There are now over a billion owned accounts with credentials sold online. In the age of stolen passwords, compromised credentials are the easiest way in, simpler than phishing, malware or exploits. “Password confirmation” tools are now readily available to find reused passwords matching any website. This trend of large scale verification of stolen passwords is not new and has been ongoing for at least 2 years.
Imagine a world where millions of keys capable of unlocking bank safe-deposit boxes are just lying on the ground everywhere. All you need is to pick them up and find a match to open any box you would like. Well, this is exactly where we are with passwords today. In fact, it is worse, because for most people, this same key is used to open their office, car, and house.
Passwords are the new exploit, but even better – credentials have become the number one attack methodology today. According to Verizon’s 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved leveraging weak, default or stolen passwords, and the problem is only getting worse.
The market is already so saturated with usernames and passwords that it is hard to tell whether a new password batch is a result of a new breach or re-filtering existing stolen passwords on a new website. Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites.
If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account. That’s why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y. For instance, a hacker can take the Tumblr stolen dataset and use an automated “password confirmation” tool on Dropbox and within hours get millions of “new” Dropbox passwords, which is what happened in June, according to Brian Krebs.
There are dozens of “password confirmation” tools available for this, for instance – SentryMBA.
There are many other such tools, that test stolen passwords on many websites to confirm passwords. Of course, the websites try to prevent this activity, by rate limiting logins. So attackers utilize large sets of proxies and botnets to win. They even use OCR software to bypass CAPTCHAs.
The economics are as follows: stolen credentials get packaged into batches of 1,000 and resold underground for prices between a penny and a nickel – roughly $50 dollars per million. Attackers then use sites like iOne.club to find a tool they like to test passwords and only pay 1 cent for each working password, pay nothing for the non-working passwords.
As I mentioned in 2015, most of your passwords are likely already leaked and out there. And changing your password does not make you more secure either. For one, statistically you will likely just change it to 123456789 or ‘dadada’ a la Zuckerberg or something equally bad.
But even if you pick a good, hard to remember password, it is only a matter of short time before another SQL injection attack will pwn a service that you used the new password on, and you are back to square one.
Another option is to use two factor by default all the time. Many services already do this.
Most people can’t be bothered to make up complex passwords or to remember to use unique passwords per service. So, websites must assume attackers already know most passwords. The rampant password re-use on many websites means there is essentially now a single point of failure for the entire online identity. It is time to change this situation and start retiring passwords as the primary authentication mechanism.