[Owasp-egypt] Fwd: [Owasp-leaders] Password Reuse Attacks

Mohamed Alfateh mohamed.alfateh at owasp.org
Thu Jun 23 16:55:58 UTC 2016


---------- Forwarded message ----------
From: Michael Coates <michael.coates at owasp.org>
Date: Thu, Jun 23, 2016 at 6:41 PM
Subject: [Owasp-leaders] Password Reuse Attacks
To: OWASP Leaders <owasp-leaders at lists.owasp.org>


Leaders,

I just sent a related note to the top 10 list, but thought it was warranted
for discussion here too.

I feel like we have a major gap in our discussion of application risks.
Specifically we think about implementation bugs and often forget design
flaws.

The main example here is password reuse attacks. From my vantage point in
my day job (and just watching the news of my peers) this is a major concern.

Here are 3 recent stories on this issue
http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html
http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
https://blog.twitter.com/2011/keeping-your-account-safe

What do others think? Is this getting the focus, discussion and attention
it deserves? Are you talking about it at your companies or with your
clients?


Quick note on the technical side of the password reuse attack

   - With password reuse attacks, a breach anywhere on the web can mean a
   breach of millions of users who reuse passwords
   - These attacks are always done with automation: 100 million breached in
   site A with a reuse rate on site B of 1% means 1 million breached on site B
   - There aren't "easy" answers here - The attacks always come from a
   variety of IP addresses. Rate limiting isn't effective because it's 1
   attempt per account from a new IP
   - You have to rely on additional authentication information or
   anti-automation (tradeoffs to both)
   - Making this a "user problem" and walking away is not realistic



--
Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
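The technical note above makes two defensive points: each stuffing attempt arrives from a fresh IP, so per-IP rate limiting never fires, and the run is only visible in aggregate. The following Python is an added example (not from Michael Coates or OWASP) that shows what an aggregate detector looks like: it scores a login-log window on failure rate and on how thinly attempts are spread across IPs and accounts, and contrasts that with the per-IP counter a rate limiter would see. All event data, IP ranges, and thresholds are constructed for illustration.

```python
"""Added example: spotting a distributed password-reuse (credential-stuffing)
wave in login logs where per-IP rate limiting does not fire because every
source IP makes exactly one attempt. Not from the original thread; all data,
names and thresholds below are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    account: str
    src_ip: str
    success: bool


def window_metrics(events, start, length):
    """Aggregate all login attempts with start <= ts < start + length."""
    in_win = [e for e in events if start <= e.ts < start + length]
    attempts = len(in_win)
    if attempts == 0:
        return {"attempts": 0, "failure_rate": 0.0, "max_per_ip": 0,
                "ip_spread": 0.0, "account_spread": 0.0}
    per_ip = Counter(e.src_ip for e in in_win)
    failures = sum(1 for e in in_win if not e.success)
    return {
        "attempts": attempts,
        "failure_rate": failures / attempts,
        # the only number a per-IP rate limiter ever looks at
        "max_per_ip": max(per_ip.values()),
        # approaches 1.0 when nearly every attempt comes from a new IP
        "ip_spread": len(per_ip) / attempts,
        # approaches 1.0 when nearly every account is tried exactly once
        "account_spread": len({e.account for e in in_win}) / attempts,
    }


def ip_rate_limit_triggers(metrics, limit=5):
    """Classic per-IP control: fires only if some single IP exceeds `limit`."""
    return metrics["max_per_ip"] > limit


def is_credential_stuffing(metrics, baseline_failure_rate, min_attempts=20):
    """Flag a window whose shape matches a stuffing run: enough volume,
    a failure rate far above normal, and attempts spread almost one-per-IP
    and one-per-account (the pattern the email describes)."""
    return (metrics["attempts"] >= min_attempts
            and metrics["failure_rate"] >= max(0.5, 3 * baseline_failure_rate)
            and metrics["ip_spread"] >= 0.9
            and metrics["account_spread"] >= 0.9)


def constructed_events():
    """Constructed log: a normal period, then a stuffing wave with a 1% hit rate."""
    evs = []
    # Normal period: 20 users log in from their own IPs; 5 of them mistype once.
    for i in range(20):
        ip = f"203.0.113.{i}"            # documentation range, constructed
        evs.append(LoginEvent(1000 + 10 * i, f"user{i}", ip, True))
        if i < 5:
            evs.append(LoginEvent(1003 + 10 * i, f"user{i}", ip, False))
    # Attack period: 200 leaked credentials, each tried once from its own IP.
    # Reuse rate of 1% means 2 of the 200 accounts fall.
    for j in range(200):
        evs.append(LoginEvent(5000 + j, f"victim{j}", f"198.51.100.{j}",
                              j % 100 == 0))
    return evs


if __name__ == "__main__":
    evs = constructed_events()
    normal = window_metrics(evs, 1000, 200)
    attack = window_metrics(evs, 5000, 200)
    print("normal:", normal)
    print("attack:", attack)
    print("per-IP limiter fires on attack?", ip_rate_limit_triggers(attack))
    print("aggregate detector fires on attack?",
          is_credential_stuffing(attack, normal["failure_rate"]))
```

Run as a script it prints both windows' metrics; the attack window shows `max_per_ip` of 1 (so the IP limiter stays silent) while the failure rate and both spread ratios sit near 1.0. The thresholds are deliberately crude; in practice the baseline would be learned per site and per time of day, and a flagged window would feed step-up authentication or anti-automation rather than a hard block, which is the trade-off the email points to.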