The FriendFinder Network breach is a perfect example of how poor password storage can exacerbate the impact of a breach and expose accounts to further exploitation. Storing passwords in clear-text, or using weak hashing schemes, will make it far easier for attackers to exploit the stolen data.
FriendFinder Networks owns several adult-only websites where individuals input their own details in the hope of finding a match, and this is not the first time it has been hit by a data breach. In May 2015, the details of four million users were leaked. Unfortunately, it seems that FriendFinder has not learnt its lesson, as this recent attack is very similar to the one it suffered the previous year. It would seem that it has done very little to improve its security, with many newly registered accounts having passwords still stored in clear-text.
The latest leak, which included 412 million FriendFinder users’ personal information, is the largest breach of its kind and just one more in a long list of high profile attacks to occur in the past few years. Customers who had previously deleted their accounts have also found their details to have been stolen, bringing to light the fact that FriendFinder is storing deleted customer account details without permission. It has become apparent that FriendFinder also did not store passwords using secure methods. In total, 99%of the passwords, including those hashed with SHA-1 or stored in plain visible format, were discovered by LeakedSource, a data breach monitoring service.
Furthermore, the effect of the breach of passwords was not limited to accounts on FriendFinder, as it is still a common practice for people to use the same password multiple times. This makes a hacker’s job far easier, as once they have successfully discovered a password they will try to use it on all other sites requiring one, potentially gaining access to numerous accounts.
Best practice for protecting passwords
FriendFinder is far from the only company to fall short when it comes to password best practice however, and there are a number of steps all companies should be taking to prevent themselves becoming the next headline.
When it comes to protecting sensitive information on websites, users should be advised on how to create strong passwords. Traditionally, the usage of a mixture of upper and lower case letters, words, numbers and symbols has been suggested. General advice is also to avoid using easily guessed combinations of words or numbers, especially consecutive ones or ones which someone could easily deduce, for example dates of birth or well known names connected to you. Words found in the dictionary can also be easy to hack, and there are password-cracking tools readily available on the internet that often contain dictionary and common word or name lists.
The National Cyber Security Centre (previously CESG) has recently published more modern advice on how to choose strong passwords. These guidelines encourage the usage of long, memorable phrases rather than short passwords that expire often. These are more difficult to crack for attackers.
But protecting passwords is not just a user’s responsibility. It is also essential that companies take appropriate measures to store user credentials. The current preferred way to store passwords is by using adaptive one-way functions that support the configuration of salts and work factors. Cryptographically strong salt values augment entropy and prevent dictionary attacks based on pre-computed lookup tables. Moreover, work factors allow us to impose long verification times on the attackers, making them less effective at cracking passwords at scale. Examples of such algorithms that should be used today to store passwords include: Argon2, PBKDF, scrypt and bcyrpt.
We must assume that, even with strong passwords and appropriate storage, an attacker could still in some cases manage to retrieve some passwords, such as through key loggers. In such cases, an additional defence-in-depth control should be considered in the form of multi-factor authentication as an obvious step to increase account security and mitigate the exposure of accounts whose passwords have been compromised.
Preventing password theft
Finally, it is also important to build processes and controls that help reduce the probability of credentials being stolen. The FriendFinder breach was reportedly caused by a Local File Inclusion (LFI) vulnerability. Introducing security activities from the very beginning in the Software Development Lifecycle and ensuring all developers are properly trained on security topics are good controls that would have helped prevent and/or detect this type of vulnerability before the application went live.
Given the number of large scale attacks we have seen in a relatively short space of time –TalkTalk and The Panama Papers, to name just two – it is more important than ever to ensure that organisation’s make data security a priority. They must implement software that will store all passwords following the most updated security guidelines. They also need to advise users on how to create strong passwords or passphrases that are difficult to guess or decipher using brute force methods. Every extra character used makes it an order of magnitude harder to crack.