Skip navigation

Effective October 28, 2019 Duo Security will be transitioning to Cisco's Privacy Statement. View the Duo Privacy Data Sheet.

Industry News

Password Plight: Despite a Compromise, Two Factor Protects Data

A recent breach forced a video streaming and gaming community to reset all of their users’ passwords, forcing users to choose a new password after their next login, according to ArsTechnica.com. Twitch, acquired last year by Amazon for $970 million, also recommended that users change their passwords on any other websites if they used a similar or the same password as the one used for their Twitch account. The company also disconnected user accounts from YouTube and Twitter.

Similar change-your-password prompts have been seen from eBay last May when they experienced an attack that compromised a database containing encrypted user passwords and other data, as KrebsonSecurity.com reported. A small number of employee login credentials were compromised, giving attackers access to eBay’s corporate network. The information included name, password, address, phone number and date of birth, with no evidence of financial data.

Back in 2013, yet another password breach hit 38 million Adobe users, with some email addresses tied to government institutions. Despite hashing their passwords, Adobe had left users’ email addresses and password hints unencrypted, the NYTimes.com reported. Even worse, proprietary source code was also stolen from Adobe’s software, including Adobe Acrobat, Reader and ColdFusion.

And just last month, Raptr, a social networking website and instant messenger client targeted at gamers urged their users to reset their passwords after an attack similar to other attacks targeting services like Xbox Live and Sony’s PlayStation Network. Usernames, email addresses, first and last names may have been stolen, in addition to hashed passwords. Raptr.com noted that even though they were hashed, it’s possible that users with weak passwords were vulnerable to unauthorized access (which is really the case at all times).

So it’s clear that Twitch isn’t alone in their password plight, but they seem to have run into user password problems - due to complaints of over-restrictive password policies, the company relaxed their password requirements to an eight character minimum, as seen on their blog. This is a classic problem, balancing usability and security, that is, strengthening access controls without annoying your end users.

Plus, it appears as though their password policies and controls are not very strong - as Ars Technica noted, Twitch was allowing users to change their password to the same exact password they had reset after the possible compromise.

Taking the focus off of required, complex, long-character strings of passwords is easier with a cloud-based two-factor authentication solution that doesn’t require an extra device to carry around. A two-factor solution that uses your smartphone to authenticate means that your users don’t need to be as concerned about remembering complicated passwords, especially if they use a password manager (like LastPass) that can generate and remember your passwords for you.

According to Venturebeat, another email sent by Twitch only to people that were possibly affected by the attack includes the disclaimer:

While we store passwords in a cryptographically protected form, we believe it’s possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd.

Could this mean that the attackers had legitimate privileged or administrator access to decrypt Twitch’s encrypted passwords? It’s possible that the attackers stole valid credentials and were able to move around the company’s system freely and steal plaintext data. Learn more about better security controls in Smarter Security: Logs & Context-Aware Access Controls.

Raptr also emphasized the importance of using two-factor authentication, and how it can protect user data:

It's important to note that our two-factor authentication system used for redeeming Raptr Reward Points ensures that even if your Raptr account was among those compromised, the points you've earned as a Raptr member are protected.

To find out which two-factor authentication solution could protect you from a compromise, download our free Two-Factor Authentication Evaluation Guide.