ReignOfComputer
Hubbernauts
477 Messages • 1 Point

Sat, Jan 30, 2021 7:42 PM

Password Hygiene and Learning Points from the 2020 RedMart Data Breach

On 30 October 2020, CNA reported that online shopping platform RedMart, owned by the Lazada Group, suffered a data breach. I've published an article on my findings and their significance and implications for the general public, which you can find here: https://research.reignofcomputer.com/2021/01/29/of-passwords-and-personal-information-investigating-the-redmart-data-breach/

While the above article is meant for a more general-tech audience, there is one segment I want to highlight: password hygiene. We hear a lot about not reusing passwords and adding some complexity to them, but how much does that actually help?

Password Length vs Complexity

Complexity isn't always the best strategy to use when coming up with a strong password. A longer password is always better, even if it does not contain symbols. This is best illustrated by xkcd's Password Strength strip:

Generally, a service that is storing your passwords will do it in a hashed format (e.g. MD5, SHA1, SHA256). Some are easier to crack than others, such as in the case of RedMart, which used the weak MD5. Hashing converts a plaintext password into a stored format so that the service owner and attackers cannot see it. This one-way process turns an input like "starhub" into "7ce623e65f5177bfac08a2d90f0bf36d" (MD5). When a user logs in with their password, it is hashed again and compared with the one stored in the database to see if it matches. The problem is that, given enough compute power, an attacker may be able to brute-force combinations of plaintext and find their corresponding hash, especially with weaker hash algorithms like MD5 and with short passwords below 9 characters.

As the format a service uses is unknown to us, it is best to ensure passwords are strong enough to withstand a database breach. For example, if I had a long password in the RedMart database breach, even if I reused my password elsewhere, it would be harder for a hacker to get the plaintext of my password. Therefore, it is better to use a long password that one can remember, instead of one with various substitutions and symbols that would be shorter and cause you to reset your password each time.

Password Management

Unfortunately, having a long, strong password does not solve the problem of password reuse. Services may store passwords in plaintext, some exploit may exist that results in the password getting captured, or a dedicated attacker may eventually be able to crack the hash of a long password. Having too many variations of passwords is also not feasible unless one has a good system for memorising them (writing them down with pen and paper is not considered good practice).

For myself, I use the password manager LastPass to help me manage my passwords. It can generate passwords on my behalf with all the bells and whistles (e.g. 64 characters long with symbols), and I don't have to remember it. LastPass also has a mobile application so your passwords can follow you on the go.

More than Passwords

There was a lot of focus on passwords in the RedMart data breach, but unfortunately most overlook the more important aspects of the database. Passwords can be changed, but personal information cannot. The database also contained details such as phone numbers and addresses which are far more permanent.

As society goes digital, cybersecurity becomes imperative to the safety of the general public. Other companies should treat the attack on RedMart as a warning of more cyberattacks to come from various troublemakers and channel more resources into beefing up their cybersecurity.

Consumers should ensure good password hygiene and take care not to leave personal data lying around the Internet. While PDPA in its amended form brings more protections, there are many services worldwide that do not fall under its purview. The Cambridge Analytica scandal proves that even major corporations like Facebook are not infallible.

-----
Windows Developer | @ReignOfComputer
Carla_P (Moderator)
5.5K Messages • 3.2K Points

9 m ago

This was a nice read, @ReignOfComputer. 😉

1 Message • 1 Point

9 m ago

Definitely informative article!
