FOOD FULFILLMENT AND CYCLIST EMPLOYER Deliveroo has let off a warning to customers about the obvious risks of using bad passwords.
Seems fair, everyone else is at it, and everyone should be choosing their passwords carefully, even when ordering a cheeky Chinese.
In an email, the firm explains how it was not it that felt the touch of the breacher, but some other place. Deliveroo has stepped up, or cycled up, with its information because it suspects that some of its customers double or even triple up on simple-to-guess passwords.
An email is going out to registered users, it has not hit this one yet, but there is a blog about picking a professional password on the Deliveroo engineering blog.
"Passwords are a pivotal tool in customer account security, however they are frequently at risk from "reuse" - people choose one or two passwords and then use them everywhere, which brings a host of security problems…" said Alec Muffett, principal engineer for security at Deliveroo, from a tuffet.
"We want our customers to be safe online, and we — specifically the Deliveroo Infrastructure Security team — want to better protect our customers' accounts. Technically, we're starting from a good place: our passwords are hashed using the bcrypt algorithm, a robust and industry-standard password hash. The Rails default for bcrypt is to run at strength 10, meaning 210 = 1024 rounds of hashing, a reasonable work factor for a modern password hash."
That's all cool, according to Muffett, but there are other elements in the password problem and they are people who reuse and recycle what were probably bad passwords to start with. Muffett has something to say to those guys.
"Sometimes customers reuse their passwords at other sites, and sometimes those sites do not store their passwords under a robust password hashing algorithm. Worse, sometimes those sites get "popped" — bad people hack into them and exfiltrate password data, often sharing their findings with the world through pastebin sites and bulletin-boards," he continued.
"These actions put at risk any site where the owner has reused the same login name and password… From today, we will be informing our customers when we determine that the password which they use for Deliveroo is publicly known in some way. We will contact the impacted customers to request that they change their password, and advise that they also change that password at other sites where it is also used."
Robert Capps, VP at NuData Security,said that this is a good move from the company and a proactive approach to a perennial problem, which should please Deliveroo.
"It's a positive development to see a company such as Deliveroo taking such a proactive approach to consumer account security. While forced resets of known vulnerable accounts can create confusion and apprehension for consumers, it's a necessary step to keep consumers safe. Lack of standardisation of authentication techniques, along with an ever confusing array of password strength requirements, has conditioned consumers to actually degraded password security, not made it better," he said.
"Consumers are notoriously bad at password security and reuse the same credentials on multiple sites, to make compliance with password policies easier. This creates a perfect storm, where hackers know that the theft of usernames and passwords at one site, will allow them to commit fraud or steal money from consumers on another, totally unrelated site." µ
You can't fault them for speed
Investigation reveals that malicious code was injected into the firm's payment page
Plus the three-for-free
And it's not just on Ubuntu, neither