every security strategy.

Tags

Nissan Password Security Breaches
Previous
Next

April 16, 2024

Extend your passwordless journey to device login

By Cynthia Luu
Okta Device Access now supports passwordless login and FIDO2 YubiKeys for Desktop MFA Despite all the talk of driving workers back into the office, most…

Read now

April 15, 2024

Simple and secure user experiences: The latest on Okta Customer Identity Solution

By Ruchita Shah
Customer expectations are higher than ever, including access to the applications they need from any device, wherever they are in the world. Businesses are…

Read now

April 15, 2024

Fine Grained Authorization and new Okta Privileged Access features: The latest in Okta product capabilities

By Harish Peri
Welcome back to Okta’s Quarterly Release Overview! We’re excited to showcase our Q1 innovations from January–March. Dive into the latest capabilities,…

Read now

April 15, 2024

Jumpstart Identity with automation

By Frederico Hakamine
If you’ve ever found yourself thinking “Why does this process take so long? Don’t we have computers for that?” Well, you’re probably right. The strain you’re…

Read now

April 12, 2024

SMB Identity buyer's checklist

By Frederico Hakamine
TL;DR: Identity touches every point of your business. Here’s a checklist of what you should be asking yourself when shopping for an Identity solution.   …

Read now