mailing list archives
If you think just because you use different passwords for different services you're safe, think again
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 3 Jan 2014 19:57:36 -0700
According to the common wisdom on passwords, you should pick different
passwords for different accounts. But
if your way of remembering your passwords is to make them slight variations
of one another, you could be making hackers' lives easier than you might
Most people know it's bad practice to re-use passwords across multiple
accounts since hackers that steal a password database from one service can
use it to compromise the victim's other accounts. That's why Facebook
scoured Adobe's leaked customer credentials following a recent hack of its
user database and forced those who had employed the same email and password
combination on Facebook to change their passwords.
Those who were in Adobe's database of users whose credentials had been, but
who were wise enough not to re-use their passwords for Facebook, are
thought not to have got the same treatment.
However, new research shows there's a high chance non-identical passwords
only deviate slightly from one account to another — and they were probably
created using one of seven transformation rules that can be modeled to aid
an online password attack.
In a new research paper The Tangled Web of Password Reuse(PDF), Anupam Das,
a computer science PhD student at the University of Illinois, and his
fellow researchers compared password pairs linked to just over 6,000 email
addresses that appeared more than once in 10 major password leaks at
Gawker, Facebook, Hotmail, Yahoo, CSDN.net, militarysingles.com, myspace,
youporn.com, and porn.com.
The researchers found that for those addresses that appeared at least once,
43 percent of passwords were identical — they're the easiest pickings for
the hacker with a leaked password database.
But it turns out that around a third of the 57 percent that had
non-identical passwords are also vulnerable to having their account
hijacked. The researchers found that 19 percent of password pairs in the
dataset were based on a 'substring' of another: these include insertion or
deletion operations at the beginning or end of another password, so that
"password" at one account becomes "password1234" at another. Meanwhile, 38
percent of pairs were completely different.
"We weren't sure going in if most passwords would be identically re-used,
completely different, or slightly modified, and it turns out slight
modifications are an important category — about 20 percent of all passwords
are formed by adding or deleting characters from a password the user used
at another site," Joseph Bonneau, a Googler and security researcher who
co-authored the paper, told ZDNet.
"This is a significant fraction of all passwords, and for these most follow
one of a small number of predictable modification patterns. Most users said
this was simply to satisfying different websites' policies, but nearly as
often they said this was to increase security. So, users are trying to add
characters to a basic password for security. Unfortunately, our work
suggests this may not be working as well as users intend."
To demonstrate that slightly varied passwords could be guessed, the
researchers used common password transformation rules to create what they
claim is the world's first 'cross-site password-guessing algorithm'. The
top rules included insertions, deletions, capitalisations, leet speak
(writing 'password' as 'pa$w0rd', for example) and sub-word modifications,
where 'darkknight' on one account might become 'DarkKnight' on another.
They also wanted to show it could be designed for an online guessing
attack, which could but often don't face obstacles such as rate-limiting
login attempts. (The researchers note that most sites don't effectively
rate-limit incorrect guesses while Facebook and Google allow more than 10
guesses in some circumstances.)
According to the researchers, their prototype guessing algorithm was able
to crack approximately 10 percent of the nonidentical password pairs in
less than 10 attempts, which rose to 30 percent with fewer than 100
"This makes a real security impact as an attacker with a leaked,
non-identical password can mount an online guessing attack with orders of
magnitude higher success than an attacker without a leaked password," Das
and company note.
The researchers will present their paper at the NDSS conference in San
Diego in February 2014.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
- If you think just because you use different passwords for different services you're safe, think again Audrey McNeil (Jan 06)