[Owasp-leaders] Password Reuse Attacks

Michael Coates michael.coates at owasp.org
Thu Jun 23 16:41:25 UTC 2016


I just sent a related note to the top 10 list, but thought it was warranted
for discussion here too.

I feel like we have a major gap in our discussion of application risks.
Specifically we think about implementation bugs and often forget design

The main example here is password reuse attacks. From my vantage point in
my day job (and just watching the news of my peers) this is a major concern.

Here are 3 recent stories on this issue

What do others think? Is this getting the focus, discussion and attention
it deserves? Are you talking about it at your companies or with your

Quick note on the technical side of the password reuse attack

   - With password reuse attacks a breach anywhere on the web can mean a
   breach of millions of users who reuse passwords
   - These attacks are always done with automation. 100 million breached in
   site A with a reuse rate on site B of 1% means 1 million breached on site B
   - There aren't "easy" answers here - The attacks always come from a
   variety of IP addresses. Rate limiting isn't effective because it's 1
   attempt per account from a new IP
   - You have to rely on additional authentication information or
   anti-automation (tradeoffs to both)
   - Making this a "user problem" and walking away is not realistic

Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
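The bullet list above says why per-IP rate limiting misses a password reuse attack: one attempt per account, each from a new IP. As an added example (not code from the original post or from OWASP), here is a constructed login log with that shape, a classic per-IP limiter that never fires on it, and a fleet-wide detector keyed on distinct accounts and distinct IPs that does. The thresholds, window sizes, IP ranges and account names are assumptions chosen for the illustration.

```python
"""Constructed example: credential-stuffing traffic that a per-IP rate limiter
never sees, but a fleet-wide failed-login view does."""
from datetime import datetime, timedelta

BASE = datetime(2016, 6, 23, 16, 0, 0)  # constructed timestamp


def make_sample_log():
    """Constructed auth events as (time, src_ip, account, success)."""
    events = []
    # Background noise: three users mistype once from their own IP, then log in.
    for i in range(3):
        ip, user = f"198.51.100.{i}", f"user{i}"
        events.append((BASE + timedelta(seconds=20 * i), ip, user, False))
        events.append((BASE + timedelta(seconds=20 * i + 5), ip, user, True))
    # Stuffing wave: 200 accounts, exactly one attempt each, every attempt from
    # a different IP, spread over one minute. About 1% of the tried pairs are
    # reused credentials and succeed (here n == 0 and n == 100).
    for n in range(200):
        events.append((BASE + timedelta(seconds=0.3 * n), f"203.0.113.{n}",
                       f"victim{n}", n % 100 == 0))
    return events


def per_ip_rate_limit(events, max_failures=5, window=timedelta(minutes=5)):
    """Classic limiter: IPs with more than max_failures failures in a window."""
    recent, flagged = {}, set()
    for t, ip, _, ok in sorted(events):
        if ok:
            continue
        recent[ip] = [x for x in recent.get(ip, []) if t - x <= window] + [t]
        if len(recent[ip]) > max_failures:
            flagged.add(ip)
    return flagged  # empty for the sample: every IP fails at most once


def distributed_failure_alert(events, window=timedelta(minutes=1),
                              min_failures=50, min_distinct_ratio=0.9):
    """Fleet-wide signal: many failures in one window, almost all from distinct
    IPs against distinct accounts. Returns (window_start, failures,
    distinct_ips, distinct_accounts) for the first window that trips, or None."""
    fails = sorted((t, ip, acct) for t, ip, acct, ok in events if not ok)
    for i, (t0, _, _) in enumerate(fails):
        bucket = [f for f in fails[i:] if f[0] - t0 <= window]
        ips, accts = {f[1] for f in bucket}, {f[2] for f in bucket}
        if (len(bucket) >= min_failures
                and len(ips) >= min_distinct_ratio * len(bucket)
                and len(accts) >= min_distinct_ratio * len(bucket)):
            return t0, len(bucket), len(ips), len(accts)
    return None
```

On the constructed log the per-IP limiter returns an empty set while the fleet-wide check trips in the first minute with 201 failures from 201 IPs against 201 accounts; the two successes are the 1% reuse the post describes, which is why the alert needs to be paired with additional authentication signals rather than a block.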
