
Password reuse and credential stuffing - deverton
https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/
======
graystevens
We see credential stuffing quite a lot, with attacks varying from the
blatantly obvious (1000s of requests in a minute, to the login page, from the
same IP, with a scripting User-Agent like python-requests) to highly
distributed attacks across 100s of IPs with a random but current user agent.
While some malicious folk do this all manually and write their own scripts,
tools like those mentioned in Troy's post are pretty common. One mentioned
that I'd like to call out is SentryMBA - this tool is easily adapted to any
business via a shareable config, written by anyone. Want to know if your
service is probably affected or targeted? Google "Sentry MBA" + your
business's name. There are trading forums for these configs, and they range
from banks and big businesses, to CRMs and utility services.

SentryMBA also has the ability to scrape certain information on a successful
login, helping to identify those key accounts that'll earn you more on the
black market, such as recent successful orders on Amazon, or a high number of
points on Starbucks accounts.

If you've got a business with an online login page, it's well worth checking
the logs for these types of attacks, to see if any of your users or even
employees need to have their passwords reset after being successfully popped
from a credential stuffing attack.
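The two patterns described above (one IP hammering the login page with a scripting user agent, and a distributed burst from many IPs that mostly fails) can be pulled out of an authentication log with a small amount of aggregation, and successful logins from a flagged source give you the list of accounts to reset. This is an added illustration, not code from the post or from any named tool; the log format, IPs, usernames and thresholds are constructed for the example and real thresholds must be tuned to your own traffic baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed application auth-log lines (not real data): one login attempt per line.
SAMPLE_LOG = """\
2017-05-10T12:00:01Z 203.0.113.10 user=alice result=FAIL ua="python-requests/2.13.0"
2017-05-10T12:00:01Z 203.0.113.10 user=bob result=FAIL ua="python-requests/2.13.0"
2017-05-10T12:00:02Z 203.0.113.10 user=carol result=OK ua="python-requests/2.13.0"
2017-05-10T12:00:02Z 203.0.113.10 user=dave result=FAIL ua="python-requests/2.13.0"
2017-05-10T12:05:10Z 198.51.100.1 user=erin result=FAIL ua="Mozilla/5.0 (Windows NT 10.0) Chrome/58.0"
2017-05-10T12:05:11Z 198.51.100.2 user=frank result=FAIL ua="Mozilla/5.0 (Macintosh) Safari/603.1"
2017-05-10T12:05:12Z 198.51.100.3 user=grace result=FAIL ua="Mozilla/5.0 (X11; Linux) Firefox/53.0"
2017-05-10T12:05:13Z 198.51.100.4 user=heidi result=OK ua="Mozilla/5.0 (Windows NT 6.1) Chrome/57.0"
2017-05-10T12:05:14Z 198.51.100.5 user=ivan result=FAIL ua="Mozilla/5.0 (iPhone) Safari/602.1"
2017-05-10T12:30:00Z 192.0.2.7 user=judy result=OK ua="Mozilla/5.0 (Windows NT 10.0) Chrome/58.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) user=(\S+) result=(\S+) ua="([^"]*)"$')
SCRIPTED_UA = re.compile(r"python-requests|curl/|go-http-client|wget", re.I)

def parse(log_text):
    """Turn log lines into events keyed by the minute they fell in."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result, ua = m.groups()
            events.append({"minute": ts[:16], "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return events

def detect(events, single_ip_per_min=4, distributed_min_ips=5, fail_ratio=0.75):
    per_ip = Counter((e["minute"], e["ip"]) for e in events)
    per_min = defaultdict(list)
    for e in events:
        per_min[e["minute"]].append(e)
    flagged, findings = set(), []          # flagged: (minute, ip) pairs judged hostile
    # Rule 1: one IP making many attempts in a minute, or any burst with a scripting UA.
    for (minute, ip), n in per_ip.items():
        scripted = any(SCRIPTED_UA.search(e["ua"]) for e in per_min[minute] if e["ip"] == ip)
        if n >= single_ip_per_min or (scripted and n >= 2):
            flagged.add((minute, ip))
            findings.append(f"{minute} single-ip {ip} attempts={n} scripted_ua={scripted}")
    # Rule 2: distributed burst: many distinct IPs in one minute and most attempts failing.
    for minute, evs in per_min.items():
        ips = {e["ip"] for e in evs}
        fails = sum(not e["ok"] for e in evs)
        if len(ips) >= distributed_min_ips and fails / len(evs) >= fail_ratio:
            flagged.update((minute, ip) for ip in ips)
            findings.append(f"{minute} distributed ips={len(ips)} fail_ratio={fails / len(evs):.2f}")
    # Accounts that logged in successfully from a flagged source are the ones to reset.
    to_reset = sorted({e["user"] for e in events if e["ok"] and (e["minute"], e["ip"]) in flagged})
    return findings, to_reset
```

Running `detect(parse(SAMPLE_LOG))` on the constructed sample flags the 12:00 python-requests burst and the 12:05 distributed burst, and returns carol and heidi as the accounts that were successfully logged into from those sources.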

~~~
sasas
> We see credential stuffing quite a lot

Thanks for sharing. Super interested to know what line of work you are in?

~~~
graystevens
I work in the UK for a large telecoms provider, who I'd like to think are
pretty good when it comes to security and monitoring. Take a look through the
Sentry MBA configs and I'm sure you'll see a tonne of names you recognise,
including my employer.

In regards to my side project, as mentioned below, it's something which should
hopefully help businesses spot when their user data has been leaked, so that
they can be proactive in their investigations and alerting customers to take a
look at their passwords. Hope to get a first draft out soon!

------
alkonaut
Shouldn't we just stop using email/password or username/password entirely?
It's already relying on the single point of failure being the users email
account, because that is where you send your password reset emails. Just add a
simple requirement to passwords: 1) user can't choose them and 2) they are
single use. Now you don't need to store them in a database.

If an attacker controls my email account then they basically control all my
other accounts too.

So how many here tend to not even try to remember passwords, and instead just
always hit "forgot password" to log into a site?

Why isn't that the default? I.e. why aren't _all_ passwords single use? I just
enter my email, the site generates a secret and sends it to my email account
and that's it. It might sound like a hassle - but personally I think it's
_less of a hassle than using a password manager_ (I use LastPass and their
browser integration is more cumbersome than a copy & paste from inbox!)

~~~
a_imho
Medium did this and it is horrible. Your suggestion solves nothing as you
already considered, email being a single point of failure. So why would anyone
sign into a completely different service (for most people that being signed
into Google which has its own baggage) just to use an app?

1. Sending emails is not very secure

2. Delegating your authentication to a 3rd party is probably not a very good
idea

3. You still need to use a password somewhere e.g. accessing your emails, it
can't be mitigated all the way down

4. Increasing the importance of social media accounts / email and allowing
walled gardens to act as gatekeepers to services is annoying at best and very
harmful at worst if you are concerned about your data

~~~
crummy
Isn't OAuth delegating your authentication to a third party, which is
generally regarded as a good idea?

~~~
paulryanrogers
It's all about trust. If you trust the 3rd party more then it's good. That
could be because the authentication provider has more resources to devote to
things like intrusion detection. A separate service also isolates your
credentials from the various services.

Downsides include telling that 3rd party every time you sign in and putting
all your access rights in one place.

------
djhworld
I use a password manager, have done over the past 6 or so years, but
definitely had poor password habits before that.

There are probably a number of websites I used between 2000-2010 that I no
longer access, so that's somewhat worrying.

This is a really interesting article though, I think Troy is doing the world a
service with the work he's doing.

~~~
StavrosK
Why is it worrying? If you have good password habits now, nobody will be able
to get into your current sites using the old password, and you presumably
don't care about the old sites any more.

~~~
brainfire
There are possible reputational effects if they're linked to your current
identity somehow.

~~~
WorldMaker
If they are still linked to your current identity then change the passwords
now (or better yet, yesterday) or delete the accounts altogether.

------
darkkindness
> treat it as a reminder that your data is out there circulating around and
> that you need to go and get yourself a password manager and create strong,
> unique passwords.

I think that the real solution to the problem is not to tell people to use
password managers, but to make it easy for people to do so.

Unless they've been pwned, the person you're trying to convince probably
doesn't prioritize password security during account creation. They just want
to make an account. Telling them to do so with no other reason than "don't
endanger yourself like everyone else!!" might not have the best success.

Meanwhile, when Google Smart Lock (Google's password manager) was built into
Chrome, suddenly people who would never think about installing a password
manager were using a password manager. It became the default option.

But the security of password managers comes from secure password generators,
and Chrome does not provide this by default; it exists under `chrome://flags`.
And no one I know uses this. Even the effort of changing a single flag is too
much to ask people to do!

There is a similar story for Safari -- one needs to enable iCloud Keychain
Support to generate passwords. (*EDIT: this is false, it is enabled by
default!!) And while Firefox can store passwords, it has no built-in password
generator. There are many great Firefox add-ons, but then we are back to our
original problem of convincing others to actually install and use them.

Now, consider that, just like password storage, password generation was
default. I'd argue that if password generation was also default, /people will
use it/.

Instead, rather than go the path of default built-in password generators,
browsers -- recklessly blind to the discussed issue of password reuse --
recommend 'secure' passwords like "#Hihas4ei:YtB"[1] and "sPo0kyh@ll0w3En"[2].

Security shouldn't be a question of convincing others. It should be a default
option.

[1] [https://support.mozilla.org/en-US/kb/create-secure-passwords-keep-your-identity-safe](https://support.mozilla.org/en-US/kb/create-secure-passwords-keep-your-identity-safe)
[2] [https://support.google.com/accounts/answer/32040?hl=en](https://support.google.com/accounts/answer/32040?hl=en)

~~~
csydas
> There is a similar story for Safari -- one needs to enable iCloud Keychain
> Support to generate passwords. And while Firefox can store passwords, it has
> no built-in password generator. There are many great Firefox add-ons, but
> then we are back to our original problem of convincing others to actually
> install and use them.

Wait, is that true? I don't use iCloud on my machine (macOS 10.10.5 with
Safari 10.0.3) and it does password management automatically, generating and
storing passwords. I forget what update it was, but just out of the blue
Safari started recognizing password creation fields and offering generated
passwords.

~~~
darkkindness
Just tried it myself and you are right!

That's good news, perhaps I should go back to Safari.

------
cyberferret
Interesting to see that some companies do proactive audits by running a list
of their current user emails against HIBP. I guess that was bound to become a
thing sooner rather than later.

However, I also note that if such a company detects that an email address used
by one of their users has been compromised on another site, this fact should be
communicated carefully. Specifically I can see the confusion with the Digital
Ocean case in the OP - it _could_ sound like their email address in DO itself
was compromised, when all DO did was check it against HIBP and discovered it
was pwned previously, probably from another web app...

------
peteretep
I would love Apple to start rejecting apps that didn't integrate with Password
Managers. Or at least failing those which disable paste in password fields.

------
jwcrux
Troy does great work running HIBP.

It's an incredibly useful service - I highly recommend sending over a few
dollars to help with infrastructure costs if you feel inclined to do so:
[https://haveibeenpwned.com/Donate](https://haveibeenpwned.com/Donate)

------
awinter-py
is rate limiting a defense against this? I get that these attacks could come
from a botnet, but it at least increases the necessary size of the botnet.

Is there a service for correlating failed login attempts across sites?

~~~
mikey_p
It's only a deterrence, not a defense. The attacker can always wait it out, or
attack multiple sites at once to slow things down.

You also have to watch out for rate limiting becoming a way for attackers to
DDoS your legitimate users.

------
universenz
Also don't forget HIBP has a Domain search functionality which is great if you
want to find out which employee accounts have been breached. The service lets
you download a spreadsheet. Troy is doing the lord's work.
[https://haveibeenpwned.com/DomainSearch](https://haveibeenpwned.com/DomainSearch)

------
monochromatic
If I use a password manager, I'm trusting some random company with all of my
credentials. What company deserves that level of trust?

~~~
scrollaway
Don't use an online password manager then.

[https://www.keepassx.org/](https://www.keepassx.org/)

~~~
NeededToPost
KeepassX hasn't been updated in a while.
[https://keepassxc.org/](https://keepassxc.org/) is the maintained and updated
version.

~~~
FLUX-YOU
> KeepassX hasn't been updated in a while.

Is it broken somehow?

~~~
lucideer
"broken" is highly subjective, but here's a list of the issues that originally
motivated the fork:

[https://github.com/keepassx/keepassx/pulls](https://github.com/keepassx/keepassx/pulls)

Discussion for context:
[https://github.com/keepassxreboot/keepassxc/issues/43](https://github.com/keepassxreboot/keepassxc/issues/43)
