Google’s Nest division of smart-home gadgets recently notified some users about a data breach that involved their credentials. For that, it deserves a pat on the back.
In a security notice sent to one user and published by the Internet Society, Nest told the user to change their password and turn on two-step verification (2SV), also known as multiple- or two-factor authentication (MFA or 2FA).
Whether you call it MFA, 2FA or 2SV, it’s an increasingly common security procedure that aims to protect your online accounts against password-stealing cybercrooks.
So why do we want to pat Nest on the back? Because the breach wasn’t a matter of Nest’s own password database getting breached or, say, from an employee being careless.
Rather, Nest spotted the password because it cropped up in a list of breached credentials, meaning two things: 1) the users whom Nest emailed have been reusing passwords, and 2) Nest’s been proactively keeping an eye out to protect them from their own password foibles.
As Online Trust Alliance Director Jeff Wilbur said in an Internet Society post on Thursday, it’s not clear how Nest figured out that the password had been compromised. Maybe Nest was alerted by security researcher Troy Hunt’s recently updated Pwned Passwords service (part of his “have i been pwned?” site)?
The service lets you enter a password to see if it matches more than half a billion passwords that have been compromised in data breaches. A hashed version of the full list of passwords can also be downloaded to do local or batch processing, Wilbur noted.
If we said it once, we’ve reused our don’t-reuse-passwords advice a thousand times. We’re not apologizing, though, since password reuse really is such an atrocious idea.
We know that cybercrooks use breached credentials to see if they work on a variety of third-party sites, be it Facebook, Netflix or many others – including online banking sites.
That, in fact, is why both Facebook and Netflix prowl the internet looking for your username/password combos to show up in troves of leaked credentials.
If those services do find customer credentials that match breached logins, they force users to change those reused passwords.
People are often discomfited by the notion: the thinking goes, how do services such as Facebook know enough about our passwords to know we’re reusing them?
The answer lies in comparing hashed passwords rather than their plain-text form. As Facebook security engineer Chris Long explained in an official blog post back in 2014, what Facebook looks for are stolen credentials posted on the public “paste” sites. Once found, those stolen credentials are run through the same hashing code Facebook uses to check people’s passwords when they log in. If the hashed values match, bingo – you’ve found a password reuser, without ever having to store or inspect the actual, plain-text password.
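The check described above, as an added illustration that is not Facebook’s or Nest’s own code: a constructed account store keeps only a per-user salt and a slow hash, a constructed “paste” of leaked email:password pairs is hashed with each matching account’s own salt, and only the hashes are compared. The PBKDF2 parameters and the sample data are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as a login check would compute it (PBKDF2 here; assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_account(password: str) -> Tuple[bytes, bytes]:
    """Create a stored record: random salt plus hash, never the plaintext."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed account store: email -> (salt, stored hash).
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_account("correct horse battery staple"),
    "bob@example.com": make_account("Tr0ub4dor&3"),
}

# Constructed "paste" of credentials leaked from some other site.
LEAKED_PASTE = """\
alice@example.com:correct horse battery staple
bob@example.com:hunter2
carol@example.com:letmein
"""


def find_reused_credentials(paste: str, accounts: Dict[str, Tuple[bytes, bytes]] = ACCOUNTS) -> List[str]:
    """Return emails whose leaked password, hashed with that account's own salt,
    matches the stored hash. Lines for unknown users are skipped."""
    reused: List[str] = []
    for line in paste.splitlines():
        if ":" not in line:
            continue  # malformed paste line
        email, leaked_pw = line.split(":", 1)
        record = accounts.get(email.strip().lower())
        if record is None:
            continue  # not one of our users; nothing to compare against
        salt, stored_hash = record
        # Constant-time comparison of the two hashes; plaintext is never stored.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            reused.append(email)
    return reused


if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_PASTE):
        print(f"{email}: reused password found, force a reset and offer 2SV")
```

Bob’s leaked password differs from the one stored, so only Alice is flagged; she is the user who would get the forced reset and the nudge toward 2SV.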
This is all according to what the National Institute of Standards and Technology (NIST) recommends in its Digital Identity Guidelines, published a year ago: the guidelines recommend that user passwords be compared against lists of known breached passwords so that users can be encouraged to create unique passwords not already known to bad actors.
Nice work, Nest! Wilbur said that the Internet Society gives Nest a thumbs-up for demonstrating best practices for how any organization providing online accounts should look out for its users.
As Wilbur noted, earlier this month, Twitter also suggested that all users reset their passwords, given that it had made a serious security mistake: namely, it had been storing unencrypted copies of passwords… as in, plaintext passwords, saved to internal, unhashed log files.
Gentle recommendations are one option. So too is locking users in a closet when you find that they’ve reused passwords/emails as Facebook did when it found matching credentials used on Adobe.
Want to come out of the closet? Switch to a unique set of credentials – one unique, strong set for every site, every service!
Whether you’re a Nest user or not, make sure your family, your friends, your colleagues and anybody else you can think of are choosing strong passwords, at least 12 characters long, that mix letters, numbers and special characters.