[Owasp-leaders] Password Reuse Attacks

Ryan Barnett ryan.barnett at owasp.org
Thu Jun 23 16:58:17 UTC 2016


I agree with you Michael that this is an issue.  We recently did an “Account Takeover Campaign” spotlight in our SOTI report - https://blogs.akamai.com/2016/06/web-application-defenders-field-report-account-takeover-campaigns-spotlight.html - that demonstrates this exact attack scenario.  To summarize for scale, in one campaign, we identified ~1M attacking IP addresses and they were checking >427M credential combos.

Some OWASP Top 10 discussion points –

1. It is difficult for an individual web application owner to have any insights into password reuse as it pertains to an individual user.  What I mean is that if user Alice (userid = alice at someemail.com) has a password set (password = $omePa$$word123) – how is Site A supposed to know if that userid/password combo has been re-used by Alice on Site B and Site C?

2. I do agree that this is more of an Automation issue when we are talking defensively about this.  We need to be able to identify if/when/how attackers are cycling through credentials.

3. As a side note – while “User Laziness” is the primary culprit for why password re-use is an issue, we also have a technical misunderstanding component here.  There is quite often a misunderstanding by end users when applications force the user to use an email address as their userID.  I understand why web app owners like this as it prevents collisions; however, the unintended consequence is that many users believe that there is some type of SSO happening behind the scenes.  When they register their account or login, they put in their email address and they think that they have to put in the password that matches for the email domain vs. the local password on the site they are logging into.

Good discussion topic.


-Ryan

From: <owasp-leaders-bounces at lists.owasp.org> on behalf of Michael Coates <michael.coates at owasp.org>
Date: Thursday, June 23, 2016 at 12:41 PM
To: OWASP Leaders <owasp-leaders at lists.owasp.org>
Subject: [Owasp-leaders] Password Reuse Attacks

Leaders,

I just sent a related note to the top 10 list, but thought it was warranted for discussion here too.

I feel like we have a major gap in our discussion of application risks. Specifically we think about implementation bugs and often forget design flaws.

The main example here is password reuse attacks. From my vantage point in my day job (and just watching the news of my peers) this is a major concern.

Here are 3 recent stories on this issue

http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html

http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/

https://blog.twitter.com/2011/keeping-your-account-safe

What do others think? Is this getting the focus, discussion and attention it deserves? Are you talking about it at your companies or with your clients?

Quick note on the technical side of the password reuse attack

- With password reuse attacks a breach anywhere on the web can mean a breach of millions of users who reuse passwords
- These attacks are always done with automation: 100 million breached in site A with a reuse rate on site B of 1% means 1 million breached on site B
- There aren't "easy" answers here - the attacks always come from a variety of IP addresses. Rate limiting isn't effective because it's 1 attempt per account from a new IP
- You have to rely on additional authentication information or anti-automation (tradeoffs to both)
- Making this a "user problem" and walking away is not realistic

--
Michael Coates | @_mwc
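Editor's added example (not code from either message or from OWASP): Michael's quick note says per-IP rate limiting does not see a credential-stuffing run because each account gets one attempt from a fresh IP, and Ryan's point 2 asks how a defender identifies when attackers are cycling through credentials. The script below contrasts a classic per-IP failure counter with a campaign-level signal that looks at a whole minute of failed logins at once. The log format, the thresholds, and every IP and account in the sample are constructed for the example and are assumptions, not any product's logging.

```python
"""Per-IP rate limiting vs. a campaign-level credential-stuffing signal.

Editor's example, not from the thread. Log format (assumed):
    <iso-timestamp> <client-ip> <user> <FAIL|OK>
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample. Lines 1-12: a stuffing burst, one attempt per account,
# one account per IP. Lines 13-15: a real user mistyping twice from one IP.
SAMPLE_LOG = """\
2016-06-23T16:00:01Z 198.51.100.11 user01@example.com FAIL
2016-06-23T16:00:03Z 198.51.100.12 user02@example.com FAIL
2016-06-23T16:00:06Z 198.51.100.13 user03@example.com FAIL
2016-06-23T16:00:08Z 198.51.100.14 user04@example.com FAIL
2016-06-23T16:00:11Z 198.51.100.15 user05@example.com FAIL
2016-06-23T16:00:14Z 198.51.100.16 user06@example.com FAIL
2016-06-23T16:00:17Z 198.51.100.17 user07@example.com FAIL
2016-06-23T16:00:20Z 198.51.100.18 user08@example.com FAIL
2016-06-23T16:00:23Z 198.51.100.19 user09@example.com FAIL
2016-06-23T16:00:26Z 198.51.100.20 user10@example.com FAIL
2016-06-23T16:00:29Z 198.51.100.21 user11@example.com FAIL
2016-06-23T16:00:32Z 198.51.100.22 user12@example.com FAIL
2016-06-23T16:00:40Z 203.0.113.5 bob@example.com FAIL
2016-06-23T16:00:47Z 203.0.113.5 bob@example.com FAIL
2016-06-23T16:00:55Z 203.0.113.5 bob@example.com OK
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, user, result == "OK"))
    return events


def _minute(ts):
    """Bucket key: the calendar minute an event falls in (fixed windows)."""
    return ts.replace(second=0, microsecond=0)


def per_ip_rate_limit(events, max_failures=5):
    """Classic defence: block an IP with more than max_failures failed logins
    in one minute. Returns the set of IPs that would be blocked. Against a
    one-attempt-per-IP campaign every counter stays at 1 and nothing trips."""
    failures = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            failures[(_minute(ts), ip)] += 1
    return {ip for (_m, ip), n in failures.items() if n > max_failures}


def stuffing_signal(events, min_accounts=10, max_attempts_per_ip=1.5):
    """Campaign-level signal: in one minute, failed logins touch many distinct
    accounts and are spread over almost as many distinct IPs (about one
    attempt per IP). A per-IP or per-account counter cannot see this shape;
    an aggregate over the window can. Thresholds are assumptions.
    Returns {minute: {"failures", "accounts", "ips", "flagged"}}."""
    buckets = defaultdict(lambda: {"failures": 0, "accounts": set(), "ips": set()})
    for ts, ip, user, ok in events:
        if ok:
            continue
        b = buckets[_minute(ts)]
        b["failures"] += 1
        b["accounts"].add(user)
        b["ips"].add(ip)
    report = {}
    for minute, b in buckets.items():
        attempts_per_ip = b["failures"] / len(b["ips"])
        report[minute.isoformat()] = {
            "failures": b["failures"],
            "accounts": len(b["accounts"]),
            "ips": len(b["ips"]),
            "flagged": len(b["accounts"]) >= min_accounts
            and attempts_per_ip <= max_attempts_per_ip,
        }
    return report


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("per-IP blocks:", per_ip_rate_limit(ev))  # empty: nothing tripped
    for minute, metrics in stuffing_signal(ev).items():
        print(minute, metrics)  # 14 failures, 13 accounts, 13 IPs, flagged
```

On the sample the per-IP counter blocks nothing (bob's two mistakes are the only repeat), while the minute-level aggregate flags the burst because thirteen accounts failed from thirteen IPs with roughly one attempt each. A signal like this is a starting point for the anti-automation side Michael mentions, not a finished control: a large NAT or a legitimate login storm after an outage can produce similar counts, so the flag is better used to step up authentication requirements for the window than to block outright.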
