

Password Exhaustion: Predicting the End of Password Usefulness (PDF) - Chirael
http://nsrc.cse.psu.edu/tech_report/NAS-TR-0030-2006.pdf

======
patio11
I think it is even worse than they suggest. Suppose you compromise a username
and password combination anywhere on the Internet, or offline compromise the
dump you got from some random forum. This gives you a list of username =>
password entries.

You then farm that out to your favorite botnet and begin hitting low security
consumer sites, like Facebook, Twitter, what have you. You should be able to
recover email addresses in a _totally automated_ fashion doing this. You can
then probably remote compromise those email accounts instantly, using the
exact same password.

Then, again in a totally automated fashion, you search their mail archives for
the signatures of mails from your list of 50 high-value target sites: banks,
brokerages, domain name registrars, WoW (don't laugh -- best dollar to
security tradeoff of any of the above, since an account compromise can be
worth $2k+, it is trivially cashable remotely, and it poses no risk of
criminal prosecution), etc. You then use their recover password functionality,
probably totally automated.

Then you just check your botnet for the new credentials for high-value sites,
and start cashing.

~~~
RK
What exactly does your bingo startup do again? ;)

I finally broke down recently and made a compendium of all my
username/password combinations in an encrypted file. It was eye opening when
I finally saw how many passwords I actually use and (mostly) remember. The
repetition frequency was higher than I would like, but I'm careful to never
use the same password for a site account and the associated email address(es).
Unfortunately, I can't say the same for my relatives and friends...
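The chain patio11 describes only works when a site password also opens the mailbox that receives that site's reset links, which is exactly the rule RK says he follows. The following is an added example, not code from the thread: an offline audit over a constructed vault export (no real credentials) that reports the overall reuse ratio, the entries whose password matches the mailbox they are registered under, and the groups of services sharing one password. The record layout and the `mail` flag are assumptions for the example.

```python
from collections import Counter, defaultdict

# Constructed sample vault (not real credentials). Each record is a service,
# the login used there, and the password. "mail" marks the mailbox account
# that receives password-reset links for the other logins.
VAULT = [
    {"service": "mail.example",      "login": "ann@mail.example", "password": "Tr0ub4dor&3",   "mail": True},
    {"service": "forum.example",     "login": "ann@mail.example", "password": "Tr0ub4dor&3",   "mail": False},
    {"service": "bank.example",      "login": "ann@mail.example", "password": "correct horse", "mail": False},
    {"service": "social.example",    "login": "ann@mail.example", "password": "correct horse", "mail": False},
    {"service": "registrar.example", "login": "ann@mail.example", "password": "unique-pw-1",   "mail": False},
]


def reuse_report(vault):
    """Return (reuse_ratio, mailbox_risks, shared_groups) for a vault export.

    reuse_ratio   share of entries that do not have a unique password
    mailbox_risks services whose password equals that of the mailbox their
                  login is registered under (a forum leak there gives an
                  attacker the mailbox, and with it every reset link)
    shared_groups lists of services that share one password (a leak at any
                  one of them exposes the others directly)
    """
    counts = Counter(e["password"] for e in vault)
    reuse_ratio = 1 - len(counts) / len(vault)

    # Password of each mailbox account, keyed by its address.
    mailbox_pw = {e["login"]: e["password"] for e in vault if e.get("mail")}
    mailbox_risks = sorted(
        e["service"] for e in vault
        if not e.get("mail") and mailbox_pw.get(e["login"]) == e["password"]
    )

    groups = defaultdict(list)
    for e in vault:
        if counts[e["password"]] > 1:
            groups[e["password"]].append(e["service"])
    shared_groups = sorted(sorted(g) for g in groups.values())
    return reuse_ratio, mailbox_risks, shared_groups


if __name__ == "__main__":
    ratio, risks, groups = reuse_report(VAULT)
    print(f"reuse ratio: {ratio:.0%}")
    print("site password also opens the mailbox:", risks)
    print("services sharing a password:", groups)
```

Run against a real export only on the machine that holds the vault; the script never needs to leave it.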

