[Owasp-leaders] Password Reuse Attacks

Sen UENO sen.ueno at owasp.org
Fri Jun 24 01:57:00 UTC 2016


The password reuse attacks attract attention in Japan.
In Japan they are called "password list attacks".
The success rate of the attack is about 1% in the same way.

Sen UENO
OWASP Japan Chapter Leader

On 2016/06/24 1:41, Michael Coates wrote:
> Leaders,
> 
> I just sent a related note to the top 10 list, but thought it was warranted for discussion here too.
> 
> I feel like we have a major gap in our discussion of application risks. Specifically we think about implementation bugs and often forget design flaws.
> 
> The main example here is password reuse attacks. From my vantage point in my day job (and just watching the news of my peers) this is a major concern.
> 
> Here are 3 recent stories on this issue
> http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html
> http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
> https://blog.twitter.com/2011/keeping-your-account-safe
> 
> What do others think? Is this getting the focus, discussion and attention it deserves? Are you talking about it at your companies or with your clients?
> 
> 
> Quick note on the technical side of the password reuse attack
> 
>   * With password reuse attacks a breach anywhere on the web can mean a breach of millions of users who reuse passwords
>   * These attacks are always done with automation. 100 million breached in site A with a reuse rate on site B of 1% means 1 million breached on site B
>   * There aren't "easy" answers here - The attacks always come from a variety of IP addresses. Rate limiting isn't effective because it's 1 attempt per account from a new IP
>   * You have to rely on additional authentication information or anti-automation (tradeoffs to both)
>   * Making this a "user problem" and walking away is not realistic
> 
> 
> 
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 

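A defender-side illustration of the "technical side" bullets above, added here as an example and not part of either message. The log format, thresholds and sample windows are all constructed; the point is that the per-IP counter a rate limiter watches stays at 1 during a password-list run, while the fleet-wide failure rate and the spread of failures across IPs jump.

```python
import re
from collections import Counter

# Constructed log format for this example: "<ts> <ok|fail> user=<name> ip=<addr>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def window_stats(lines):
    """Aggregate one time window of login events into the features that
    separate a password-list run from a single-source brute force."""
    fails_per_ip, fails_per_user = Counter(), Counter()
    total = failures = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines instead of failing the whole window
        total += 1
        if m["result"] == "fail":
            failures += 1
            fails_per_ip[m["ip"]] += 1
            fails_per_user[m["user"]] += 1
    return {
        "total": total,
        "failures": failures,
        "distinct_fail_ips": len(fails_per_ip),
        "max_fails_per_ip": max(fails_per_ip.values(), default=0),
        "max_fails_per_user": max(fails_per_user.values(), default=0),
    }

def classify(stats, baseline_fail_rate=0.05, min_failures=20):
    """A per-IP limiter only sees max_fails_per_ip, which a password-list run keeps
    at 1; the usable signal is a failure spike spread over many IPs and accounts."""
    if stats["failures"] < min_failures:
        return "normal"
    if stats["max_fails_per_ip"] / stats["failures"] > 0.5:
        return "brute-force"  # one source dominates: per-IP rate limiting works here
    fail_rate = stats["failures"] / stats["total"]
    ip_spread = stats["distinct_fail_ips"] / stats["failures"]
    if fail_rate > 4 * baseline_fail_rate and ip_spread > 0.8 and stats["max_fails_per_user"] <= 2:
        return "credential-stuffing"
    return "normal"

def sample_windows():
    """Constructed windows: ordinary traffic, a single-IP brute force on one account,
    and a password-list run (one guess per account from its own IP, ~1% hit rate)."""
    normal = [f"t{i} ok user=u{i} ip=10.0.0.{i}" for i in range(95)]
    normal += [f"t{i} fail user=u{i} ip=10.0.0.{i}" for i in range(5)]
    brute = [f"t{i} fail user=admin ip=203.0.113.7" for i in range(40)] + normal
    stuffing = [f"t{i} fail user=acct{i} ip=192.0.2.{i}" for i in range(200)]
    stuffing += [f"t{i} ok user=acct{i} ip=192.0.2.{i}" for i in range(200, 202)] + normal
    return {"normal": normal, "brute": brute, "stuffing": stuffing}
```

The brute-force window is the one a per-IP limiter already catches; the stuffing window has the same per-IP count as normal traffic and is only visible in the aggregate.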