Combatting password re-use
A recent article on The Register discussed an academic paper proposing that high-profile websites cooperate to stop users re-using passwords. If sites like Twitter and Facebook share users’ credentials, it suggests, they can then work together to make sure users don’t use the same password across different sites.
The premise of the paper is founded on good intention: it encourages collaboration at the enterprise level to protect users from credential theft, and theoretically makes account takeovers and dictionary attacks more difficult to implement.
However, in practical terms there are a couple of major problems we thought it was worth highlighting.
Having a centralized database where all passwords related to a specific person or entity is a dangerous idea from a security perspective, whether the passwords are hashed or not. The consequences of a breach of this database could potentially be more severe simply because so many different users’ credentials stored there.
From a privacy perspective, it may not be that a user, corporate or personal, would even want to share their credentials used to login to one site with another. For instance, different sites use email addresses for different reasons, so you might find your email shared with a non-desirable site. Furthermore, both sharing and storing this sort of information after GDPR comes into force is entering murky waters legally. We present some ideas about personal data breach in our GDPR whitepaper here.
Even if this theoretical central database is shared across networks securely, danger remains. Any print of your passwords, even if they are protected by a one-way encryption algorithm, could be susceptible to as-yet-undiscovered vulnerabilities. Take the MD5 or SHA1 hashing algorithm vulnerabilities, for example.
On the technical level, passwords should be hashed using a slow hashing algorithm (for example, ARGON2, BCRYPT, PBKDF2) and using a UNIQUE salt for each password. This process makes any lookup very difficult in the way described in the article. The only way would be to present passwords in pure text, and, as we have seen last week with Twitter, this is just about the worst thing that can be done.
It is our opinion that account providers should focus on protecting their infrastructure and applications to avoid data breaches rather than transferring this resilience on to their end users.
Good practices, such as avoiding password reuse or using one-time passwords (OTP) or two- or multi-factor authentication (2FA, MFA) are to be encouraged. However, even the strongest passwords can be compromised whether the victim was re-using passwords or not.
Social engineering techniques such as phishing are still worryingly effective, while malware types (stealers, keyloggers, form-grabbers etc.) use ever-more sophisticated techniques to harvest credentials. Many stealers employ advanced obfuscation techniques making their activities very difficult to trace. Therefore, monitoring whether login credentials have been stolen is often key to discovering whether an account, and more broadly, a corporate infrastructure, has been compromised.
The number of data breaches arising from weak or stolen passwords has rocketed from 63% to 81% over the past few years. You can reduce chances of suffering a breach using targeted intelligence. Our Credentials module provides intelligence around leaked, stolen and sold user credentials. We find them in close-to real-time on the open, deep and dark web, along with information about relevant malware used to steal the information.