Insights from Sony Pictures' WikiLeaks leak on password security
The Sony Pictures breach, widely attributed to North Korean hackers, has served as a stark reminder of the failures of the current password-based security approach. The incident, which held Sony Pictures to ransom for months, resulted in the leak of terabytes of internal data to journalists.
WikiLeaks published the leaked data in full as a searchable online archive, revealing a tawdry world of movie making that Sony would rather keep behind closed doors. The documents contained marketing secrets, gossipy emails about producers trashing actors, and cozy links with the US Democratic Party.
One of the most concerning aspects of the breach was the use of very easy-to-guess admin passwords for systems on Sony's servers. Shockingly, 1,100 of the 30,287 Sony Pictures documents in the WikiLeaks haul contained the word 'password'. Passwords were continuously recycled and misused by users, and disclosures like the Sony Pictures breach show the poor implementation of password policies.
Passwords of 'password' and passwords which were identical to the username were found in the documents, underscoring the need for a more robust security system. Security expert Graham Cluley points out that the public relations nightmare could have been avoided with better password management.
Cluley argues that passwords are not suitable for securing networks and data in these types of use cases. The password, as a single point of authentication, is considered a poor choice for achieving security for critical data and resources.
The strategy of relying on end users to secure data, including through their use of passwords, is being criticized as a failure. The advent of smartphones has opened the door to the wider use of multi-factor authentication methods, which are proposed as a replacement for passwords and make it more difficult for accounts to be breached.
Implementing multi-factor authentication at Sony Pictures, so that passwords are not the sole authentication method, should involve the cybersecurity team, IT department, system administrators, and key stakeholders including management and legal/compliance officers. With the advent of smartphones, expensive specialised hardware tokens are no longer necessary for multi-factor authentication.
Cluley believes that the adoption of advanced multi-factor authentication will accelerate as a result of these developments. The hackers' actions have underscored the need for businesses to rethink their security strategies and move away from the outdated and insecure password-based approach.