Slashdot Mirror


Password Re-user? Get Ready to Get Busy (krebsonsecurity.com)

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

16 of 119 comments

  1. Re:How do they know they are the same? by OzPeter · · Score: 4, Informative

    Surely everyone is hashing the passwords, using different salt etc?

    Bwhahahahahahaha You're assuming that these companies have good security practices. How do you think they got hacked in the first place?

    --
    I am Slashdot. Are you Slashdot as well?
  2. Both awesome and sad by ausekilis · · Score: 3, Interesting

    Sad that there's so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.

    1. Re:Both awesome and sad by Ravaldy · · Score: 4, Interesting

      Sad that there's so much password reuse

      It isn't sad, it's unfortunate that we have to avoid reusing passwords.

      I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords? I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

      If we could trust all entities to secure their shit then we could all use one password, but we all know it's impossible to secure everything, so this strategy will have to hold for now.

    2. Re:Both awesome and sad by TechyImmigrant · · Score: 2

      Sad that there's so much password reuse

      It isn't sad, it's unfortunate that we have to avoid reusing passwords.

      I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords? I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

      If we could trust all entities to secure their shit then we could all use one password, but we all know it's impossible to secure everything, so this strategy will have to hold for now.

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    3. Re:Both awesome and sad by pla · · Score: 4, Insightful

      I keep track of over 200 passwords, using a password manager. Why aren't you?

      You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?

      Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?

      Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once.

  3. Finally security done the right way by Guybrush_T · · Score: 4, Insightful

    It is about time security is done from the attacker's perspective. Yes, it is a good idea to think that "if an attacker can do it, we can do it too and disable accounts we can compromise". Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

    1. Re:Finally security done the right way by khasim · · Score: 3, Interesting

      Not exactly "security done the right way".

      This is mitigation.

      Netflix gets the username/password list AFTER the bad guys have put it up for sale. What other bad guys have also purchased it? What other sites have you used that password on?

      Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

      Not really. The users will just keep modifying their passwords until they pass your checks. Then they'll have a "good" password that they'll re-use on multiple sites.

      It all comes down to how the password will be cracked by the bad guys. That's why re-use is the main concern. Because that means that the bad guys only need to try ONE password for your account on other sites.

      And they've scripted those attacks. They can hit thousands of sites in seconds once they have your re-used password.

      That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

    2. Re:Finally security done the right way by internerdj · · Score: 4, Interesting

      This is a little disturbing. I got a password reset from Netflix. I thought it was something general. I also thought my Netflix password was unique among my accounts. Now I've got no clue what actually was breached.

    3. Re: Finally security done the right way by BlytheBowman · · Score: 3, Insightful

      How do I use one of those fobs with my Android phone?

    4. Re:Finally security done the right way by Anonymous Coward · · Score: 2, Informative

      Easy enough to find out. Check your email at haveibeenpwned.com.
      It will tell you what breaches have contained your email.

  4. Re:How do they know they are the same? by __aaclcg7560 · · Score: 2

    Surely everyone is hashing the passwords, using different salt etc?

    Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?

  5. Re:How do they know they are the same? by Anonymous Coward · · Score: 2, Funny

    I think you meant "dadada"

  6. Re:How do they know they are the same? by Anonymous Coward · · Score: 5, Informative

    Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless unless you have the resources to brute-force them.

    The password lists aren't encrypted. They are in the form of: login_id:password (i.e. bob@example.com:example)

    What Netflix, et al. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password".

  7. Depends on the data you want to protect by DidgetMaster · · Score: 4, Interesting

    Everyone seems so worried about passwords getting hacked on sites that I couldn't care less about. Anything that has information that I want to protect (e.g. bank accounts) has a strong password that I never repeat. But I also have a ton of accounts on news sites and other places that make you get an account just to see anything. I can set all those account passwords to "12345" and couldn't care less if they get hacked. There is nothing in there of any value for someone to steal. I usually use a fake name and address when I set up the account in the first place.

  8. Re:How do they know they are the same? by Anubis+IV · · Score: 4, Informative

    At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix et al. to run the lists through their hashing algorithm and see if it gets any hits against their users.

    LinkedIn was employing a fast hashing algorithm with no salt back in 2012 when their database was stolen. Which is about one step better than plaintext, given that an attacker can hit it at full speed and can crack them en masse because of the lack of salt.

    MySpace apparently began employing double-salted hashes in 2013, but the login credentials that leaked were ones that hadn't been used past that time, so MySpace hadn't been able to update them to be more secure, since it sounds like they were employing simple hashing prior to that.

    As for Tumblr, they said they employed hash+salt on the database that was leaked, so it should indeed take a while before anything besides commonly-used passwords starts showing up from it.
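The check described in comments 6 and 8, as an added example that is not code from any commenter or from Netflix: a site parses a leaked login_id:password list, and for each login it recognises, hashes the leaked password with that user's own salt and the site's own scheme, then flags the user for a forced reset on a match. The user table, its PBKDF2-HMAC-SHA256 scheme and the leak lines are all constructed assumptions; the page does not say what Netflix's authenticator uses. The point comment 8 makes about salt applies only to outsiders cracking the stolen database: the site knows every salt, so its own check costs one hash per matching login however slow the hash is.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed; a real deployment would tune this


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash, standing in for the site's authenticator."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(creds):
    """Build {login_id: (salt, hash)} with a fresh random salt per user."""
    db = {}
    for login, password in creds:
        salt = os.urandom(16)
        db[login.lower()] = (salt, hash_password(password, salt))
    return db


def parse_leak(dump: str):
    """Parse login_id:password lines; split on the first ':' only, since passwords may contain ':'."""
    pairs = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line, skip it
        login, password = line.split(":", 1)
        pairs.append((login.strip().lower(), password))
    return pairs


def users_to_reset(db, leak):
    """Return the set of login_ids whose leaked password matches their stored hash."""
    hits = set()
    for login, password in leak:
        record = db.get(login)
        if record is None:
            continue  # not our user, nothing to compare
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            hits.add(login)
    return hits


# Constructed sample data: three site users and a four-line leak dump.
USER_DB = make_user_db([("bob@example.com", "example"),
                        ("alice@example.com", "unique-elsewhere"),
                        ("carol@example.com", "pa:ss:word")])
LEAK_DUMP = """bob@example.com:example
Alice@Example.com:hunter2
carol@example.com:pa:ss:word
mallory@example.com:whatever
"""

if __name__ == "__main__":
    print(sorted(users_to_reset(USER_DB, parse_leak(LEAK_DUMP))))
```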

  9. Re:Centralized password management by houstonbofh · · Score: 2

    Funny you should mention Facebook first. It has the most value. It can be used for spearphishing your friends or spamming sunglasses, or directing everyone you know to malware. Netflix is just resold so people can watch free movies.