Data breaches are a huge and growing cybersecurity issue which affects pretty much everyone who lives in modern society. Just recently I wrote about a 41GB dump file database with 1.4 billion credentials acquired from 252 data breach incidents. The impact of data breaches on web security is staggering. We’re basically all compromised.
I have a confession to make: I use passwords for my various online services which are very difficult to crack, but I do reuse some passwords for multiple accounts. It’s my worst security habit. It’s also a habit that millions of people engage in because it can be overwhelming to have to remember a unique password for each and every online service we have.
I alone have accounts with Google, Twitter, LinkedIn, Netflix, Funimation, PlayStation, Peerlyst, Steam, and Medium. And there are definitely many other accounts that I have which I can’t remember off the top of my head right now. I’m completely typical that way. You may have at least as many online accounts as I do, each with a username and password.
The problem is if one of my account passwords is leaked in a data breach, an attacker can try the same password with some of my other accounts and they’ll have access to those too. Cyber attackers know that a lot of us reuse passwords.
Joe DeBlasio, Stefan Savage, Geoffrey M. Voelker and Alex C. Snoeren from the University of California San Diego have an exciting research project named Tripwire, not to be confused with the cybersecurity solutions company that’s based in Portland, Oregon.
The researchers wrote the following in their report:
“While there are a range of vectors by which account credentials can be compromised—including phishing, brute force and malware— perhaps the most pernicious arises from the confluence of data breaches and account reuse… In one recent study, Das et al. estimated that over 40% of users reuse passwords and our own anecdotal experience with stolen bulk account data suggests that up to 20% of stolen credentials may share a password with their primary email account.”
DeBlasio created a bot which registered online accounts with 2,300 different web services and websites. Each account is associated with a unique email address, and the passwords used for each account are the same passwords that are used to authenticate with the email accounts.
Basically, DeBlasio’s bot replicates what many of us human beings do. The researchers then watched to see if any unauthorized parties used the passwords to break into the associated email accounts.
In order to make sure that the email accounts were being breached due to one of the 2,300 web services and not through vulnerabilities directly related to the email services, the researchers created a control group. About 100,000 email accounts were created with the same email provider that was used in the Tripwire project, and those email accounts weren’t used by the bots to register for online services.
Nineteen of the websites used in the study were compromised. One of those websites is very popular, and based in the United States with over 45 million users. The breached websites and companies have not been publicly named by the researchers. I can understand - doing so may be legally risky.
“The reality is that these companies didn’t volunteer to be part of this study. By doing this, we’ve opened them up to huge financial and legal exposure. So we decided to put the onus on them to disclose,” said Alex C. Snoeren.
When the researchers discovered the account breaches, they contacted the companies about them. “I was heartened that the big sites we interacted with took us seriously,” said Snoeren, but the companies didn’t inform their customers about them. “I was somewhat surprised no one acted on our results.”
The researchers found that the breached email accounts were only rarely used for spam. The attackers generally just monitored the inboxes, possibly looking for useful information such as sensitive financial data.
The researchers also wanted to see the relationship between password complexity and account breaches. They created two accounts per website, one with a simple password, and one with a more complex password. The simple passwords consisted of seven-character words with their first letter capitalized and followed by a single digit. The complex passwords were random ten-character strings of numbers and letters, both in lower and upper case, without special characters.
If both the simple-password and complex-password accounts on a website were compromised, that may indicate that the site stores passwords in plaintext (or with a hash that is easily reversed). If only the simple-password account was breached, that suggests the site stores passwords as hashes, one-way cryptographic digests that force an attacker holding the database to guess each password rather than read it, so only the guessable one falls.
“In eight cases (categories of online services), our system registered for both an ‘easy’ and a ‘hard’ account at a site, but logins only occurred on the ‘easy’ accounts. This behavior suggests that these sites hash passwords sufficiently to at least delay the compromise of accounts with stronger passwords, or are leaking account credentials due to large-scale brute-forcing,” DeBlasio et al. wrote in their paper.
“Despite well-known security practices, we observed logins using ‘hard’ passwords on ten sites. These sites appear to have stored account passwords in the clear or used easily-reversed hashes. Our methodology only registered for accounts with easy passwords after it estimated that a hard registration succeeded. This biases our results to under-report compromises, as ‘easy’ passwords are more frequently compromised. Subsequent invocations of a Tripwire system should avoid this pitfall.”
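To make the methodology above concrete, here is an added example (mine, not the Tripwire project’s code) that builds passwords in the two classes the article describes, compares the size of each guess space, and applies the paper’s inference rule to which honey accounts saw an unauthorised login. The word list and site data are constructed placeholders.

```python
import math
import random
import string
from typing import Dict, Set

# Stand-in for a seven-letter word list (constructed; the study's list is not on the page).
EASY_WORDS = ["example", "library", "monitor", "freedom", "gardens"]
HARD_ALPHABET = string.ascii_letters + string.digits  # upper, lower, digits; no specials


def easy_password(rng: random.Random = random.SystemRandom()) -> str:
    """Seven-letter word, first letter capitalised, followed by one digit."""
    return rng.choice(EASY_WORDS).capitalize() + str(rng.randrange(10))


def hard_password(rng: random.Random = random.SystemRandom()) -> str:
    """Ten random characters from the 62-symbol alphanumeric alphabet."""
    return "".join(rng.choice(HARD_ALPHABET) for _ in range(10))


def guess_space_bits(wordlist_size: int) -> Dict[str, float]:
    """log2 of the guess space per class: the gap explains why a site that hashes
    passwords leaks only the 'easy' accounts to an offline cracker."""
    return {
        "easy": math.log2(wordlist_size * 10),          # word choices x one digit
        "hard": 10 * math.log2(len(HARD_ALPHABET)),     # 62^10
    }


def classify_site(logins: Set[str]) -> str:
    """Infer password-storage practice from which honey accounts were logged into.
    `logins` is a subset of {"easy", "hard"} observed for one site."""
    if "hard" in logins:
        # A recovered random password means the attacker read it, not cracked it.
        return "plaintext or reversible hashing suspected"
    if "easy" in logins:
        return "hashed (or brute-forced): only the weak password was recovered"
    return "no compromise observed"


def classify_all(site_logins: Dict[str, Set[str]]) -> Dict[str, str]:
    return {site: classify_site(seen) for site, seen in site_logins.items()}


# Constructed sample: three hypothetical sites and the honey accounts that saw logins.
SAMPLE_SITES = {"site-a": {"easy", "hard"}, "site-b": {"easy"}, "site-c": set()}
```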
The researchers advise users to use password managers, use unique passwords for each account, and to be careful about what sort of information we disclose online.
“Websites ask for a lot of information. Why do they need to know your mother’s real maiden name and the name of your dog?” Snoeren said.