Everybody knows that a strong password is very important. However, I can't find any citable public example of any kind where a user or users suffered a heavy loss from using bad passwords, or their service provider handling them badly.
You really cannot find examples where the service provider handled passwords badly? How about doing some [simple search](https://www.google.com/search?q=password+leak&oq=password+leak&aqs=chrome..69i57j0l5.2381j1j7&sourceid=chrome&ie=UTF-8)? – Steffen Ullrich Apr 06 '16 at 15:38
I may have been unclear: I am not looking only for leaks, but an estimated or even the actual value of damages done. – D__ Apr 06 '16 at 15:40
Big famous leaks from Adobe, Playstation, Ashley Madison, etc. all come to mind... Estimates of damages done in $$ are very likely not public (but I'm sure you can pay any number of consulting firms to do these estimates for you). – Mike Ounsworth Apr 06 '16 at 15:41
Sony is a pretty good example for one, thanks! They got [fined](https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage#Legal_action_against_Sony) £250,000, and the free game compensations must have also been a bit costly. – D__ Apr 06 '16 at 15:48
The problem with measuring losses from password breaches is that they're not reported. A stolen password often compromises another account elsewhere, which makes it hard to track the initial breach point unless it's highly publicised. There's also the reselling market for personal information to consider, where consumer costs are even less measurable. You're much better off looking at data breaches in terms of cost-to-business, particularly in relation to regulatory fines (e.g. fines handed out by the ICO in the UK), without limiting yourself to breaches of passwords. – Polynomial Apr 06 '16 at 15:51
Yes, that kind of makes sense. – D__ Apr 06 '16 at 16:12
Are you just interested in losses associated with bad password choices, or any losses due to password sharing, theft, and other poor practices? There are several [stories in my index](http://passwordresearch.com/stories/storyindex.html) showing monetary losses due to password misuse, but we often don't know if it was guessed, stolen, or related to a poor choice. – PwdRsch Apr 06 '16 at 16:21
More like both. This link is like the treasure trove I have been looking for, thanks a lot! – D__ Apr 06 '16 at 16:23
How about suicide? Is that a sort of damage that you are looking for? Or are you only looking at monetary damages? – schroeder Apr 06 '16 at 16:35
@schroeder If you are referring to the Ashley Madison suicides, those were the result of the data being leaked, not the password. Had the passwords not been included in the breach, the damage would still have been the same. I interpret the question as being specifically about passwords. – Anders Apr 06 '16 at 16:49
2 Answers
There was a study conducted by the Ponemon Institute and IBM in 2015 which estimated that the average information breach costs a business $3.79M, with an additional $1.57M in reputational damage.
However, it's really hard to determine whether these are caused purely by password security, or whether the incident was caused by some other vector of badness. There's one identifiable case of a bad password being used to cause reputational damage to NATO countries here:
https://www.schneier.com/blog/archives/2009/03/choosing_a_bad.html
Wikileaks went through a lot of effort to redact the diplomatic cables. They also released a big insurance file that contained all of the unredacted diplomatic cables in an encrypted container. Unfortunately they reused a password for this purpose that Wikileaks also used when sharing files with the Guardian. David Leigh, a journalist of the Guardian, then published that password in his book about Wikileaks, not knowing that the password was the password for the insurance file.
A bit earlier Daniel Domscheit-Berg and other individuals left Wikileaks. In the process of leaving Wikileaks they took the database of documents with them. Among them, allegedly, were the No Fly List and a huge trove of documents from Bank of America.
Julian Assange demanded that they give the data back to Wikileaks. Daniel and people around him argued that Julian Assange and the current Wikileaks team weren't capable of keeping the data safe. A bit later Daniel or people around him allegedly told a newspaper about the fact that the password published in the book of the Guardian journalist is indeed the password for the insurance file.
This in turn led to the diplomatic cables being out there in the open in an unredacted fashion. Wikileaks then decided to publish everything in an unredacted form. Names of sources in the diplomatic cables became public. Daniel and the people who left Wikileaks then reportedly decided to delete the trove of data they took with them, and the Bank of America data never saw the light of day. The whole fiasco produced a lot of bad will, with Daniel Domscheit-Berg being thrown out of the Chaos Computer Club.
It's a story of how even people who are highly versed in computer security can still get password management wrong with grave consequences.
This is a great answer ... but **completely unrelated to the question**. A history of wikileaks does not answer a question about the dollar value of corporate damages as a result of weak passwords. – Mike Ounsworth Apr 06 '16 at 19:39
@MikeOunsworth: The question as it exists doesn't speak about "corporate damage", so it's irrelevant whether my answer addresses concerns about "corporate damage". – Christian Apr 06 '16 at 19:46
[This comment](https://security.stackexchange.com/questions/119665/are-there-any-examples-of-huge-damages-done-by-password-leaks-or-bad-password-m/119689?noredirect=1#comment217643_119665) and [this comment](https://security.stackexchange.com/questions/119665/are-there-any-examples-of-huge-damages-done-by-password-leaks-or-bad-password-m/119689?noredirect=1#comment217640_119665) make it clear that he's interested in hard numbers for monetary damages (though you're right about "corporate", I inferred that). – Mike Ounsworth Apr 06 '16 at 19:50
I see no evidence that he's only interested in monetary damages. People in Iran who gave the US information and had their names in the cables certainly suffered damages from their identity being public because of the password management in this case. – Christian Apr 06 '16 at 19:55
... have you read the comment thread on the question? It's completely about monetary damages. – Mike Ounsworth Apr 06 '16 at 19:57
Monetary damages are certainly one kind of damage that's important, but I see no reason why it should be the only one of interest. The original question doesn't specify that only one kind of damage counts. That said, the monetary value of the US state department losing all the names of sources they wrote into their cables is likely substantial even if it's hard to estimate. – Christian Apr 06 '16 at 20:04
In general, I think being too specific here ignores the larger points about damage. It's far more helpful in a response to be BROAD in your thinking rather than narrow it down to the specific point. Remember, these are supposed to be answers for everyone, not just one person. Multiple answers to this question with different perspectives should be encouraged, not discouraged. – Steve Sether Apr 06 '16 at 20:47