All Passwords have been lost: What's next? - SANS Internet Storm Center

All Passwords have been lost: What's next?
Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost as yesterday's report by Hold Security states, given all the password leaks we had over the last couple years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1] yes. we have talked about this many times, but it doesn't seem to get old sadly. So what next? Password have certainly been shown to "not work" to authenticate users. But being cheap, they still are used by most websites (including this one, but we do offer a 2-factor option). For web sites: review your password policies. There is no "right" policy, but come up with something that rejects obvious weak passwords and on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site). Make sure your site works with commonly used password managers. The only real way for the user to have a unique password for each site is a password manager. lock accounts that haven't been used in a long time, and delete their password from your database forcing a password reset if they try to reactivate it consider two factor authentication, at least as an option and maybe mandatory for high value accounts (e.g. administrators). Google authenticator is probably the easiest one to implement and it is free. We talked about other alternatives in the past as well. For users: Have a unique password for each site. As an alternative, you may have a single "throw away" password for sites that you don't consider important. But be aware that at one point, a site that is not important now, may become important as you are doing more business with them. Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service. For important sites that don't allow for two factor authentication, consider a "two-part password": One part will be kept in your password safe, while the second part you type in. The password safe part is unique to the site while the additional second part can be the same for different sites or at least easy to remember. This will give you some protection against a compromised password safe. Change passwords once in a while (I personally like every 6 months... ) in particular the "static" part of these high-value passwords. Ask sites that you consider important to implement 2-factor authentication. That's at least what I can come up with while sipping on my first cup of coffee for the day. [1] http://www.holdsecurity.com/news/cybervor-breach/ --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022	Johannes 4473 Posts ISC Handler Aug 6th 2014
Thread locked Subscribe	Aug 6th 2014 7 years ago
If the issue is SQL injection grabbing of usernames and passwords (or password hashes). Website owners need to use better password hashing. Too many sites use one round of MD5 (no really they do). Users need unique passwords per website so if one website stores plain text or uses weak hashing then other sites aren't compromised. Users need a password complex enough that an aggressive dictionary attack won't try it (estimates vary from 11 to 12 random characters, but 16 should be fine). This means that even if they can steal the password hash, they can't reasonably get the password to login from the hash. With SQL injection they may be able to reset passwords they can't guess, but then all bets are off, and nothing the user can do will necessarily help (they might even be able to disable 2FA on the account record at that point if 2FA is not mandatory). Probably everyone needs to do more security testing, but most sites taking money should have routine testing that might detect some SQL injection issues due to PCI compliance requirements.	Anonymous
Quote	Aug 6th 2014 7 years ago
I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie. These guys don't even have a name, and don't release any details about the hack -- not even website names. This sounds like a group that's trying to establish cred or is just outright trolling.	Darron Wyke 19 Posts
Quote	Aug 6th 2014 7 years ago
Is there a bank or credit card company that implements two-factor authentication? None of mine does. Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule? My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor. Anyone know how to get banks to take this seriously?	Terry 2 Posts
Quote	Aug 6th 2014 7 years ago
For web sites the questions to ask should be: - Do you really, really need the users to log in? E.g. most blogs on the net manage just fine without needing the user to log in, so why would the ICS site need users to log in just to leave a comment. - Do you really, really need to give the user a password? Either the user uses a trivial/standard password, but this should be avoided/discouraged, otherwise the user will probably have forgotten their password when trying to log-in again and will therefor need to use a password recovery mechanism. Therefore, it makes no sense to give (or allow the user to choose) a password. Let the user enter a mail and send a login-link (that would otherwise have been in the recovery-mail). (If the user starts on a desktop, but checks mail on a mobile device, the desktop should should be offered to be logged in)	Anonymous
Quote	Aug 6th 2014 7 years ago
What I find odd about this breach is the amount of Domains.. >400k.. and close to a billion PW's? Your reference to the Target Breach as example, >40 million on one "swipe". If this is true, then I would say they breached a domain register company at some level. If that is the case, then "Houston we have a problem" As one poster stated, there is yet confirmed data of major sites.. just a vacuum. Read nothing on Krebs,(who was on-top of Target Breach) nothing of FierceItSecurity (good article on HeartBleed and Backoff) and other sites I visit. I am scratching, but no "odor" is coming up...	ICI2Eye 52 Posts
Quote	Aug 6th 2014 7 years ago
About password hashing, the most critical thing most site owners forget to do is strong salting. For each one of your users, and preferably each time to generate or update a password, you want to create a long, unique, random salt string. And then yes, do use strong hashing, preferably sha512 These guys have good write-ups and frameworks for password hashing: http://www.openwall.com/phpass/	ChrisHolland 3 Posts
Quote	Aug 6th 2014 7 years ago
Quoting Darron Wyke:I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie. These guys don't even have a name, and don't release any details about the hack -- not even website names. You can always question each individual report of a potential breach. There is little doubt that for every password loss that has been peppered through the news, there were 100 that we never learned about. Possibly the site that was compromised didn't even learn about it yet. So it's a great idea to assume at least one of your passwords was already lost. Stronger hashing could help, but it's not entirely a solution, either; store your passwords using Bcrypt and a high work factor, or PBKDF2 and lots of rounds, and then: encrypt your hashes with a key stored in a different system E.g. load the decrypt key into RAM from a file on a special NFS mount which must be disconnected during boot, before server can connect to the internet. Make your "authentication service" a separate program running on a separate server which sanity checks inputs from your frontend server sent in simple ASCII --- don't consume the user SQL database directly with SQL code directly on the frontend server.	Mysid 146 Posts
Quote	Aug 6th 2014 7 years ago
Quoting Terry:Is there a bank or credit card company that implements two-factor authentication? None of mine does. Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule? My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor. Anyone know how to get banks to take this seriously? It's irrelevant, at least in the US. Banks (and many companies) only care about compliance and peer performance. If everyone is doing the same thing and it meets "government standards", even if it's poor, you will not be found negligent. And that is all that matters. The feds do not require that banks have two-factor authentication, just "multi-factor" and the two are not the same. Requiring two passwords is not compliant but requiring one password and device fingerprinting meets the multi-factor requirement even though the device fingerprint is effectively a non-changing password.	Anonymous
Quote	Aug 6th 2014 7 years ago
In other words, to get banks to use real two-factor authentication, including at least one non-reusable password, there must be a change in bank regulations. So who can get the regulators to fix that?	Terry 2 Posts
Quote	Aug 6th 2014 7 years ago
I see Krebs is now acknowledged the breach. https://krebsonsecurity.com/ Still no data though, but given they want you to register and see where you stand. Time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers even though I have a separate PW with complex strings, and they have breached all 6, does not matter does it?	ICI2Eye 52 Posts
Quote	Aug 6th 2014 7 years ago
I think the news story is pure hysterical hype (just like the recycled USB vuln tripe of two days before), but the underlying issue is still in scope for an ISC Diary entry. My small-ish regional bank uses a form of two-factor authentication. After typing username and pw, an automated dialer calls a phone number already on record with a random-ish PIN that is required to complete the process. Yes, it's crude, and I can think of several possible ways to beat it, depending on whether and how the system exposes the PIN and/or the phone number, but at least it uses a second channel. Regarding steps that must be taken by web sites, you skipped the most rudimentary one. There are still any number of sites I log into (including some surprisingly prominent names) that allow a low maximum number (as few as 6) of password characters, allow only 2 character types, or commit both cardinal sins. There might actually be benefit to relaxing some of the traditional "best practice" rules. For example I regard the restrictions on similar passwords or time factors on reuse to be failed and futile attempts to substitute control over less important aspects of user behavior for control of more important aspects. Such attempts just annoy the user and result in greater efforts to circumvent policy.	ICI2Eye 10 Posts
Quote	Aug 6th 2014 7 years ago
Some banks offer it, some do not (yet). Excellent and updated lists of both banking and non-banking sites and their two factor authentication status: http://twofactorauth.org/ http://evanhahn.com/2fa/	flink 1 Posts
Quote	Aug 7th 2014 7 years ago
Quoting ICI2Eye:I see Krebs is now acknowledged the breach. https://krebsonsecurity.com/ Still no data though, but given they want you to register and see where you stand. Time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers even though I have a separate PW with complex strings, and they have breached all 6, does not matter does it? Registered.. no response to access of list... From another security site.. Of course, today Google said it was going to INCREASE the Crypto on sites and their spiders. Gee thanks Google.. once again from where I sit, the more pieces of the pie they get into, their care less about the ingredients for it. The use of botnets by cybercriminals to steal credentials is on the rise, Gaffan tells FierceITSecurity. A disturbing 61.5 percent of all web traffic now comes from bots, and botnet activity has soared 240 percent in the last year, according to Incapsula data. Search engine bots are being used by cybercriminals to carry out web attacks. "Criminals are disguising themselves as Googlebot, so you presume it's a legitimate search of your site to index it. But it turns out the attackers are posing as Googlebot, and they are using this as a technique to get into sites. Web masters are terrified of blocking Googlebot because their rankings will plummet," Gaffan says. Once the attackers get into sites, they launch SQL injection attacks, cross-site scripting attacks, or insert malware through backdoors. They can then carry out distributed denial of service (DDoS) attacks, send spam, steal content and engage in other nefarious activities. The report about the Russian crime syndicate "looks a lot like that, where thieves are increasingly automating their attacks using bots," Gaffan says. Incapsula recently conducted a study that found around 4 percent of bots using the Googlebot's user agent, or ID, are fake. A whopping 66 percent of fake Googlebots are used to carry out DDoS attacks. Attackers will go after "anybody and everybody ... The thing about using bots is the whole thing is automated, so they don't care who they're going after," Gaffan concludes.	ICI2Eye 52 Posts
Quote	Aug 7th 2014 7 years ago

Some of it may be hype. But no matter if 500 Million, 1.5 Billion or even 3.5 Billion passwords have been lost as yesterday's report by Hold Security states, given all the password leaks we had over the last couple years it is pretty fair to assume that at least one of your passwords has been compromised at some point. [1]

yes. we have talked about this many times, but it doesn't seem to get old sadly.

So what next? Password have certainly been shown to "not work" to authenticate users. But being cheap, they still are used by most websites (including this one, but we do offer a 2-factor option).

For web sites:

review your password policies. There is no "right" policy, but come up with something that rejects obvious weak passwords and on the other hand, allows users to choose passwords that they can remember (so they can have a unique password for your site).
Make sure your site works with commonly used password managers. The only real way for the user to have a unique password for each site is a password manager.
lock accounts that haven't been used in a long time, and delete their password from your database forcing a password reset if they try to reactivate it
consider two factor authentication, at least as an option and maybe mandatory for high value accounts (e.g. administrators). Google authenticator is probably the easiest one to implement and it is free. We talked about other alternatives in the past as well.

For users:

Have a unique password for each site. As an alternative, you may have a single "throw away" password for sites that you don't consider important. But be aware that at one point, a site that is not important now, may become important as you are doing more business with them.
Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
For important sites that don't allow for two factor authentication, consider a "two-part password": One part will be kept in your password safe, while the second part you type in. The password safe part is unique to the site while the additional second part can be the same for different sites or at least easy to remember. This will give you some protection against a compromised password safe.
Change passwords once in a while (I personally like every 6 months... ) in particular the "static" part of these high-value passwords.
Ask sites that you consider important to implement 2-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day.

[1] http://www.holdsecurity.com/news/cybervor-breach/

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022

Johannes

4473 Posts
ISC Handler

Aug 6th 2014

If the issue is SQL injection grabbing of usernames and passwords (or password hashes).

Website owners need to use better password hashing. Too many sites use one round of MD5 (no really they do).

Users need unique passwords per website so if one website stores plain text or uses weak hashing then other sites aren't compromised.

Users need a password complex enough that an aggressive dictionary attack won't try it (estimates vary from 11 to 12 random characters, but 16 should be fine). This means that even if they can steal the password hash, they can't reasonably get the password to login from the hash.

With SQL injection they may be able to reset passwords they can't guess, but then all bets are off, and nothing the user can do will necessarily help (they might even be able to disable 2FA on the account record at that point if 2FA is not mandatory).

Probably everyone needs to do more security testing, but most sites taking money should have routine testing that might detect some SQL injection issues due to PCI compliance requirements.

Anonymous

I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie.

These guys don't even have a name, and don't release any details about the hack -- not even website names.

This sounds like a group that's trying to establish cred or is just outright trolling.

Darron Wyke

19 Posts

Is there a bank or credit card company that implements two-factor authentication? None of mine does.

Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule?

My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor.

Anyone know how to get banks to take this seriously?

Terry

2 Posts

For web sites the questions to ask should be:

- Do you really, really need the users to log in? E.g. most blogs on the net manage just fine without needing the user to log in, so why would the ICS site need users to log in just to leave a comment.

- Do you really, really need to give the user a password? Either the user uses a trivial/standard password, but this should be avoided/discouraged, otherwise the user will probably have forgotten their password when trying to log-in again and will therefor need to use a password recovery mechanism. Therefore, it makes no sense to give (or allow the user to choose) a password. Let the user enter a mail and send a login-link (that would otherwise have been in the recovery-mail). (If the user starts on a desktop, but checks mail on a mobile device, the desktop should should be offered to be logged in)

Anonymous

What I find odd about this breach is the amount of Domains.. >400k.. and close to a billion PW's? Your reference to the Target Breach as example, >40 million on one "swipe". If this is true, then I would say they breached a domain register company at some level. If that is the case, then "Houston we have a problem"

As one poster stated, there is yet confirmed data of major sites.. just a vacuum. Read nothing on Krebs,(who was on-top of Target Breach) nothing of FierceItSecurity (good article on HeartBleed and Backoff) and other sites I visit.

I am scratching, but no "odor" is coming up...

ICI2Eye

52 Posts

About password hashing, the most critical thing most site owners forget to do is strong salting. For each one of your users, and preferably each time to generate or update a password, you want to create a long, unique, random salt string. And then yes, do use strong hashing, preferably sha512

These guys have good write-ups and frameworks for password hashing:

http://www.openwall.com/phpass/

ChrisHolland

3 Posts

Quoting Darron Wyke:I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie.
These guys don't even have a name, and don't release any details about the hack -- not even website names.

You can always question each individual report of a potential breach.

There is little doubt that for every password loss that has been peppered through the news, there were 100 that we never learned about.
Possibly the site that was compromised didn't even learn about it yet.

So it's a great idea to assume at least one of your passwords was already lost.

Stronger hashing could help, but it's not entirely a solution, either; store your passwords using Bcrypt and a high work factor, or PBKDF2 and lots of rounds, and then:
encrypt your hashes with a key stored in a different system

E.g. load the decrypt key into RAM from a file on a special NFS mount which must be disconnected during boot, before server can connect to the internet.

Make your "authentication service" a separate program running on a separate server which sanity checks inputs from your frontend server sent in simple ASCII ---
don't consume the user SQL database directly with SQL code directly on the frontend server.

Mysid

146 Posts

Quoting Terry:Is there a bank or credit card company that implements two-factor authentication? None of mine does.

Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule?

My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor.

Anyone know how to get banks to take this seriously?

It's irrelevant, at least in the US. Banks (and many companies) only care about compliance and peer performance. If everyone is doing the same thing and it meets "government standards", even if it's poor, you will not be found negligent. And that is all that matters.

The feds do not require that banks have two-factor authentication, just "multi-factor" and the two are not the same. Requiring two passwords is not compliant but requiring one password and device fingerprinting meets the multi-factor requirement even though the device fingerprint is effectively a non-changing password.

Anonymous

In other words, to get banks to use real two-factor authentication, including at least one non-reusable password, there must be a change in bank regulations. So who can get the regulators to fix that?

Terry

2 Posts

I see Krebs is now acknowledged the breach.

https://krebsonsecurity.com/

Still no data though, but given they want you to register and see where you stand. Time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers even though I have a separate PW with complex strings, and they have breached all 6, does not matter does it?

ICI2Eye

52 Posts

I think the news story is pure hysterical hype (just like the recycled USB vuln tripe of two days before), but the underlying issue is still in scope for an ISC Diary entry. My small-ish regional bank uses a form of two-factor authentication. After typing username and pw, an automated dialer calls a phone number already on record with a random-ish PIN that is required to complete the process. Yes, it's crude, and I can think of several possible ways to beat it, depending on whether and how the system exposes the PIN and/or the phone number, but at least it uses a second channel. Regarding steps that must be taken by web sites, you skipped the most rudimentary one. There are still any number of sites I log into (including some surprisingly prominent names) that allow a low maximum number (as few as 6) of password characters, allow only 2 character types, or commit both cardinal sins. There might actually be benefit to relaxing some of the traditional "best practice" rules. For example I regard the restrictions on similar passwords or time factors on reuse to be failed and futile attempts to substitute control over less important aspects of user behavior for control of more important aspects. Such attempts just annoy the user and result in greater efforts to circumvent policy.

ICI2Eye
10 Posts

Some banks offer it, some do not (yet).

Excellent and updated lists of both banking and non-banking sites and their two factor authentication status:

http://twofactorauth.org/

http://evanhahn.com/2fa/

flink

1 Posts

Quoting ICI2Eye:I see Krebs is now acknowledged the breach.

https://krebsonsecurity.com/

Still no data though, but given they want you to register and see where you stand. Time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers even though I have a separate PW with complex strings, and they have breached all 6, does not matter does it?

Registered.. no response to access of list...

From another security site.. Of course, today Google said it was going to INCREASE the Crypto on sites and their spiders. Gee thanks Google.. once again from where I sit, the more pieces of the pie they get into, their care less about the ingredients for it.

The use of botnets by cybercriminals to steal credentials is on the rise, Gaffan tells FierceITSecurity. A disturbing 61.5 percent of all web traffic now comes from bots, and botnet activity has soared 240 percent in the last year, according to Incapsula data.

Search engine bots are being used by cybercriminals to carry out web attacks. "Criminals are disguising themselves as Googlebot, so you presume it's a legitimate search of your site to index it. But it turns out the attackers are posing as Googlebot, and they are using this as a technique to get into sites. Web masters are terrified of blocking Googlebot because their rankings will plummet," Gaffan says.

Once the attackers get into sites, they launch SQL injection attacks, cross-site scripting attacks, or insert malware through backdoors. They can then carry out distributed denial of service (DDoS) attacks, send spam, steal content and engage in other nefarious activities.

The report about the Russian crime syndicate "looks a lot like that, where thieves are increasingly automating their attacks using bots," Gaffan says.

Incapsula recently conducted a study that found around 4 percent of bots using the Googlebot's user agent, or ID, are fake. A whopping 66 percent of fake Googlebots are used to carry out DDoS attacks.

Attackers will go after "anybody and everybody ... The thing about using bots is the whole thing is automated, so they don't care who they're going after," Gaffan concludes.

ICI2Eye

52 Posts