
Russia hack is not that scary

By Chester Wisniewski
August 7, 2014 -- Updated 1539 GMT (2339 HKT)
STORY HIGHLIGHTS
  • New York Times says 1.2 billion usernames and passwords were hacked by Russians
  • Chester Wisniewski: This is not as scary as it seems, carry on
  • He says company that found the hack may have a commercial interest in the reactions
  • Wisniewski: Of course, it's always good practice to use strong passwords

Editor's note: Chester Wisniewski is a senior security adviser at Sophos Inc., Canada. He researches computer security and privacy issues and is a regular contributor to the Naked Security blog. The opinions expressed in this commentary are solely those of the author.

(CNN) -- At least 1.2 billion usernames and passwords hacked. Is this truly scary or corporate fearmongering?

The New York Times published an article this week that has shocked the public. The article says that a Russian cybercrime group by the name of CyberVor has amassed this astoundingly large number of credentials from upwards of 420,000 distinct web sites.

My immediate response was: Yeah, so?


In the context of the story it would seem that countless passwords are now known to this criminal group, and we should be panicking and changing all of our passwords.

But wait a minute. Hold Security, the company that found this hack, may have a commercial interest in this reaction. Hold Security offers to tell companies if their usernames and passwords were compromised for the princely sum of $120. Arguably, Hold Security stood to make more money out of this story than the Russian hackers themselves.

Rather than go down the rabbit hole, let's focus on what this really means and how we should react.

While 1.2 billion is a big number, it appears that many of these credentials could have been obtained from previous large-scale breaches such as Adobe, Sony, LinkedIn, RockYou.com and eBay. The totals from these sites alone add up to close to half a billion.

We can also assume that many of the 420,000 hacked websites were Mom and Pop blogs, forums and other places where people often consider using a "throwaway" password. The concept is that things like your email, social media and bank require secure, unique passwords. But all the other junk in our lives can just use a simple, less secure password.

The criminals don't have the passwords in most cases. They have cryptographic representations of the passwords known as hashes. These hashes come in a lot of varieties with varying degrees of security associated with them. The purpose of a hash is to slow down an attacker from being able to acquire your password if a password database is stolen.

This hashing is most effective if you follow good security practices, like not using dictionary words, and making sure to include numbers and symbols in your password. People in general are bad at choosing passwords. That means hashing is often only a speedbump for a determined attacker.

But the hashes bring out the truth of the matter. The criminals don't necessarily even have your password. They have a hash that could result in them discovering your password, especially if it is poorly chosen like password123 or qwrtyasdfg.
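To make the hashing point concrete, here is an added example (not code from the article, Sophos or Hold Security) that contrasts the two kinds of "hash" a breached site might have stored: a fast, unsalted digest, where every user with the same password shares one identical value, and a salted, deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), where each guess costs the attacker a full iteration budget. The 200,000-iteration work factor and the short list of weak passwords are assumptions constructed for the demo, not figures from the story.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of weak passwords for the demo; a real signup check would use a
# much larger breach-derived list. "password123" and "qwrtyasdfg" are the two the
# article cites as poorly chosen.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "qwrtyasdfg"}

# Assumed work factor; tune so one verification costs a noticeable fraction of a second.
ITERATIONS = 200_000


def fast_unsalted_hash(password: str) -> str:
    """The weak variety: one SHA-1 call, no salt. Identical passwords give identical
    digests across every site using this scheme, and each guess is nearly free."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The stronger variety: a random 16-byte salt plus a slow, iterated derivation.
    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'
    so the parameters can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many digest bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_weak(password: str, min_length: int = 12) -> bool:
    """Signup-time policy check: the slow hash only helps if the password is not
    one an attacker will try in the first few thousand guesses."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    # Two users who both chose "password123" under the weak scheme are
    # indistinguishable, and the same digest would appear on every such site.
    print("unsalted, user A:", fast_unsalted_hash("password123"))
    print("unsalted, user B:", fast_unsalted_hash("password123"))

    # Under the salted scheme the same password yields unrelated records.
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("salted,   user A:", record_a)
    print("salted,   user B:", record_b)
    print("verify correct:", verify_password("correct horse battery staple", record_a))
    print("verify wrong:  ", verify_password("password123", record_a))
    for pw in ("password123", "qwrtyasdfg", "correct horse battery staple"):
        print(f"is_weak({pw!r}) ->", is_weak(pw))
```

The record format stores the iteration count alongside the digest for a practical reason: when hardware gets faster, a site can raise the work factor for new logins while still verifying older records at the count they were created with.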


Many of these stolen hashes may have been obtained some time ago, which means they are less useful to the crooks now. Of course, we don't know the truth and can't analyze what is known because Hold Security is trying to figure out how to monetize the knowledge, leaving even the experts a bit in the dark about how serious a discovery this truly is.

My advice? Keep calm and carry on. It is always a good practice to use strong passwords and different passwords on the different sites we use and change them if we have reason to believe they might be compromised.

There are many tools available to assist with automating this task, making it only a minor inconvenience to keep track of your new stronger passwords. Many are available at no cost. And if we have learned anything during our first 20 years of web surfing, it's that we need a helping hand with our passwords.

Hold Security's findings are interesting. If the research community gains access to the information we will all jump in with both feet to determine how it happened, what it means for Internet security going forward and possibly even who is behind the attacks.

But for the rest of the world? It's business as usual. Think before you click, do your best to follow best practices with regard to your privacy and safety and enjoy your online experience. It's not as scary as it looks.

