One of the most frustrating things to me is that the easiest way to secure yourself and your data is to not use the same incredibly insecure password for every account you have. No matter the amount of information on the web informing users to use different passwords for every account, or the password complexity rules that organizations use on their websites, users do not seem to understand the importance of proper password hygiene. Do users take all the blame, though? Have we as security professionals made password security too complicated, and failed to teach appropriate password security?
Users will inherently use the same password over and over again because, quite frankly, there are too many passwords to remember for all the accounts we have access to. When an organization is breached and usernames and passwords are stolen, the combinations are sold on the dark web. When users are alerted that their information was taken in that breach, they may change their password on the site that was breached, but most of the time they do not change their passwords on other sites as well. When an attacker buys this information on the dark web, they can use these lists to attack other sites and find matches. This is called a credential stuffing attack. The Open Web Application Security Project defines credential stuffing as “the automated injection of breached username/password pairs to fraudulently gain access to user accounts” (OWASP, n.d.). When a compromised username and password pair also works on another account, the attacker can take over that account, and the user is not aware it was compromised. The attacker can then drain the stolen account of credit card numbers or personally identifiable information, or use the account to send spam or make other transactions (OWASP, n.d.). If a user uses the same password for a corporate account that they use for breached accounts, corporate networks can be exploited. Need more proof of their popularity? Research a couple of breaches such as the Yahoo and Sony breaches in 2011 and 2012, both of which were the result of credential stuffing.
This is a prevalent type of attack, and many users are vulnerable to it, but how do users protect themselves? The most important step is to use a different password for every account, make each one 24 characters long, and make it of random characters. It’s that simple… Many users, dare I say all regular users, would have a challenging time remembering all of these random passwords. This is where technology can benefit the user.
First, multifactor authentication should be used on all accounts that support it. While a code sent by text message is vulnerable to SIM swapping, it will still help secure the average user. Applications such as Google Authenticator are much more secure, but they are not widely adopted currently. Other authenticators are physical devices such as the YubiKey. These are USB devices that are plugged into phones or computers to authenticate the user. If the user does not have the device, then they are not able to access their accounts. However, a targeted attack could still leave a user vulnerable if they were to leave the YubiKey in their computer and walk away.
Another option for securing information is to use a password vault, such as LastPass. When using this type of program, a user only has to remember their password to the vault, which should be a very secure passphrase 16-24 characters in length, using substituted characters. The password vault can create randomized strings as passwords for each account, so the user only has to remember the one password to the vault. Both of these measures should be used together to secure accounts. However, there is no foolproof method to secure an account.
If you would like to know whether your account has been breached, Troy Hunt’s website Have I Been Pwned is a great resource to see which accounts have been breached. The website can be viewed here: https://haveibeenpwned.com/
Security professionals should ensure that usernames and passwords do not appear on breached-password lists when a user sets up a password for an organization. Have I Been Pwned can help secure corporate networks by ensuring breached passwords are not being used.
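As an added example (not the post's own code), here is the check described above: a sign-up handler that rejects any password already present in Have I Been Pwned's Pwned Passwords data, using its range API. The API endpoint and its k-anonymity scheme (only the first five SHA-1 hex characters are sent) are not described on this page, and the sample response and its count are constructed so the code runs offline.

```python
# Added example, not code from the original post: checking a candidate password
# against the Have I Been Pwned "Pwned Passwords" range API using k-anonymity,
# as an organisation's sign-up flow might. Only the first five hex characters
# of the SHA-1 hash ever leave the machine.
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def live_fetch(prefix: str) -> str:
    """Query the real API (network access required)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=live_fetch) -> int:
    """How many times the password appeared in known breaches (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def password_acceptable(password: str, fetch=live_fetch, min_length: int = 16) -> bool:
    """Sign-up policy: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password, fetch) == 0

# Constructed stand-in for the live API so the example runs offline: the real SHA-1
# suffix of "password" with an invented count, plus one unrelated suffix.
_SAMPLE_PREFIX, _SAMPLE_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RESPONSE = f"0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n{_SAMPLE_SUFFIX}:1000000\r\n"

def offline_fetch(prefix: str) -> str:
    """Drop-in for live_fetch; any prefix other than the sample one returns nothing."""
    return SAMPLE_RESPONSE if prefix == _SAMPLE_PREFIX else ""
```

Pass `offline_fetch` to `password_acceptable` to exercise the logic without network access; the default `live_fetch` queries the real service.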
OWASP. (n.d.). Credential Stuffing. Retrieved July 8, 2019, from https://www.owasp.org/index.php/Credential_stuffing