Ruhr-Uni-Bochum

Billions of Users Affected by Password Leaks

History is full of unprecedented crimes. In the age of digitalisation, the scope has widened even more. Alena Naiakshina gives an example in the series "The greatest crimes".

Photo Alena Naiakshina

Copyright: Damian Gorczany

"New password leaks: A total of 2.2 billion accounts affected" was the headline on the news website "heise online" on 25 January 2019. This was just one of many headlines on password leaks that could be read at regular intervals in recent years. Attacks on databases can lead to user passwords with associated email addresses being openly distributed on the network and used for further cybercrimes. Often, users do not even notice this and carelessly continue to use their access data.

Password leaks can affect individuals, ruin entire companies and even have global repercussions, as members of the Bundestag are also regular victims of hacker attacks; for example, their data appeared in the password collection Collection #1. To ensure the security of access data, passwords should not be stored in plain text in a database. Why do software developers sometimes store passwords insecurely?

Why passwords are stored insecurely

Studies with software developers have shown that a lack of security requirements, a lack of IT security expertise and the high complexity of this task can lead to passwords being stored insecurely. Software developers use programming interfaces, so-called APIs (application programming interfaces), to develop software. However, if these APIs lack usability, even the most experienced software developers can fail at security-critical tasks. Instead of expecting software developers to have expert IT security knowledge on every single security-critical task, they should be adequately supported by APIs, tools and frameworks. Vendors need to adapt these regularly to ensure that they always match the latest security standards. Only then can it be ensured that today's passwords do not jeopardise tomorrow's data.

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.