Deciphering Equifax’s failings after data hack should be lesson to us all on password protection

The US credit reporting agency did not act on US government advice to update its software, and its Argentine operation was even more lax, using ‘admin’ as both username and password

As they take their seats on Monday, you can be sure every delegate at the international data security summit in Dubai will have left their phones on. They all know that any one of them could be out of a job by the coffee break.

Most nervous of all will be those with business cards bearing the title Chief Security Officer. Charged with keeping their company secure from the massed hordes of the world’s hackers, the job of every CSO is anything but secure. No one knows that better than Susan Mauldin, the ex-CSO of US credit reporting agency Equifax. It was on her watch that hackers broke into the company’s computers and stole critical personal data of more than 145 million US consumers, and countless more elsewhere.

The revelation last month of what the respected tech website Ars Technica called “very possibly the worst leak of personal info ever” was the denouement of a disturbingly long train of events.

Fully six months earlier, experts at the US government’s National Cyber Security Division found a vulnerability in widely used website software, and issued a “patch” to fix it.

Equifax’s own IT department was among those alerted but inexplicably failed to realise its significance, and didn’t bother with the patch.

Within days, hackers – perhaps alerted by the warning – had found that Equifax’s computers were still vulnerable, and broke in.

What they found was the cybercrime equivalent of a truck-load of gold bars: full names, addresses, dates of birth, social security numbers and more. Everything, in short, for endless fraud, scams and cons.

For the next four months, they went undetected, until finally the company’s security department spotted suspicious activity on one of its websites. Immediately, they shut it down and began investigating.

The rest is history – as are Mauldin and the company’s Chief Technology Officer, who both reportedly took “retirement” last month.

But the revelations kept coming. The website set up by Equifax to help customers concerned about the breach turned out to have security flaws. Then the company pulled its mobile apps, following concerns about their security as well.

It then emerged that customer data held by Equifax’s Argentine operation could be hacked by the simplest trick in the book: typing the word “Admin” for the login, and typing it again for the password.

Amid the recriminations, class action lawsuits and Congressional outrage, came what many saw as the most stunning revelation of all. As CSO of a billion-dollar company Mauldin might have been expected to hold at least a first degree in computer science from, say, the Massachusetts Institute of Technology. In fact, she studied music composition at the University of Georgia.

Doubtless some of those attending this week’s security summit, organised by IT advisory firm Gartner, will be glad they have suitably geeky CVs. But as they sit through the talks on malware, ransomware and “endpoint detection and response”, they’ll know that even the most tech-savvy can find their security measures undermined by simple human failings.

Just ask Bill Burr, of the US National Institute of Standards and Technology – and the brains behind the guidance on password management relied on by government agencies and corporations worldwide.


Chances are you’ve encountered his recommendations yourself – and been enraged by them. Burr’s masterwork – Appendix A of NIST Special Publication 800-63 – recommends that passwords should be a random mix of upper and lower case letters, numbers and special characters like # or /. It also suggests they are changed every 90 days.

And it makes perfect sense. The more varied the characters used, the more permutations have to be tried by hackers.

But you don’t need to be a security expert to know the problem with all this. For most people, remembering a password like K%&c31?D is a big ask – while changing it regularly isn’t going to happen.

Still, many people like to do their bit, so they come up with passwords like Pa$$w0Rd!, which meets all the criteria, while being more memorable. But it’s also far less secure, as hackers use programmes that know all these little memory aids and test for them.

Burr, now retired, has offered a mea culpa about his eight-page document. As he told the Wall Street Journal recently: “It just drives people bananas and they don’t pick good passwords, no matter what you do.”

Now NIST has issued new guidance. And it’s good news for those of us with bad memories.

Forget all the special characters and random alphabet soup. It’s size that matters. A 16-character password made up of a crazy concatenation of capitalised words like “StayBillCloudyTo” has over 10 trillion more permutations than a random eight-character mix like “G3de4HYw”.
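To make the contrast between the two policies concrete, here is an added example (written for this page, not NIST's or Equifax's code) that checks passwords the old composition-rule way and the new length-plus-blocklist way, and puts numbers on the “size matters” claim. The blocklist and leetspeak table are small constructed stand-ins for a real breached-password list.

```python
import math
import re

# Constructed stand-in for a real breached-password / dictionary blocklist.
COMMON_WORDS = {"password", "admin", "guest", "welcome", "letmein", "qwerty"}

# Substitutions that cracking tools routinely undo ("Pa$$w0Rd!" -> "password").
LEET_MAP = str.maketrans({"$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "4": "a", "@": "a"})

def passes_legacy_rules(pw: str) -> bool:
    """Composition rule in the spirit of the old Appendix A guidance:
    at least 8 characters with upper, lower, digit and special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def normalize(pw: str) -> str:
    """Reduce a password the way a cracker's mangling rules do: lower-case it,
    drop trailing digits/punctuation, then undo leetspeak substitutions."""
    lowered = re.sub(r"[^a-z]+$", "", pw.lower())
    return lowered.translate(LEET_MAP)

def passes_modern_rules(pw: str, blocklist=COMMON_WORDS, min_len: int = 8) -> bool:
    """Length floor plus a blocklist check, no composition rules. A mangled
    dictionary word is rejected even though it looks 'complex'."""
    return len(pw) >= min_len and normalize(pw) not in blocklist

def search_space(symbols: int, alphabet_size: int) -> int:
    """Candidates an attacker must cover for a uniformly random string of
    `symbols` symbols drawn from `alphabet_size` choices. With symbols = words
    and alphabet_size = the attacker's word-list size it models a passphrase."""
    return alphabet_size ** symbols

def keyspace_bits(symbols: int, alphabet_size: int) -> float:
    """The search space expressed in bits (log2)."""
    return math.log2(search_space(symbols, alphabet_size))

if __name__ == "__main__":
    for pw in ("Pa$$w0Rd!", "StayBillCloudyTo", "Admin1234!"):
        print(pw, "legacy:", passes_legacy_rules(pw), "modern:", passes_modern_rules(pw))
    print("8 random chars from 62:", round(keyspace_bits(8, 62), 1), "bits")
    print("16 letters from 52:", round(keyspace_bits(16, 52), 1), "bits")
    print("4 words from a 10,000-word list:", round(keyspace_bits(4, 10000), 1), "bits")
```

Note that the passphrase keeps its edge even against an attacker who guesses whole words from a 10,000-word list rather than letters, which is the comparison that actually matters.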

As for regularly changing your password, don’t bother – unless you suspect it’s been compromised.

Is this latest advice on passwords guaranteed to protect us from hackers? No, but it could have a much bigger impact than one might think. According to a study by the communications corporation Verizon, about two-thirds of confirmed data breaches involve password issues.

Those CSOs and CIOs who don’t yet see the need to update their company guidance can always ponder the fate of their counterparts at Equifax. But if that doesn’t work, there’s a new incentive on the horizon.

From May next year, any organisation processing or storing data on residents from the European Union will be subject to the requirements of the General Data Protection Regulation. And those who fall short face penalties of up to 20 million euros, or up to 4 per cent of annual global turnover, whichever is greater.

If that doesn’t persuade people to change their password from 'Guest' to 'IdontWantTobeFired', nothing will.

Robert Matthews is Visiting Professor of Science at Aston University, Birmingham, UK