Nissan Security Breach Underscores Password Problem

Earlier this week, Nissan confirmed a network hack that comprised both employee names and encrypted passwords. Nicole Perlroth of the New York Times covered the news, citing the commentary of Nissan spokesperson David Reuter and Shawn Henry, former FBI cyber-cop. Perlroth reported that Nissan tracked the hacks back to an IP address, but according to Reuter:

“Hackers can bounce things off servers all over the world, so the entry I.P. address is not necessarily where the hack originates. The trail goes cold pretty quickly.”

The difficulty in tracing intruders is further augmented by the sheer volume of attacks:

“There are two types of companies: companies that have been breached and companies that don’t know they’ve been breached,” Shawn Henry, the F.B.I.’s top former cyber cop who recently joined the cyber security start-up CrowdStrike, said in an interview. “I’ve seen behind the curtain. I’ve been in all the briefings. I can’t go into the particulars because it’s classified, but the vast majority of companies have been breached.”

This latest news of a major security breach made me think back to an earlier post from Mark Burnett, an IT security consultant and password expert. Burnett has been collecting passwords (without disclosing the list) since 1998. Mining through this data, he’s come to discover a few critical behaviors:

  • Although my list contains about 6 million username/password combos, the list only contains about 1,300,000 unique passwords.
  • Of those, approximately 300,000 passwords are used by more than one person; about 1,000,000 only appear once (and a good portion of those are obviously generated by a computer).
  • The list of the top 20 passwords rarely changes and 1 out of every 50 people uses one of these passwords.

With the vast majority of companies being breached and 1 out of 50 employees using a easy-to-guess password, employee identity management is a critical security consideration for IT departments. Employee password susceptibility must be accounted for in every security strategy.