Disasters Waiting to Happen With Your Personal Data

Internet security requires both users and websites to follow safe practices. Consumers should use multiple passwords across websites, while companies should do their best to guard users' data. However, it is particularly bad when companies follow substandard practices as they have the potential to expose the data of millions of users all at once. Besides weakening Internet security for everyone, this laxity can have major consequences for companies like bad PR, fines, and much more. Read on for a history of password security failures and a list of four companies that are currently putting your data and themselves at risk.

Password security
Consumers often fall short on holding up their end of the bargain when it comes to Internet security. Microsoft Research conducted a comprehensive study of people's password habits in 2007. The company found that people had on average 25 online accounts but just 6.5 passwords. This is bad, because one leaked or stolen password could grant someone access to several accounts.

Many companies use weak encryption to safeguard consumer passwords. Recent examples include Adobe (NASDAQ: ADBE  ) , which had 150 million passwords leaked in 2013, and LinkedIn, which had 6.5 million passwords leaked in 2012. Adobe's password list was encrypted, but its reversible encryption allowed hackers to reverse-engineer users' passwords. Each time a new list is leaked, password-crackers get stronger, as they can first run these old lists against account management systems.As people frequently use the same passwords across multiple sites, many passwords will easily be broken with these lists.

It gets worse
The worst thing a company can do is store passwords in plaintext, i.e. unencrypted. Last year, Cupid Media had 42 million plaintext passwords leaked, while Rockyou had 32 million leaked in 2009. Besides fines from the Federal Trade Commission and other expenses dealing with the fallout, the biggest risk for companies is the loss of consumers' trust and the terrible PR that comes with a data leak.

It blows my mind when I come across companies that store passwords in plaintext or an easily reversible format. The following four companies all store passwords weakly, putting your data at risk. If these companies were storing your passwords safely, they would not be able to email your password.

1. Marriott International (NASDAQ: MAR  )

2. Royal Caribbean Cruises (NYSE: RCL  )

3. The NFL's

4. 1-800-Flowers  (NASDAQ: FLWS  )

Modern best practices for password encryption call for the use of unique-to-the-password, one-way mathematical functions to store passwords as what's called "hashes." Using one-way mathematical functions means you can calculate the hash from the password, but you cannot figure out the password if you only have the hash. As such, companies never store your actual password; they simply run it through the formula and see whether its output matches up with the hash. Password encryption gets more complicated than this with another process called "salting" and the use of key derivative functions to vary the length of the hash functions. In any case, however, companies should never be able to tell you your password

These companies are taking the risk that hackers will have easy access to users' password data if they ever experience a database breach. Like motorists who drive without seatbelts because they're "good" drivers, these companies are putting themselves and others at risk in the event of an accident.

Accidents do happen; just look at how Target (NYSE: TGT  ) was breached by hackers using stolen credentials from one of the company's refrigeration contractors. The immediate cost of the breach was $61 million dollars -- fairly small for a company of Target's size. But the loss of consumer confidence was immediate: The number of transactions dropped 5.5% in the fourth quarter compared to the year before. The company summarized the situation it is facing in its most recent annual report:

Until the fourth quarter of 2013, all incidents we experienced were insignificant. The Data Breach we experienced was significant and went undetected for several weeks. We experienced weaker than expected U.S. Segment sales immediately following the announcement of the Data Breach, and we are currently facing more than 80 civil lawsuits filed on behalf of guests, payment card issuing banks and shareholders. In addition, state and federal agencies, including State Attorneys General, the Federal Trade Commission and the SEC, are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. Those claims and investigations may have an adverse effect on how we operate our business and our results of operations.

It will be years before the full cost of the breach to Target will be known -- if it ever is. While you can't always ensure that companies will do their part to protect your data, there are some simple ways to boost your Internet security.

Nine simple tips to boost your data security

  1. Use long passwords. There are simple ways to create and remember longer passwords.
  2. Don't reuse the same password across multiple websites.
  3. Use two-step authentication wherever possible.
  4. Choose obscure answers to your password retrieval questions.
  5. Use antivirus software and set it to update automatically.
  6. Set all software you use to update automatically.
  7. Use BillGuard to monitor your credit card. BillGuard is a free monitor for your credit and debit cards. It uses crowdsourced data to create the most advanced fraud-monitoring system, which it sells to credit card companies.
  8. If you receive a suspicious email, do not open it, particularly if it has attachments.
  9. If you receive a suspicious email from someone you know, especially if it has attachments or links that seem suspicious, call (do not email) the person to confirm he or she sent it.

Foolish takeaway
The companies noted in this article are taking risks with users' data due to their weak protection of passwords. Don't reuse passwords across sites, especially the ones above.

Your credit card may soon be completely worthless
As data security becomes more important, especially after Target's credit card data breach, the plastic in your wallet is about to go the way of the typewriter, the VCR, and the 8-track tape player. When it does, a handful of investors could stand to get very rich. You can join them -- but you must act now. An eye-opening new presentation reveals the full story on why your credit card is about to be worthless -- and highlights one little-known company sitting at the epicenter of an earth-shaking movement that could hand early investors the kind of profits we haven't seen since the dot-com days. Click here to watch this stunning video.

Read/Post Comments (7) | Recommend This Article (20)

Comments from our Foolish Readers

Help us keep this a respectfully Foolish area! This is a place for our readers to discuss, debate, and learn more about the Foolish investing topic you read about above. Help us keep it clean and safe. If you believe a comment is abusive or otherwise violates our Fool's Rules, please report it via the Report this Comment Report this Comment icon found on every comment.

  • Report this Comment On May 14, 2014, at 6:54 PM, axz055 wrote:

    A better option than trying to remember 3 dozen 20 character passwords is to just use a password manager like LastPass or Password Safe. Then you only need to remember one master password. Many programs (including both of those AFAIK) also support 2-factor auth.

  • Report this Comment On May 15, 2014, at 9:53 AM, ejclason2 wrote:

    The longer a password is, the greater the chance of mistyping it. And since most sites don't display your password, you can't check your work. Given a 20 character password, with upper and lower case, numbers, and special chars, which many websites require, there is about a 50% that I will mistype it. If you are locked out after 3 tries, which a few website do, than 1 in every 8 logins, I will be locked out.

  • Report this Comment On May 15, 2014, at 11:02 AM, RobinSims wrote:

    I've been using a password manager for years to manage all of my passwords. I really like RoboForm, it seems to be the best one when it comes to functionality. It also has a great password generator so I don't have to come up with (or remember) any of my passwords.

  • Report this Comment On May 16, 2014, at 11:01 AM, TMFDanDzombak wrote:

    Don't normally do this but,

    Because this is so important, Please Share so your friends learn and these companies change their ways.


  • Report this Comment On May 16, 2014, at 11:50 AM, TMFDanDzombak wrote:

    Don't normally do this but,

    Because this is so important, please share so these companies change their ways and your friends learn about internet security.


  • Report this Comment On May 16, 2014, at 11:50 AM, DukeTG wrote:

    I like LastPass because the browser add-ins are handy and it's free (unless you put it on your mobile device) but they're all pretty good. Any manager should be able to generate an extremely strong password for you based on a site's individual requirements. A password manager is really the only viable solution. At least until we get Demolition Man-style palm-chips.

  • Report this Comment On May 16, 2014, at 11:58 AM, anindakumars wrote:

    Good article. Here are my suggestions:

    2. Don't reuse the same password across multiple websites. - Not OKAY, unrealistic!

    4. Choose obscure answers to your password retrieval questions - I'd say answer Falsely to these questions. That way you no one can trace the answers from say your social profile.

    5. Set all software you use to update automatically. - Disagree, set to notify you and then choose to update. Many time the updates introduce vulnerabilities. I typically update 2 weeks after a patch is available and has been run by others. By this time most easily discoverable vulnerabilities are reported and fixed.

Add your comment.

Sponsored Links

Leaked: Apple's Next Smart Device
(Warning, it may shock you)
The secret is out... experts are predicting 458 million of these types of devices will be sold per year. 1 hyper-growth company stands to rake in maximum profit - and it's NOT Apple. Show me Apple's new smart gizmo!

DocumentId: 2955021, ~/Articles/ArticleHandler.aspx, 9/4/2015 9:33:10 PM

Report This Comment

Use this area to report a comment that you believe is in violation of the community guidelines. Our team will review the entry and take any appropriate action.

Sending report...

Dan Dzombak

Dan Dzombak has written for The Motley Fool since 2008. He covers value investing, investing process, and success among other things. You can follow him on Facebook or Twitter by clicking the buttons below or head over to his blog at

Today's Market

updated 17 minutes ago Sponsored by:
DOW 16,102.38 -272.38 -1.66%
S&P 500 1,921.22 -29.91 -1.53%
NASD 4,683.92 -49.58 -1.05%

Create My Watchlist

Go to My Watchlist

You don't seem to be following any stocks yet!

Better investing starts with a watchlist. Now you can create a personalized watchlist and get immediate access to the personalized information you need to make successful investing decisions.

Data delayed up to 5 minutes

Related Tickers

9/4/2015 3:59 PM
FLWS $8.56 Down -0.26 -2.95%
1-800-FLOWERS.COM,… CAPS Rating: **
MAR $70.02 Down -1.05 -1.48%
Marriott Internati… CAPS Rating: ***
RCL $88.54 Down -0.75 -0.84%
Royal Caribbean CAPS Rating: ***
TGT $76.42 Down -1.03 -1.33%
Target CAPS Rating: ****