Day: September 20, 2018

Don’t reuse passwords: The anatomy of a password breach

By Greg Hluska

Everyone has heard the phrase “don’t reuse your password”, but that is such an abstract warning that it’s hard to understand why password reuse is such a dangerous thing. However, I know a lot about security and password reuse is honestly one of the threats that keeps me awake at night. I would like to take this opportunity to help provide a better understanding of how a password breach can occur and how criminals exploit the information obtained with a view to encouraging everyone to use best practices with their passwords, so we can all sleep a little bit better.

Despite the fact that we are all told not to reuse passwords, we are all, in the interests of short-term convenience, tempted to do exactly that. Many websites impose rather onerous password requirements. You need a password that is at least eight characters with at least one upper and lowercase letter, a number and a special character. It is hard enough to come up with and remember one password like that. It’s nearly impossible to do that for 25 different websites.

Passwords themselves aren’t even a very logical way to secure a system. Good passwords are good because they’re hard to guess, but to be hard to guess, a good password must be hard to remember. Following the best practices (set out below) for password management is hard, but it is vital to lessening the ever-growing risk. Fortunately, there are ways to make implementing best practices more manageable.

But first, let’s look at an example of a major password breach and how criminals gain access to and exploit personal information.

LinkedIn Breach – 2012/2016

LinkedIn was hacked on June 5, 2012 and cybercriminals were able to steal what was first reported as 6.5 million passwords. This leak was particularly dangerous for two reasons:

1.) Because of LinkedIn’s nature, many people use their work addresses to sign up for their LinkedIn accounts.

2.) LinkedIn used a very weak hashing algorithm to scramble their passwords so they did not appear in plaintext. They used an algorithm called SHA-1, which was deprecated by the United States National Institute of Standards and Technology (NIST) in 2011. However, SHA-1 was considered unsafe against well-funded opponents as early as 2005.

Because LinkedIn stored their passwords using a very weak hashing algorithm, the net effect was that by June 6, 2012 cybercriminals had access to millions of plaintext passwords alongside work email addresses.
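
The reason a fast, unsalted hash such as the SHA-1 LinkedIn used turns back into plaintext within a day is that one hash computation per guess can be compared against every leaked record at once. The following is an added example (not code from the original post) that shows that lookup against a constructed set of leaked records, beside the hardened form: a random per-user salt and a slow, iterated key derivation function. All accounts, passwords and the wordlist are made up for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of leaked records in the shape of the 2012 LinkedIn
# dump: email address -> unsalted SHA-1 of the password. Every account
# and password here is made up for this illustration.
SAMPLE_ACCOUNTS = {
    "alice@example.invalid": "password1",
    "bob@example.invalid": "123+pa$$worD",
    "carol@example.invalid": "correct horse battery staple",
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

LEAKED = {email: sha1_hex(pw) for email, pw in SAMPLE_ACCOUNTS.items()}

# Constructed stand-in for the public wordlists built from earlier breaches.
# Note that "123+pa$$worD" is in it: once a password has leaked anywhere it
# is on such a list, however complex it looks.
WORDLIST = ["letmein", "password1", "123+pa$$worD", "qwerty"]

def recover_unsalted(leaked: dict, wordlist: list) -> dict:
    """Why unsalted fast hashes fall within a day: one SHA-1 per guess
    builds a table that is checked against every leaked record at once."""
    table = {sha1_hex(word): word for word in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}

# Hardened storage: a random per-user salt and a slow, iterated KDF.
# With a salt, a precomputed table is useless, and each guess has to be
# recomputed for each user at the full iteration cost.
def pbkdf2_store(password: str, iterations: int = 200_000) -> tuple:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def pbkdf2_verify(password: str, record: tuple) -> bool:
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)  # constant-time comparison
```

Two users who chose the same password get different PBKDF2 records because of the salt, so a single table can no longer serve every account.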

Then things got much worse. In 2016, the mainstream security community learned that the attack on LinkedIn was far worse than feared. Researchers discovered that criminals had actually stolen over 100 million email addresses and password combinations. A massive file of greater than 100 million email addresses and poorly hashed passwords had been available for almost four years. This was an absolute disaster from a security perspective.

Exploiting the Data

How would criminals respond to a breach like that? First off, they’re keenly aware that 80 percent of people reuse one password across multiple sites. Armed with a set of work email addresses and passwords, they would likely start trying to access those work email accounts with the plaintext passwords from the LinkedIn breach.

To illustrate the danger of this, let’s consider a fictitious example. John Smith is an IT Coordinator with a major national law firm. His email address is john.smith@made.up.firm.ca. John Smith wanted to be able to network, so he set up a LinkedIn account under that email address, and he secured it with a really good password – 123+pa$$worD. Because it was a really good password, John Smith also used that password on his email account.

Then, the LinkedIn attack happened.

A criminal started off by finding the webmail login for the firm and tried to access the account using that email address and password – success. John Smith used the same password for LinkedIn that he used for his email account. That one hack, however, led to other types of equally dangerous information. You see, John Smith used john.smith@made.up.firm.ca to sign up for a web hosting account, a domain registration account and for administrative access to the firm’s Office 365 subscription.

With that one breach, criminals would have complete access to the firm’s website, domains and every single email that the entire organization received. Thankfully, this is only a made-up example, but it demonstrates the power that one password can yield when it is used across multiple platforms.

How can we protect ourselves?

In general, there are a few best practices that you can employ to protect yourself from this kind of an attack.

1.) Do not reuse or duplicate your passwords across platforms. Using a different password on each platform ensures that if one platform is breached (be it LinkedIn or your fitness tracker) the damage is contained to the data lost in that breach and cannot be reused to compromise other platforms.

2.) Do you really need that account? Here is an unfortunate truth about data and data breaches. The more accounts that you sign up for, the higher the probability that one account will be breached. And, the more breaches that your data is caught up in, the higher the probability that one will yield dangerous information, like a plaintext password. Consequently, before you sign up for anything, ask yourself if you really need to sign up for that service. If the answer is no, you might be happier (and you will be significantly more secure) if you don’t sign up for it. And it will be one less password you have to remember.

3.) Use multiple email addresses. The LinkedIn breach would have been much less dangerous if people did not use their work email accounts. If you decide that you do need to sign up for a new service, ask yourself if you need to use your work email account. In some cases, yes you should. In other cases, it’s just as useful if you sign up with an alternate email account that you use for less sensitive information.

4.) Use a password manager. Critics rightly point out that password managers do not protect against every kind of attack. However, all password managers make it easy to use strong, unique passwords on every website and service that you use.

5.) Change your passwords regularly. Most organizations will force password resets every two or three months on their systems. Why not force password resets on all your accounts every two or three months? Good password managers can automate this process for you. The point of changing your passwords regularly is that if you are breached (and you will be), the probability that you will be victimized in a new breach is relatively low.

6.) Use two-factor authentication for especially sensitive accounts. Two-factor authentication (2FA) is a system where you enter something you know (i.e. a password) and then have to answer a second challenge. Most commonly, this second challenge is a temporary PIN sent to your mobile device. Other services use an app such as Google Authenticator to generate a unique six-digit PIN on your mobile phone. The point of 2FA is to make it more difficult for criminals to gain access to your most sensitive accounts.

7.) Hack yourself…sort of. A security researcher and educator named Troy Hunt runs a wonderful service called “Have I Been Pwned”. The premise is simple. You can go to their website, type in an email address and find out if that email address is included in an ever-growing collection of breaches. The address is https://haveibeenpwned.com/ and I strongly encourage everyone to try it out, particularly with highly sensitive accounts.

Password reuse is such a major issue in our society because hackers can easily steal passwords from data breaches and use that information to get access to many other services. Because of this, it is important to use unique, strong passwords for every service that you sign up for. It’s hard to come up with a good password for every website that you use, creating a need for password managers, which make it easier to track your passwords and change them regularly. You can also use a second factor to authenticate for access into particularly sensitive accounts. By applying these practices and simply being aware of the associated risks, the likelihood of a breach will not disappear, but it can be reduced considerably.