Password Re-user? Get Ready to Get Busy

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

Both awesome and sad

[ausekilis]

Sad that theres so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.

Re:Both awesome and sad

[Ravaldy]

Sad that theres so much password reuse

It isn't sad, it's unfortunate that we have to avoid reusing of passwords.

I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords. I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now;.

Depends on the data you want to protect

[DidgetMaster]

Everyone seems so worried about passwords getting hacked on sites that couldn't care less about. Anything that has information that I want to protect (e.g. bank accounts) has a strong password that I never repeat. But I also have a ton of accounts on news sites and other places that make you get an account just to see anything. I can set all those account passwords to "12345" and couldn't care less if they get hacked. There is nothing in there of any value for someone to steal. I usually use a fake name and address when I set up the account in the first place.

Re:Finally security done the right way

[khasim]

Not exactly "security done the right way".

This is mitigation.

Netflix gets the username/password list AFTER the bad guys have put it up for sale. What other bad guys have also purchased it? What other sites have you used that password on?

Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

Not really. The users will just keep modifying their passwords until they pass your checks. Then they'll have a "good" password that they'll re-use on multiple sites.

It all comes down to how the password will be cracked by the bad guys. That's why re-use is the main concern. Because that means that the bad guys only need to try ONE password for your account on other sites.

And they've scripted those attacks. They can hit thousands of sites in seconds once they have your re-used password.

That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

Re:Finally security done the right way

[internerdj]

This is a little disturbing. I got a password reset from Netflix. I thought it was something general. I also thought my netflix password was unique among my accounts. Now I've got no clue what actually was breached.