Increasingly, it seems like you can’t read the news without seeing a headline about a security issue exposing customer account information for criminals to exploit.
As a guy who works every day to keep the Microsoft account system (formerly Windows Live ID) secure, I find that each time I read something like this my heart goes out first to the people whose accounts are victimized by these criminals, and second to my colleagues at the compromised companies. Bad guys only have to be right once; defenders have to be right 100% of the time. I’ve been impressed by the competence and dedication of my peers across the industry.
Of course, as has been extensively covered, these attacks shine a spotlight on the core issue: people reuse passwords between different websites. That is why the longstanding advice to use a unique password for every site matters. Criminals have become increasingly sophisticated about taking a list of usernames and passwords stolen from one service and “replaying” that list against other major account systems. Wherever a password matches, they are able to spread their abuse beyond the account system they originally attacked.
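To make the replay pattern concrete from the defender’s side, here is an added example (mine, not code from the original post or from the Microsoft account team). It runs a simple credential-replay detector over a constructed authentication log: a replay run shows up as one source trying many different usernames in a short window, with only the reused passwords succeeding. The log format, the IP addresses, the usernames and the thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One event per line:
# ISO-8601 timestamp, source IP, username, outcome (SUCCESS or FAIL).
# 203.0.113.7 is replaying a stolen list: eight different usernames in a few
# seconds, and only the two users who reused their password get a SUCCESS.
SAMPLE_LOG = """\
2012-07-15T10:00:01Z 203.0.113.7   alice@example.com FAIL
2012-07-15T10:00:02Z 203.0.113.7   bob@example.com   FAIL
2012-07-15T10:00:03Z 203.0.113.7   carol@example.com SUCCESS
2012-07-15T10:00:04Z 203.0.113.7   dave@example.com  FAIL
2012-07-15T10:00:05Z 203.0.113.7   erin@example.com  FAIL
2012-07-15T10:00:06Z 203.0.113.7   frank@example.com SUCCESS
2012-07-15T10:00:07Z 203.0.113.7   grace@example.com FAIL
2012-07-15T10:00:08Z 203.0.113.7   heidi@example.com FAIL
2012-07-15T10:01:00Z 198.51.100.20 alice@example.com FAIL
2012-07-15T10:01:30Z 198.51.100.20 alice@example.com SUCCESS
2012-07-15T10:02:00Z 192.0.2.55    bob@example.com   SUCCESS
"""


def parse_log(text):
    """Parse the whitespace-separated log into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, outcome == "SUCCESS"))
    return events


def detect_replay(events, window=timedelta(minutes=10),
                  min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *different* usernames inside one window
    with mostly failures. A user mistyping their own password hits one
    username; a replayed breach list hits many, and only the reused
    passwords succeed. Thresholds are illustrative assumptions.

    Returns {ip: {"attempts", "distinct_users", "successes", "matched_accounts"}}
    for the widest offending window seen per IP.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        j = 0
        for i in range(len(evs)):
            # Slide the window end forward; j never moves backwards.
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            chunk = evs[i:j]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) < min_distinct_users:
                continue
            if successes / len(chunk) > max_success_ratio:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "successes": successes,
                    # Accounts where the replayed password matched: these are
                    # the users who reused a password and need a forced reset.
                    "matched_accounts": sorted({u for _, u, ok in chunk if ok}),
                }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_replay(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful output is not just the offending source but the `matched_accounts` list: those are exactly the users whose reused password let the attacker in, and the ones a response team would lock or force to reset first. Keying purely on source IP is the weakest part of this toy; a real detector would also look at ASN, device and browser fingerprints, and the rate of never-before-seen usernames, since attackers spread replay runs across many addresses.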