More than a billion plaintext passwords from third-party data breaches are freely available on the internet, and the human tendency to reuse passwords across multiple services means these credentials, some of them years old, remain a serious threat, especially for smaller organizations.
For years password dumps have been traded on criminal forums, but in the last six months the sheer volume of passwords has driven the price down, to the point that, in 2017, someone dumped a collection of 1.4 billion previously exposed credentials online — for free.
The credentials remain available at no charge to anyone who knows how to use a search engine and a torrent client, no need to bother with Tor.
“This has never happened before in history,” J. Tate, co-founder of Bits & Digits, says. “People used to say, where do you find the breach data? On the dark net. Now here it is publicly; use it for what you want to use it for.”
While researching this story, CSO uncovered in the breached data thousands of work email addresses and old passwords belonging to current and former employees of IDG (CSO’s parent company), as well as IDG affiliates. CSO worked with IDG’s IT departments to determine if the exposed passwords were accurate at the time of breach and to potentially identify incidents of password reuse.
The trove of data also includes email addresses and passwords for people working at all levels of government in countries around the world including police, military, and spies. Even users with @nsa.gov email accounts appear in these data dumps, although the National Security Agency (NSA) assured CSO that the agency is not affected by these exposed credentials. But, then, few organizations, if any, consume the volume or quality of threat intel that the NSA does.
The Department of Homeland Security and Department of Justice, both with email addresses and passwords in the dump, told CSO their agencies were unaffected, as did Bank of America and Wells Fargo. Likewise, Google and Apple said that the hundreds of millions of Gmail and iCloud email accounts in the dump were unaffected, since both companies proactively search for this kind of breach data and make their users change their passwords.
Small to medium-sized businesses, though, do not typically consume the same kind of threat intel as major banks, government agencies, or large tech companies, and rarely do even the basic things, like downloading third-party breach data with a torrent client and cross-referencing it against a list of current employees.
This leaves large swaths of businesses and local governments at risk of password reuse attacks — known as “credential stuffing” attacks — well within reach of unsophisticated attackers. Defending against these trivial yet devastating attacks begins with accepting the realities of human nature and recognizing that blaming employees or customers for reusing passwords is futile. Far better to appreciate that people are terrible at choosing and remembering strong passwords and go from there.
The password problem
Single-factor authentication based on “something you know” (e.g., a password) is no longer an acceptable best practice. “I’m pretty well convinced passwords are a horrible system,” Professor Douglas W. Jones of the University of Iowa, says. “If someone knows your old passwords, they can catch onto your system. If you’re in the habit of inventing passwords with the name of a place you’ve lived and the zip code, for example, they could find out where I have lived in the past by mining my Facebook posts or something.”
Indeed, browsing through third-party password breaches offers glimpses into the things people hold dear — names of spouses and children, prayers, and favorite places or football teams. The passwords may no longer be valid, but that window into people’s secret thoughts remains open.
These massive dumps of free passwords lower the cost of an attack dramatically. Password reuse or password guessing attacks are script kiddie stuff. Defending your organization against such threats is basic due diligence.
What does that due diligence look like?
Defending against credential stuffing attacks
Here are five basic steps every organization should follow.
1. End mandatory password rotation
Last year, standards body NIST set new password best practices (SP 800-63B): Stop forcing users to change their passwords every 30, 60, or 90 days, and stop forcing users to include a mixture of uppercase, lowercase, and special characters.
Forcing users to change their passwords should only happen if there is reason to believe an organization has been breached, or if a new third-party data breach affects employees or users.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
If you force people to frequently change their passwords, they will use bad passwords.
2. Use a password manager
Randomly generated 40-character passwords stored in a local KeePassX database render all known password reuse attacks moot: if every password is different, there is nothing to reuse. The user need only remember the master password for the password manager, preferably something like a seven-word diceware passphrase, which is easy to remember and hard to crack.
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
3. Blacklist all breached passwords
Download the billions of breached passwords and blacklist them all. Attackers have a copy; so should you. No one in your organization should be allowed to use any of those passwords, forever and ever amen.
NIST again lays down the law:
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g., ‘aaaaaa’, ‘1234abcd’).
- Context-specific words, such as the name of the service, the username, and derivatives thereof.
Blacklisting every password in these password dumps is a simple, relatively painless way to raise the bar for attackers. These password dumps cost nothing to download, and a modest amount of time to analyze. Grepping for IDG passwords took a couple of hours. Alerting users took a couple of days.
4. Never reuse passwords
Ensuring that users can never reuse a password is now a best practice. That means keeping old password hashes indefinitely, not just the last five to ten password changes, as is common practice today. Deleting old password hashes means users can go back to their really old passwords, the aforementioned ones that are windows into their souls, the ones they really like … the ones available in third-party data breach dumps. The retained hashes should be salted and slow-hashed just like the current one, and consulted only when a new password is set, never accepted for login.
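Steps 3 and 4 together describe one check a verifier runs whenever a password is set or changed. The following is an added example of that check, not CSO's or IDG's code: it implements the SP 800-63B list quoted above (breach corpus, dictionary words, repetitive or sequential characters, context-specific words) and the password-history comparison from step 4. The breach corpus, wordlist, username `jdoe@example.com`, service name `Acme Payroll`, and the PBKDF2 history hash are all constructed assumptions for illustration.

```python
"""Checks a candidate password the way NIST SP 800-63B section 5.1.1.2 asks a
verifier to: against a breach corpus, a dictionary, repetitive or sequential
characters, context-specific words, and (step 4) the user's own past passwords.
Added example, not CSO's or IDG's code; all data below is constructed."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed stand-in for a breach corpus. Kept as SHA-1 hex digests so the
# plaintext corpus never sits on the policy server; a real corpus holds
# billions of entries and belongs in a sorted file or bloom filter, not a set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "qwerty", "letmein", "Summer2017!")
}
# Constructed stand-in for a wordlist.
DICTIONARY = {"football", "dragon", "monkey", "sunshine", "princess"}

KEYBOARD_RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm")


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted slow hash for the password history (PBKDF2 here; bcrypt, scrypt
    or Argon2 are better choices where available)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def make_history_record(secret: str) -> tuple[bytes, bytes]:
    """What the verifier keeps indefinitely for step 4: a fresh salt and the hash."""
    salt = os.urandom(16)
    return salt, hash_secret(secret, salt)


def is_repetitive_or_sequential(secret: str) -> bool:
    lowered = secret.lower()
    if re.search(r"(.)\1{2,}", lowered):          # aaa, 1111, !!!
        return True
    for run in KEYBOARD_RUNS:                     # abcd, 1234, qwer, dcba ...
        for i in range(len(run) - 3):
            chunk = run[i:i + 4]
            if chunk in lowered or chunk[::-1] in lowered:
                return True
    return False


def context_words(username: str, service: str) -> set[str]:
    """The username, the service name, and simple derivatives of both."""
    words = set()
    for raw in (username, service):
        base = raw.lower()
        words.update({base, base.split("@")[0], re.sub(r"[^a-z]", "", base)})
    return {w for w in words if len(w) >= 3}


def evaluate(candidate: str, username: str, service: str,
             previous_hashes=()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accept.
    previous_hashes: iterable of (salt, digest) pairs from make_history_record."""
    reasons = []
    if len(candidate) < 8:                        # 800-63B minimum length
        reasons.append("shorter than 8 characters")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in breach corpus")
    if re.sub(r"[^a-z]+$", "", candidate.lower()) in DICTIONARY:
        reasons.append("dictionary word")         # catches football1! too
    if is_repetitive_or_sequential(candidate):
        reasons.append("repetitive or sequential characters")
    letters_only = re.sub(r"[^a-z]", "", candidate.lower())
    for word in sorted(context_words(username, service)):
        if word in letters_only:
            reasons.append(f"contains context-specific word {word!r}")
            break
    for salt, digest in previous_hashes:
        # constant-time compare: don't leak which history entry matched
        if hmac.compare_digest(hash_secret(candidate, salt), digest):
            reasons.append("reuses a previous password")
            break
    return reasons


if __name__ == "__main__":
    history = [make_history_record("Correct-Horse-Battery-9")]
    for pw in ("password", "abcd1234", "Acme-Payroll-2019",
               "Correct-Horse-Battery-9", "velvet-otter-tango-42-wharf"):
        print(f"{pw!r}: {evaluate(pw, 'jdoe@example.com', 'Acme Payroll', history) or 'OK'}")
```

The breach corpus is compared by SHA-1 digest only because that corpus is already public; the user's own previous passwords are never stored that way, each keeps its own salt and slow hash, and the candidate is re-hashed under every one of them, which is why a long history makes a password change cost a little more CPU.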
5. Make 2FA mandatory
The best and most important of all these recommendations, however, is to use two-factor authentication, preferably with a hardware token. A reused password is of little use to an attacker if the user has 2FA enabled, and a hardware token is more secure than an app on a user’s phone. 2FA all the things.
Take it seriously
Credential stuffing is a serious attack vector that is underrated because of its unintuitive nature. The good news is, mitigation is cheap and effective, but security admins, with the support of management, have to do the work. That means following NIST guidelines and deploying well-understood best practices.
This isn’t rocket science. It’s due diligence. Let’s get to work.