Armour Comms launches industry leading secure Grou... » London: In direct response to customer demand, Armour Communications has announced the availability ... TDSi Supports Education Programme at IFSEC Inter... » Poole: Integrated security manufacturer TDSi will be sponsoring the Tavcom Training Theatre at IFSEC... 'POWER PLAYERS' INITIATIVE OPENS TO ENTRIES » Leading younger people from across the engineering services sector have a new opportunity to be reco... Multitone launches comprehensive EkoCare Communi... » Multitone Electronics plc has announced the launch of its new EkoCare range for healthcare facilitie... Momentum builds as Critical Communications World d... » Critical Communications World (May 16-18, Hong Kong) is the leading and most influential congress an... New initiative shows increasing importance of CSR » A major new survey on corporate social responsibility (CSR) is now open to electrotechnical busine... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTORA... » SERIES: BUHARISM AND THE FIERCE URGENCY OF NOW A treatise on pastoral jihadism, islamism, arabism a... Commvault partners with Pure Storage » Cisco Live, Melbourne, AU and Tinton Falls, NJ: Commvault has announced the integration of its Commv... OF FOOLS OF THE MIDDLE BELT, ONE NORTH AND PASTOR... » A treatise on pastoral jihadism, islamism, arabism and cultural imperialism in Nigeria (Ephesians ... Where was Aisha Buhari when idiot Kumapayi flagr... » "Clip-clip..clip-clip...Did you not hear when BABA DAURA say women's place is in the kitchen?" ...


Advertise with Vigilance


Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.


Subscribe to Vigilance Weekly

Information Security Header

FriendFinder breach highlights the need for better practice in password security

The FriendFinder Network breach is the most recent example of how poor password storage can exacerbate the impact of a breach and expose accounts to further exploitation. Storing passwords in clear-text, or using weak hashing schemes, will make it far easier for attackers to exploit the stolen data.

FriendFinder Networks owns several adult only websites where individuals input their own details in the hope of finding a match and this is not the first time it has been hit by a data breach. In May 2015, the details of four million users were leaked. Unfortunately, it seems that FriendFinder has not learnt its lesson, as this recent attack is very similar to the one it suffered last year. It would seem that it has done very little to improve its security, with many newly registered accounts having passwords still stored in clear-text.

The latest leak, which included 412 million FriendFinder users’ personal information, is the largest breach of its kind and just one more in a long list of high profile attacks to occur in the past few years. Customers who had previously deleted their accounts have also found their details to have been stolen, bringing to light the fact that FriendFinder is storing deleted customer account details without permission. It has become apparent that FriendFinder also did not store passwords using secure methods. In total, 99%of the passwords, including those hashed with SHA-1 or stored in plain visible format, were discovered by Leaked Source, a data breach monitoring service.

Furthermore, the effect of the breach of passwords was not limited to accounts on FriendFinder, as it is still a common practice for people to use the same password multiple times. This makes a hacker’s job far easier, as once they have successfully discovered a password they will try to use it on all other sites requiring one, potentially gaining access to numerous accounts.

Best practice for protecting passwords

FriendFinder is far from the only company to fall short when it comes to password best practice however, and there are a number of steps all companies should be taking to prevent themselves becoming the next headline.

When it comes to protecting sensitive information on websites, users should be advised on how to create strong passwords. Traditionally, the usage of a mixture of upper and lower case letters, words, numbers and symbols has been suggested. General advice is also to avoid using easily guessed combinations of words or numbers, especially consecutive ones or ones which someone could easily deduce, for example dates of birth or well known names connected to you. Words found in the dictionary can also be easy to hack, and there are password-cracking tools readily available on the internet that often contain dictionary and common word or name lists.

The National Cyber Security Centre (previously CESG) has recently published more modern advice on how to choose strong passwords. These guidelines encourage the usage of long, memorable phrases rather than short passwords that expire often. These are more difficult to crack for attackers.

But protecting passwords is not just a user’s responsibility. It is also essential that companies take appropriate measures to store user credentials. The current preferred way to store passwords is by using adaptive one-way functions that support the configuration of salts and work factors. Cryptographically strong salt values augment entropy and prevent dictionary attacks based on pre-computed lookup tables. Moreover, work factors allow us to impose long verification times on the attackers, making them less effective at cracking passwords at scale. Examples of such algorithms that should be used today to store passwords include: Argon2, PBKDF, scrypt and bcyrpt.

We must assume that, even with strong passwords and appropriate storage, an attacker could still in some cases manage to retrieve some passwords, such as through key loggers. In such cases, an additional defence-in-depth control should be considered in the form of multi-factor authentication as an obvious step to increase account security and mitigate the exposure of accounts whose passwords have been compromised.

Preventing password theft

Finally, it is also important to build processes and controls that help reduce the probability of credentials being stolen. The FriendFinder breach was reportedly caused by a Local File Inclusion (LFI) vulnerability. Introducing security activities from the very beginning in the Software Development Lifecycle and ensuring all developers are properly trained on security topics are good controls that would have helped prevent and/or detect this type of vulnerability before the application went live. ​

Given the number of large scale attacks we have seen in a relatively short space of time –TalkTalk and The Panama Papers, to name just two – it is more important than ever to ensure that organisation’s make data security a priority. They must implement software that will store all passwords following the most updated security guidelines. They also need to advise users on how to create strong passwords or passphrases that are difficult to guess or decipher using brute force methods. Every extra character used makes it an order of magnitude harder to crack.