All Passwords have been lost: What's next?

Published: 2014-08-06. Last Updated: 2014-08-06 11:40:45 UTC
by Johannes Ullrich (Version: 1)
Some of it may be hype. But whether 500 million, 1.5 billion or even 3.5 billion passwords have been lost, as yesterday's report by Hold Security states, the password leaks of the last couple of years make it fair to assume that at least one of your passwords has been compromised at some point. [1]

Yes, we have talked about this many times, but sadly the topic doesn't seem to get old.

So what next? Passwords have certainly been shown to "not work" for authenticating users. But being cheap, they are still used by most websites (including this one, although we do offer a two-factor option).

For web sites:

  • Review your password policies. There is no "right" policy, but come up with something that rejects obviously weak passwords (for example, anything on a leaked-password list) and on the other hand allows users to choose passwords they can remember, so they can have a unique password for your site.
  • Make sure your site works with commonly used password managers. The only realistic way for a user to have a unique password for each site is a password manager, so don't break paste into password fields or impose odd length limits.
  • Lock accounts that haven't been used in a long time, and delete their password hash from your database, forcing a password reset if the user tries to reactivate the account.
  • Consider two-factor authentication, at least as an option and maybe mandatory for high-value accounts (e.g. administrators). Google Authenticator (TOTP, RFC 6238) is probably the easiest one to implement, and it is free. We talked about other alternatives in the past as well.
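Since the list above recommends Google Authenticator as the easiest second factor to implement, here is what that actually involves on the server side. This is an added example, not code from the diary or from Google: a standard-library TOTP (RFC 6238) generator and verifier built on HOTP (RFC 4226), with the clock-skew window and replay check that a real implementation needs. The 30-second step and six digits are the Google Authenticator defaults; the key in the demo is the RFC test-vector key, not a real secret.

```python
# Added example (not part of the original diary): a minimal TOTP (RFC 6238)
# verifier of the kind Google Authenticator speaks, using only the standard
# library. HOTP (RFC 4226) is the building block; TOTP feeds it the time step.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # Google Authenticator default
DIGITS = 6          # Google Authenticator default


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> N digits."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, *, window: int = 1,
                last_counter: Optional[int] = None,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Accept a code from the current step or `window` steps either side (clock
    skew), but never a step at or before the last one already accepted, so a
    sniffed code cannot be replayed inside its validity window.
    Returns the accepted counter (store it as the new last_counter) or None."""
    if len(code) != digits or not code.isdigit():
        return None
    counter = at // step
    accepted = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        # compare_digest: constant-time comparison, no early exit on mismatch
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            accepted = candidate
    return accepted


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI that is encoded into the QR code the app scans.
    Secret is Base32 without padding, which is what authenticator apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test-vector key, not a real secret.
    key = b"12345678901234567890"
    print(provisioning_uri("ISC", "reader@example.com", key))
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "accepted at counter", verify_totp(key, code, now))
```

The per-user secret must be generated with a CSPRNG (os.urandom(20) is fine) and stored with the same care as a password hash; the returned counter is what you persist per user so the same code cannot be accepted twice, and the window of one step either side is the usual trade-off between tolerating phone clock drift and shrinking the replay window.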

For users:

  • Have a unique password for each site. As an alternative, you may use a single "throw-away" password for sites you don't consider important. But be aware that a site that is not important now may become important at some point as you do more business with it.
  • Use a password safe, if possible one that allows syncing locally without having to send your password collection to a cloud service.
  • For important sites that don't offer two-factor authentication, consider a "two-part password": one part is kept in your password safe, while the second part you type in. The password-safe part is unique to the site, while the additional second part can be the same for different sites, or at least easy to remember. This gives you some protection against a compromised password safe.
  • Change passwords once in a while (I personally like every 6 months...), in particular the "static" part of these high-value passwords.
  • Ask sites that you consider important to implement two-factor authentication.

That's at least what I can come up with while sipping on my first cup of coffee for the day. 


Johannes B. Ullrich, Ph.D.

If the issue is SQL injection grabbing of usernames and passwords (or password hashes).

Website owners need to use better password hashing. Too many sites use one round of MD5 (no, really, they do).

Users need unique passwords per website so if one website stores plain text or uses weak hashing then other sites aren't compromised.

Users need a password complex enough that an aggressive dictionary attack won't try it (estimates vary from 11 to 12 random characters, but 16 should be fine). This means that even if they can steal the password hash, they can't reasonably get the password to login from the hash.

With SQL injection they may be able to reset passwords they can't guess, but then all bets are off, and nothing the user can do will necessarily help (they might even be able to disable 2FA on the account record at that point if 2FA is not mandatory).

Probably everyone needs to do more security testing, but most sites taking money should have routine testing that might detect some SQL injection issues due to PCI compliance requirements.

I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie.

These guys don't even have a name, and don't release any details about the hack -- not even website names.

This sounds like a group that's trying to establish cred or is just outright trolling.

Is there a bank or credit card company that implements two-factor authentication? None of mine does.

Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule?

My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor.

Anyone know how to get banks to take this seriously?

For web sites the questions to ask should be:

- Do you really, really need the users to log in? E.g. most blogs on the net manage just fine without needing the user to log in, so why would the ICS site need users to log in just to leave a comment.

- Do you really, really need to give the user a password? Either the user uses a trivial/standard password, but this should be avoided/discouraged, otherwise the user will probably have forgotten their password when trying to log in again and will therefore need to use a password recovery mechanism. Therefore, it makes no sense to give (or allow the user to choose) a password. Let the user enter a mail address and send a login link (that would otherwise have been in the recovery mail). (If the user starts on a desktop but checks mail on a mobile device, the desktop should be offered to be logged in.)

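The login-link scheme the comment above proposes is easy to get wrong (reusable links, tokens stored in the clear, links that never expire), so here is one way to implement it. This is an added example, not the commenter's code: a standard-library store that keeps only a SHA-256 fingerprint of each token, makes tokens single-use and time-limited, and binds each token to the browser session that requested it, which is the assumption this example makes about how the site tracks sessions and is what lets a link opened on the phone log in the desktop session, as the comment suggests.

```python
# Added example (not part of the original comment): password-less login links
# of the kind the comment proposes. The server stores only a hash of the token,
# the token expires, is single-use, and is bound to the browser session that
# requested it, so a link opened on the phone can log in the desktop session.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; keep short, the mailbox is the weak link


@dataclass
class PendingLogin:
    email: str
    session_id: str       # the (not yet authenticated) session that asked for the link
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """In-memory store for illustration; a real site would keep this in its DB."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, now: Callable[[], float] = time.time):
        self._pending: Dict[bytes, PendingLogin] = {}   # keyed by SHA-256 of the token
        self.ttl = ttl
        self.now = now

    @staticmethod
    def _fingerprint(token: str) -> bytes:
        # Only the hash is stored: a SQL-injection dump of this table yields nothing usable.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str, session_id: str) -> str:
        """Create a token for `email`; the caller mails it as ?token=... and must
        not show it anywhere else. 32 random bytes -> 43 URL-safe characters."""
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = PendingLogin(
            email=email, session_id=session_id, expires_at=self.now() + self.ttl)
        return token

    def redeem(self, token: str) -> Optional[Tuple[str, str]]:
        """Consume a token. Returns (email, session_id) on success so the caller
        can mark that session authenticated, or None for unknown, expired or
        already-used tokens (deliberately indistinguishable to the client)."""
        rec = self._pending.get(self._fingerprint(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return None
        rec.used = True           # single use: replaying the link later fails
        return rec.email, rec.session_id

    def purge_expired(self) -> int:
        """Housekeeping; returns how many stale records were dropped."""
        stale = [k for k, r in self._pending.items() if r.used or self.now() > r.expires_at]
        for k in stale:
            del self._pending[k]
        return len(stale)


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("reader@example.com", "desktop-session-1")   # constructed values
    print("mail this:", f"https://example.com/login?token={tok}")
    print("first redeem :", store.redeem(tok))
    print("second redeem:", store.redeem(tok))
```

Two details matter in practice: the token is looked up by its hash, so the database never holds anything a thief could paste into a URL, and the response for unknown, expired and reused tokens is identical, so the endpoint does not confirm which addresses have pending logins. Rate-limit the issue step per address, or it becomes a mail-bombing service.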
What I find odd about this breach is the number of domains.. >400k.. and close to a billion PWs? Your reference to the Target breach as an example, >40 million in one "swipe". If this is true, then I would say they breached a domain registrar at some level. If that is the case, then "Houston, we have a problem".

As one poster stated, there is as yet no confirmed data on major sites.. just a vacuum. Read nothing on Krebs (who was on top of the Target breach), nothing on FierceITSecurity (good article on Heartbleed and Backoff) and other sites I visit.

I am scratching, but no "odor" is coming up...

About password hashing, the most critical thing most site owners forget to do is strong salting. For each one of your users, and preferably each time you generate or update a password, you want to create a long, unique, random salt string. And then yes, do use strong hashing, preferably sha512.

These guys have good write-ups and frameworks for password hashing:

[quote=comment#31701]I call bull. An unknown group, who around 2011, were a bunch of spammers? As I say: once a s'kiddie, always a s'kiddie.
These guys don't even have a name, and don't release any details about the hack -- not even website names.[/quote]

You can always question each individual report of a potential breach.

There is little doubt that for every password loss that has been peppered through the news, there were 100 that we never learned about.
Possibly the site that was compromised didn't even learn about it yet.

So it's a great idea to assume at least one of your passwords was already lost.

Stronger hashing could help, but it's not entirely a solution, either; store your passwords using Bcrypt and a high work factor, or PBKDF2 and lots of rounds, and then:
encrypt your hashes with a key stored in a different system

E.g. load the decryption key into RAM from a file on a special NFS mount which must be disconnected during boot, before the server can connect to the internet.

Make your "authentication service" a separate program running on a separate server which sanity-checks inputs from your frontend server sent in simple ASCII; don't consume the user SQL database with SQL code directly on the frontend server.

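Several comments above make the same point from different angles: the one-round unsalted MD5 complaint, the "long, unique, random salt per user" advice, and the bcrypt/PBKDF2 plus "encrypt your hashes with a key stored in a different system" suggestion. The block below is an added example, not any commenter's code, putting the weak scheme next to a hardened one so the difference is visible on real input. The "key stored elsewhere" step is implemented here as a keyed HMAC (a pepper) over the PBKDF2 output rather than the reversible encryption the comment describes; that is a deliberate substitution so the example needs only the standard library, and the security property of interest, that a dumped table is useless without the out-of-database key, is the same. The wordlist and passwords are constructed for the demo.

```python
# Added example (not the commenters' own code): the single unsalted MD5 round
# several comments complain about, beside a per-user-salted PBKDF2 hash that
# is additionally keyed with a "pepper" held outside the database. The pepper
# step stands in for the comment's "encrypt your hashes with a key stored in a
# different system": a keyed HMAC rather than reversible encryption, chosen so
# the example needs only the standard library.
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "monkey"]

PBKDF2_ROUNDS = 100_000     # tune so one verify costs ~100 ms on your hardware


def weak_store(password: str) -> str:
    """One round of unsalted MD5: identical passwords give identical hashes,
    and a precomputed table or a short dictionary run recovers them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_crack(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack against the weak scheme: one MD5 per guess."""
    for guess in wordlist:
        if hashlib.md5(guess.encode("utf-8")).hexdigest() == digest:
            return guess
    return None


def strong_store(password: str, pepper: bytes) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256 + HMAC with an out-of-DB pepper.
    Stored as algorithm$rounds$salt$tag so the round count can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    tag = hmac.new(pepper, dk, hashlib.sha256).digest()
    return f"pbkdf2-sha256${PBKDF2_ROUNDS}${salt.hex()}${tag.hex()}"


def strong_verify(password: str, stored: str, pepper: bytes) -> bool:
    algo, rounds, salt_hex, tag_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    expected = hmac.new(pepper, dk, hashlib.sha256).digest()
    # Constant-time compare. A dumped row cannot be verified offline without the pepper.
    return hmac.compare_digest(expected, bytes.fromhex(tag_hex))


if __name__ == "__main__":
    pepper = os.urandom(32)       # in production: loaded from a file or KMS outside the DB
    h = weak_store("letmein")
    print("md5 of 'letmein' =", h, "-> cracked as", weak_crack(h, WORDLIST))
    s1, s2 = strong_store("letmein", pepper), strong_store("letmein", pepper)
    print("same password, two stored values differ:", s1 != s2)
    print("verify ok:", strong_verify("letmein", s1, pepper),
          "wrong pepper:", strong_verify("letmein", s1, b"other"))
```

The salt defeats precomputation and hides which users share a password; the iteration count makes each guess cost about as much as a login; the pepper means a SQL-injection dump alone is not crackable at all, which is the property the "separate system" comment is after. If you later swap PBKDF2 for bcrypt, scrypt or Argon2, keep the same stored-format discipline so old rows can be upgraded on next login.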
[quote=comment#31703]Is there a bank or credit card company that implements two-factor authentication? None of mine does.

Perhaps there is a regulation or something that makes it easier for banks to stay with whatever they have than implement a two-factor option? The "it ain't broke" rule?

My preference is to tell banks, credit card companies, and other finance organizations that they may NOT use the word "secure" or its synonyms on their web site anywhere at any time unless they offer a standards-based two factor authentication method. They can continue doing business without using the word secure if they want, or they can implement two-factor.

Anyone know how to get banks to take this seriously?[/quote]

It's irrelevant, at least in the US. Banks (and many companies) only care about compliance and peer performance. If everyone is doing the same thing and it meets "government standards", even if it's poor, you will not be found negligent. And that is all that matters.

The feds do not require that banks have two-factor authentication, just "multi-factor" and the two are not the same. Requiring two passwords is not compliant but requiring one password and device fingerprinting meets the multi-factor requirement even though the device fingerprint is effectively a non-changing password.
In other words, to get banks to use real two-factor authentication, including at least one non-reusable password, there must be a change in bank regulations. So who can get the regulators to fix that?

I see Krebs has now acknowledged the breach.

Still no data though, but given they want you to register and see where you stand. Time to spin up the proxy and encrypted email to see if we are on the list. If so, with these numbers even though I have a separate PW with complex strings, and they have breached all 6, does not matter does it?

