Internet security requires both users and websites to follow safe practices. Consumers should use multiple passwords across websites, while companies should do their best to guard users' data. However, it is particularly bad when companies follow substandard practices as they have the potential to expose the data of millions of users all at once. Besides weakening Internet security for everyone, this laxity can have major consequences for companies like bad PR, fines, and much more. Read on for a history of password security failures and a list of four companies that are currently putting your data and themselves at risk.
Consumers often fall short on holding up their end of the bargain when it comes to Internet security. Microsoft Research conducted a comprehensive study of people's password habits in 2007. The company found that people had on average 25 online accounts but just 6.5 passwords. This is bad, because one leaked or stolen password could grant someone access to several accounts.
Many companies use weak encryption to safeguard consumer passwords. Recent examples include Adobe, which had 150 million passwords leaked in 2013, and LinkedIn, which had 6.5 million passwords leaked in 2012. Adobe's password list was encrypted, but its reversible encryption allowed hackers to reverse-engineer users' passwords. Each time a new list is leaked, password-crackers get stronger, as they can first run these old lists against account management systems.As people frequently use the same passwords across multiple sites, many passwords will easily be broken with these lists.
It gets worse
The worst thing a company can do is store passwords in plaintext, i.e. unencrypted. Last year, Cupid Media had 42 million plaintext passwords leaked, while Rockyou had 32 million leaked in 2009. Besides fines from the Federal Trade Commission and other expenses dealing with the fallout, the biggest risk for companies is the loss of consumers' trust and the terrible PR that comes with a data leak.
It blows my mind when I come across companies that store passwords in plaintext or an easily reversible format. The following four companies all store passwords weakly, putting your data at risk. If these companies were storing your passwords safely, they would not be able to email your password.
1. Marriott International (NASDAQ:MAR)
2. Royal Caribbean Cruises (NYSE:RCL)
3. The NFL's NFLShop.com
4. 1-800-Flowers (NASDAQ:FLWS)
Modern best practices for password encryption call for the use of unique-to-the-password, one-way mathematical functions to store passwords as what's called "hashes." Using one-way mathematical functions means you can calculate the hash from the password, but you cannot figure out the password if you only have the hash. As such, companies never store your actual password; they simply run it through the formula and see whether its output matches up with the hash. Password encryption gets more complicated than this with another process called "salting" and the use of key derivative functions to vary the length of the hash functions. In any case, however, companies should never be able to tell you your password
These companies are taking the risk that hackers will have easy access to users' password data if they ever experience a database breach. Like motorists who drive without seatbelts because they're "good" drivers, these companies are putting themselves and others at risk in the event of an accident.
Accidents do happen; just look at how Target (NYSE:TGT) was breached by hackers using stolen credentials from one of the company's refrigeration contractors. The immediate cost of the breach was $61 million dollars -- fairly small for a company of Target's size. But the loss of consumer confidence was immediate: The number of transactions dropped 5.5% in the fourth quarter compared to the year before. The company summarized the situation it is facing in its most recent annual report:
Until the fourth quarter of 2013, all incidents we experienced were insignificant. The Data Breach we experienced was significant and went undetected for several weeks. We experienced weaker than expected U.S. Segment sales immediately following the announcement of the Data Breach, and we are currently facing more than 80 civil lawsuits filed on behalf of guests, payment card issuing banks and shareholders. In addition, state and federal agencies, including State Attorneys General, the Federal Trade Commission and the SEC, are investigating events related to the Data Breach, including how it occurred, its consequences and our responses. Those claims and investigations may have an adverse effect on how we operate our business and our results of operations.
It will be years before the full cost of the breach to Target will be known -- if it ever is. While you can't always ensure that companies will do their part to protect your data, there are some simple ways to boost your Internet security.
Nine simple tips to boost your data security
- Use long passwords. There are simple ways to create and remember longer passwords.
- Don't reuse the same password across multiple websites.
- Use two-step authentication wherever possible.
- Choose obscure answers to your password retrieval questions.
- Use antivirus software and set it to update automatically.
- Set all software you use to update automatically.
- Use BillGuard to monitor your credit card. BillGuard is a free monitor for your credit and debit cards. It uses crowdsourced data to create the most advanced fraud-monitoring system, which it sells to credit card companies.
- If you receive a suspicious email, do not open it, particularly if it has attachments.
- If you receive a suspicious email from someone you know, especially if it has attachments or links that seem suspicious, call (do not email) the person to confirm he or she sent it.
The companies noted in this article are taking risks with users' data due to their weak protection of passwords. Don't reuse passwords across sites, especially the ones above.
Dan Dzombak can be found on Twitter @DanDzombak or on his Facebook page, DanDzombak. He has no position in any stocks mentioned. The Motley Fool has no position in any of the stocks mentioned. Try any of our Foolish newsletter services free for 30 days. We Fools may not all hold the same opinions, but we all believe that considering a diverse range of insights makes us better investors. The Motley Fool has a disclosure policy.