Encryption isn’t the answer: It’s part of the answer

Yet another lesson from the Ashley Madison hack: If you’re counting on encryption of sensitive data to save the day, you may wind up regretting that decision. 

By now the story is familiar: Ashley Madison provided its users a way to carry out affairs in secret (allegedly – many agree that the company was so far stacked in male users that there was very little matchmaking actually occurring).

But then all hell broke loose: Hackers put users’ names, billing addresses and more online, causing untold embarrassment.

The one silver lining, if the company was to be believed, was that passwords were absolutely safe, protected by strong encryption.

Cue the sad trombone.

Wasn’t set up correctly

For the most part the passwords really were protected: they were stored with a slow, salted password hash (bcrypt), which is what the company meant by “strong encryption.” But among the leaked data was a file in which millions of those same passwords had also been stored with a fast, unsalted hash (MD5), a form of protection that costs an attacker almost nothing to test guesses against.

Worse, the password was converted to lower case before it was hashed. Throwing away the difference between upper- and lower-case letters halves the space an attacker has to search for every letter in the password, a huge security shortcoming on top of the fast hash.

Once this file was discovered, cracking it was relatively easy: each guess costs one cheap hash, so a wordlist and brute-force runs through the reduced keyspace recovered passwords by the millions. And because a cracked lowercase password narrows the bcrypt hash for the same account down to a handful of case variants, the weak file undermined the strong storage as well.
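To make that failure mode concrete, here is an added example in Python; it is not code from the original article or from Ashley Madison. It assumes MD5 of the lowercased password for the weak store and PBKDF2-HMAC-SHA256 (which ships with Python) standing in for a bcrypt-style slow hash; the user, password, wordlist and cost setting are constructed for the demo. It stores one password both ways, cracks the weak copy, and counts how many slow hashes the attacker then needs with and without the weak file.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterator, Optional, Tuple

# Cost of the slow hash. Deliberately low so the demo runs in seconds;
# a production KDF (bcrypt, scrypt, Argon2) is tuned far higher.
ITERATIONS = 20_000

# Constructed wordlist standing in for the lists crackers actually use.
WORDLIST = ["123456", "password", "Secret99", "letmein"]


def weak_store(password: str) -> str:
    """The mistake: a fast, unsalted hash of the case-folded password.

    Lower-casing halves the keyspace for every letter, and MD5 is cheap
    enough that billions of guesses per second are routine on a GPU.
    """
    return hashlib.md5(password.lower().encode("utf-8")).hexdigest()


def strong_store(password: str, salt: bytes) -> bytes:
    """The intended storage: a salted, deliberately slow hash that keeps case.

    PBKDF2-HMAC-SHA256 is an assumption here, standing in for bcrypt.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(strong_store(password, salt), digest)


def case_variants(word: str) -> Iterator[str]:
    """Yield every upper/lower-case spelling of word (2**n for n letters)."""
    positions = [i for i, c in enumerate(word) if c.isalpha()]
    chars = list(word.lower())
    for bits in itertools.product((0, 1), repeat=len(positions)):
        for i, bit in zip(positions, bits):
            chars[i] = chars[i].upper() if bit else chars[i].lower()
        yield "".join(chars)


def crack_weak(weak_hash: str, wordlist) -> Optional[str]:
    """One fast hash per guess; case is irrelevant, so only the lowercase form is learned."""
    for guess in wordlist:
        if weak_store(guess) == weak_hash:
            return guess.lower()
    return None


def recover_strong(lowercase_pw: Optional[str], salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """Given the case-folded password from the weak file, find the exact
    spelling that matches the strong hash. Returns (password, slow hashes spent)."""
    if lowercase_pw is None:
        return None, 0
    attempts = 0
    for candidate in case_variants(lowercase_pw):
        attempts += 1
        if strong_verify(candidate, salt, digest):
            return candidate, attempts
    return None, attempts


def direct_search(wordlist, salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """What the attacker faces without the weak file: every wordlist entry in
    every case spelling, each costing one slow hash."""
    attempts = 0
    for guess in wordlist:
        for candidate in case_variants(guess):
            attempts += 1
            if strong_verify(candidate, salt, digest):
                return candidate, attempts
    return None, attempts


def demo(actual_password: str = "SeCret99") -> dict:
    """Store one constructed user's password both ways, then attack it."""
    salt = os.urandom(16)
    strong = strong_store(actual_password, salt)
    weak = weak_store(actual_password)

    lowered = crack_weak(weak, WORDLIST)  # cheap: MD5 only
    via_weak, weak_cost = recover_strong(lowered, salt, strong)
    direct, direct_cost = direct_search(WORDLIST, salt, strong)
    return {
        "lowered": lowered,
        "recovered_via_weak_file": via_weak,
        "slow_hashes_via_weak_file": weak_cost,
        "recovered_directly": direct,
        "slow_hashes_directly": direct_cost,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the weak file handing over the lowercase password for the price of a few MD5 computations, after which at most 2^6 = 64 slow hashes pin down the exact spelling of a six-letter password, against hundreds of slow hashes to reach the same answer by searching the wordlist case by case, and the gap widens with every extra letter and every extra wordlist entry. The practical check this suggests: audit every place a secret is stored or derived, not just the primary column, because the attacker gets to pick the weakest copy.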

And the rest is history: millions of cracked passwords were analyzed and shared online by researchers, and most of them were, as always, pretty terrible.

Lessons for IT

It’s not clear why this file did away with the protections the slower hash provided. It may have been a leftover from an earlier design that should have been removed when the stronger hashing was implemented.

It’s also possible it was a workaround designed for speed and convenience, such as faster login checks, rather than security.

Regardless of the situation, the overall message is the same: You can’t rely on security tools alone to protect your company’s data. They need to be implemented correctly, applied to every copy of the data rather than just the main one, and well-maintained over time. After all, human error is the cause of nearly one-fifth of data breaches.
