Password Problems 1: Ghosts of Breaches Past

Old data breaches fade from our memory like ghosts, but continue to haunt us on the internet.  The passwords, security questions, and personal information that were leaked in breaches become a data mine for all manner of fraudsters and hackers for many, many years.  Recent events continue to demonstrate the lingering impact of breaches and the undisputed value of basic – but all-too-often ignored – security steps, such as updating passwords and using multi-factor authentication!

In 2015, the US Office of Personnel Management (OPM) reported that unknown hackers had stolen the personal information of 22 million active and potential US government employees and contractors.  As recapped on Defensive Security Podcast #220, the breach was rumored to be the work of nation-state hackers, and most government employees worried about its espionage ramifications.  However, recent events reveal a more mundane consequence.  In June 2018, Zeljka Zorz reported on HelpNetSecurity that a Maryland woman pleaded guilty to using data from the OPM breach to commit identity fraud.  Although the link between the fraudsters and the data has not yet been revealed, the conviction exposes the breadth and the long-lasting ramifications of all data breaches.  From an authentication standpoint, a more sinister aspect emerges when we consider that the information needed to commit identity fraud heavily overlaps the data we use for security questions on websites.  Consider how often we are asked for our mother’s maiden name or our high school mascot as a security question!

While the breadth of compromised data in the OPM breach may be unparalleled, other breaches make up for it with sheer volume.  Yahoo.  LinkedIn.  Experian.  Ashley Madison.  These notorious breaches are only the beginning of the data leaks that include passwords, email addresses and the answers to security questions.  In its 2018 Identity Breach Report, Identities in the Wild: The Tsunami of Breached Identities Continues, 4iQ identified 8.7 billion raw records from 3,525 sources and found 3 billion distinct records.  Unfortunately, not all of the data they identified comes from breaches – some simply comes from the 188,916 FTP servers and 19,716 MongoDB servers that have Personally Identifiable Information (PII) improperly exposed!  Most people faithfully and truthfully answer the security questions because the answers are easy to remember, but that means that by now, most people’s security questions have been leaked.

Perhaps the fact that one must pass multiple hurdles to reach a stage where security questions become the gatekeeper for access will allow some to feel a sense of security.  However, for many people, a breach on one site is a breach on many sites.  In a 2017 survey of 1,000 respondents by Keeper Security, more than 81% of respondents older than 30 and 87% of respondents between 18 and 30 reuse the same password across multiple accounts.  But surely that reuse is limited to uneducated users?  Just last month proved otherwise.  As reported by Swati Khandelwal of The Hacker News, Gentoo’s GitHub repository was breached because hackers guessed an admin’s password.  This admin was not foolish enough to reuse the exact password, but the hackers had identified the user and, from previous breaches, recognized a pattern in the way that user created passwords.  They used that pattern to guess the admin’s current password on the repository and began systematically locking out other admins and taking over the repository!

Bad password habits cannot be changed so easily, and the continual issue of password hygiene for the last few decades indicates it will continue for decades to come.  Thankfully, practical countermeasures can be easily adopted.  Mike Garcia of the National Institute of Standards and Technology (NIST) blogged last year about the new NIST recommendations:

  • Use multi-factor authentication
  • Use pass-phrases instead of passwords
  • Protect your most important accounts with unique passphrases

To this list we add a few tips for security managers:

  • Either try to crack internal passwords regularly or enforce password changes every 60-90 days
  • Prohibit and reject reused passwords
  • Do not limit passwords to 8 characters
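The two lists above are policy; the following shows how a service might enforce them at password-change time.  It is an added example written for this page, not Soliton's code and not a NIST reference implementation.  It applies a minimum length without an 8-character cap, screens candidates against a constructed breached-password hash set, rejects reuse against a salted password history, flags the kind of predictable variation (a changed year or digit) that the Gentoo attackers exploited, and generates passphrases with a cryptographic random source.  The policy values, the word list and every function name are assumptions chosen for the example.

```python
"""Password-change policy checks (added example; parameters are assumed)."""
import hashlib
import re
import secrets

MIN_LENGTH = 12
MAX_LENGTH = 128          # generous ceiling: do not cap passwords at 8 characters
PBKDF2_ROUNDS = 100_000
NEAR_REUSE_DISTANCE = 2   # edits within this distance count as a pattern variant

# Constructed sample of a breached-password set, kept as SHA-1 hex digests so
# plaintext passwords never sit in the policy code.  A real deployment would
# load a large corpus instead of these four entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "Password1", "qwerty123", "letmein")
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the history store."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate matches any (salt, digest) entry of previous passwords."""
    return any(
        secrets.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in history
    )


def edit_distance(a, b):
    """Levenshtein distance; catches 'Summer2017' -> 'Summer2018' style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(password):
    """Drop digits, punctuation and case so 'Gentoo!2018' and 'gentoo2019' share a stem."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_new_password(new, current=None, history=()):
    """Return the list of policy violations; an empty list means the change is allowed.

    `current` is the plaintext the user just typed to prove they know the old
    password.  It is used only for the near-reuse comparison and never stored.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(new) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if hashlib.sha1(new.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")
    if in_history(new, history):
        problems.append("reuses a previous password")
    if current is not None:
        same_stem = stem(current) != "" and stem(new) == stem(current)
        close = edit_distance(new.lower(), current.lower()) <= NEAR_REUSE_DISTANCE
        if same_stem or close:
            problems.append("is a trivial variant of the current password")
    return problems


def suggest_passphrase(words, count=5, separator="-"):
    """Random passphrase from a word list using the CSPRNG-backed secrets module."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    # Constructed history: the user's last password, stored salted and hashed.
    history = [hash_password("Summer2017Gentoo")]
    for candidate in ("Password1", "Summer2018Gentoo", "Summer2017Gentoo"):
        print(candidate, "->", check_new_password(candidate, "Summer2017Gentoo", history) or "ok")
    print("suggestion:", suggest_passphrase(["orbit", "velvet", "canyon", "lantern", "pebble"]))
```

The near-reuse check only works at change time, when the user has just typed the current password; it cannot be applied retroactively to stored hashes, which is why the history comparison and the near-reuse comparison are separate steps.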

Once these basics are in place, consider more sophistication.  For passwords and security questions, consider using a password manager that will allow for unique answers to be used for each site.  For a professional environment, also consider authenticating devices, not just users.

Soliton’s products provide and support a rich variety of multi-factor authentication ranging from SecureShield’s support for Duo’s 2-factor authentication to certificates issued by the NetAttest EPS.  Hiring that exorcist will not remove the password ghosts that haunt the internet, but the science of existing technologies will minimize their impact on our future.


For information about Soliton products, please visit:

SecureShield data sheet
SecureShield video
NetAttest EPS product flyer


Defensive Security Podcast, #220 – Discussion of OPM Data Used in Fraud

Zorz, Z., HelpNetSecurity, Fraudster exploited US govt staff info stolen in 2015 OPM breach

4iQ, Identities in the Wild: The Tsunami of Breached Identities Continues

Keeper Security, Mobile Survey Finds Security Awareness is High, but Use of Security Apps is Lagging

Khandelwal, S., The Hacker News, Password-Guessing Was Used to Hack Gentoo Linux Github Account

Garcia, M., NIST, Easy Ways to Build a Better P@$5w0rd