[Owasp-leaders] Password Reuse Attacks

Ken Belva owasp at silverbackventuresllc.com
Fri Jun 24 10:11:53 UTC 2016

1% sounds about right. I tested the Rockyou password file against a standard US corporate policy to see how many matched. Here are some stats:

Rockyou is 139.9MG in size (uncompressed)
It has 14.34 million password
Goal was to select passwords between 6 & 15 in length
Password must match most Corporate password policies
    - Contain an Upper Case, Number and Special Character

68,953 records of 14,344,392 matched
That's less than 0.5 percent matched criteria

You can use the project I donated to OWASP for these types of password reuse tests & research as well as easily creating password manipulation rules for custom dictionaries:

--------- Original Message --------- Subject: Re: [Owasp-leaders] Password Reuse Attacks
From: "Sen UENO" <sen.ueno at owasp.org>
Date: 6/23/16 9:57 pm
To: owasp-leaders at lists.owasp.org

the password reuse attacks attract attention in Japan.
 in Japan called "password list attacks".
 The success rate of the attack is about 1% in the same way.
 OWASP Japan Chapter Leader
 On 2016/06/24 1:41, Michael Coates wrote:
 > Leaders,
 > I just sent a related note to the top 10 list, but thought it was warranted for discussion here too.
 > I feel like we have a major gap in our discussion of application risks. Specifically we think about implementation bugs and often forget design flaws.
 > The main example here is password reuse attacks. From my vantage point in my day job (and just watching the news of my peers) this is a major concern.
 > Here are 3 recent stories on this issue
 > http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html
 > http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
 > https://blog.twitter.com/2011/keeping-your-account-safe
 > What do others think? Is this getting the focus, discussion and attention it deserves? Are you talking about it at your companies or with your clients?
 > Quick note on the technical side of the password reuse attack
 > * With password reuse attacks a breach anywhere on the web can mean a breach of millions of users who reuse passwords
 > * These attacks are always done with automation 100million breached in site A with a reusue rate on site B of 1% means 1million breached on site B
 > * There aren't "easy" answers here - The attacks always come from a variety of IP addresses. Rate limiting isn't effective because it's 1 attempt per account from a new ip
 > * You have to rely on additional authentication information or anti-automation (tradeoffs to both)
 > * Making this a "user problem" and walking away is not realistic
 > --
 > Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
 > _______________________________________________
 > OWASP-Leaders mailing list
 > OWASP-Leaders at lists.owasp.org
 > https://lists.owasp.org/mailman/listinfo/owasp-leaders
 OWASP-Leaders mailing list
 OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160624/36f7e233/attachment-0001.html>

More information about the OWASP-Leaders mailing list