Summary: Your password has been compromised. Probably multiple times. Use a different, complex password on each site to minimize the risk of credential stuffing attacks and offline cracking.
If you use a computer today, you have no doubt received advice on how to create a “secure” password. It may have been in the form of a lengthy narrative or a complexity meter that turned green if your registration entry met all of the criteria for a secure password. Today, most of the advice we receive is dated or has become irrelevant. It’s up to you to stay informed on current best practices. To help, here are some recent findings related to the utility of stolen passwords.
Billions of accounts with personal details and login credentials are traded on criminal marketplaces and forums. A majority of the accounts are stolen from websites that were hacked specifically to steal user data and sell it online. Myspace, LinkedIn, and Dailymotion are among the largest U.S.-centric breaches that have resulted in user data now being traded publicly. Perhaps more disturbing, many small websites and forums never publicly disclose their security breaches, which means user data can be traded without any warning to the users of the sites.
Most websites store user passwords as cryptographic hashes, which forces the criminals to crack the passwords before they can log in as the victims. There are many ways to store passwords, and some are better than others at resisting cracking attempts. Often, criminal enterprises use malware to steal login details saved in applications such as web browsers and file transfer clients. Some malware will inject scripts into the login page of a bank, for example, or transparently redirect users to a look-alike page to collect login details. The hackers can then use the obtained login details to transfer funds to a so-called “drop” account, from which they can cash out.
Criminals use these collections of leaked and stolen credentials to launch credential stuffing attacks, in which they take the login details from a compromised site and try them on another site in an automated way. The attackers hope to monetize access using credential stuffing, making this approach particularly relevant to sites and services that have some financial component where payment information may be stored or used. If the access cannot be directly monetized, the account itself may be sold on marketplaces for a small amount of money.
Another related problem is that users of sites and services that store login details have little or no control over the sites’ security. Some site operators choose to store login credentials in clear text. Once a site storing clear text passwords is compromised, cyber criminals have an excellent source of passwords to use without having to spend any time doing password cracking. The clear text passwords also make a great dictionary for cracking password hashes collected from other compromised websites. This is one of the main reasons why it is so important to have unique passwords on every site. You may have chosen a very difficult-to-crack password, but the site operator could have stored it in a way that nullified the complexity.
Recommendations for Individuals:
- Delete or disable accounts on services that are no longer used (e.g., old email accounts)
- Use a password manager to generate and keep a unique complex password for every site and service
- Use a payment service to purchase items online whenever possible instead of giving payment card details to every new site or service. If that is not possible, consider using a pre-paid credit card
Recommendations for Enterprises:
- Use two-factor authentication for remote access and elevated rights at a minimum
- Use adaptive authentication or two-factor authentication (like your bank might already do) for access that is provided to customers and third parties
- If your application stores user passwords, make use of a hashing algorithm that is computationally expensive and resistant to brute-force attacks such as bcrypt or SHA256
- Avoid the use of applications and protocols that do not support the use of strong passwords
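The hashing recommendation above in working code, as an added example that is not part of the original post: a bare, unsalted SHA-256 (the weak form, where every user with the same password gets the same hash and a leaked clear-text list becomes a lookup table) next to a salted, iterated PBKDF2-HMAC-SHA256 record that makes each dictionary guess cost hundreds of thousands of hash operations. It uses only the Python standard library; the iteration count and the `algorithm$iterations$salt$digest` record layout are assumptions chosen for the example, not a specific product's format.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor: chosen so one hash costs a noticeable fraction of a
# second on a server, which is negligible per login but crushing per guess.
ITERATIONS = 600_000
SALT_BYTES = 16


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: identical passwords give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record
    (assumed layout): algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def slowdown_factor(password: str, iterations: int = ITERATIONS, samples: int = 1000) -> float:
    """Rough ratio: cost of one PBKDF2 guess versus one bare SHA-256 guess."""
    pw = password.encode("utf-8")
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + pw).digest()
    fast = (time.perf_counter() - start) / samples
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return (time.perf_counter() - start) / fast
```

Storing the iteration count in the record lets you raise the work factor later and re-hash users on their next successful login.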
About the author: Brian Carter is an experienced analyst who has split his career between intelligence and computer network defense. Brian is a published author, frequent presenter, and regular attendee at information security conferences. He has performed in a variety of intelligence and security disciplines in defense, financial services, and health benefits. He is now an information security principal at a Fortune 50 company based in Indianapolis, where he lives with his wife and two children.