Decimation (and then a nice afternoon off)

A slice of bad luck: one is edible, but which one?

So just how well does your service provider look after you(r password and your cybersecurity)?

This time, a proportional view.

(tl;dr: only one of those slices is good for you.)

Sure, you don't care, you only used that password once (the others won't, but I believe you) and there's nothing really private about you on that site anyway (does that mean your social media profile really is worthless? hhhm - another topic) but maybe somebody you know reuses his password all the time on all sorts of sites.

Yes, that guy (not you, I know), that guy, really does care if the service provider is storing the keys to his identity safely. What's the chances of him getting caught out?

Fight Club
So, we recall the first rule of password storage is: don't talk about passwords... well, a variant of that: don't store them as plain text.

We don't want those nasty hackers taking wholesale user-authentication databases, looking at each row (and it really is just like excel) and seeing your password in plain text right there next to your signin email address. We'd much rather have a situation where our hacker sees gobbledygook next to your email[2] and is forced to crack that gobbledygook into the plain text of your password.

Vigilantes
Keen at Vigilante.pw has this amazing data-breach directory here which you can root around. It has over 3bn breaches, and it turns out that around 2.5bn of those came with passwords. That's fairly awful, but we probably suspected as much (why steal them otherwise?).

How many were encrypted then? Unfortunately, I've bad news for us there: c1.4bn of those passwords are associated with plaintext.[3]

That's nearly half of the records (and a fifth of the planet). Personally, I can't bring myself to believe that half of my passwords are stored as plaintext on various servers but I'm kidding myself: it's as likely to be true for me as it is for you.

Gulp... I've over 100 user accounts (you probably do too).

Benign Intervention (or just chillax, take the afternoon off)?
Now, you, dear reader, are a kind citizen and you might think, well, maybe that first rule isn't right, and that plaintext storage isn't so bad. Maybe it's really tricky to obscure these things, let's not be so tough on our lovely web providers, they give us such shiny toys.

But no, it's absolutely not the case, the mechanical process of encrypting those passwords is really quite simple. Really important to get right, yes, but unduly arduous? No. It's perhaps a score of code lines. A couple of hours' worth of work, an afternoon.

Half a glass of milk
Maybe instead, I'm judging the results too harhsly: heck, over a billion of the remaning passwords were encrypted. Nearly, 40% were well protected, and that's a 'D' grade (and a 'D' is a pass, isn't it?).

If only that were the case.[4]

Read your recipe books
One of the first things you learn about storing passwords is not to do this stuff yourself; read widely, learn how little you know, use widely accepted approaches and use algorithms that have been publically acknowledged as safe (certain hashing algorithms are known to be broken).

As we've covered elsewhere, "do not use weak algorithms, such as MD5 or SHA1." is publically available advice[5]. And this brings us neatly back to our data cache...

Buckets of Shame
Coming in at #2 in the bucket size of shame is SHA1 comprising some 620mm records, followed at #4 by MD5 (another 140mm records).

So 1.4bn plus 760mm is 2.2bn out of a total of 2.5bn... hold on, are you telling me that I've only got a 1 in 8 chance of using services that protect my secrets appropriately?

Lullabies
There's all sorts of reasons why searching through already-breached databases (selection pressure; older databases etc.) might not provide universal truths regarding the level of cybersecurity protection your service provider affords you, and this may give you some comfort.

Unfortunately - having seen the negligence shown elsewhere - I personally think this is one waking nightmare: 1 in 8 feels about right.

It might be true, but that makes it no less disappointing. Most providers don't take the time to protect our records, and then those that do make an awful hash (awful pun intended) of it.

I have to confess to some consternation at not really knowing which group to be most upset by: the negligents or the donkeys.

[1] For the pendants: it's ok, I know the Romans used decimation the opposite way round.
[2] Sorry, that bird has long flown the nest; little need for encryption there, consider your email addresses public knowledge.
[3] For speed, I've been crude in the counting, but it's about right, and gets the flavour.
[4] A 'D' is not a pass by the way.
[5] We mentioned them before; look to this excellent page by OWASP.

Posted in cyber security.