[Owasp-leaders] Password Reuse Attacks

johanna curiel curiel johanna.curiel at owasp.org
Fri Jun 24 13:32:49 UTC 2016


Michael,

I think the only thing that can avoid reuse of passwords is to create a
plugin/add-on (for example, a Mozilla add-on) that checks if users are reusing
passwords, or creating a plugin/add-on that blocks the reuse of passwords
through the browser.

As you mentioned, browsers allow you to save the password/login
credentials.
It is unfeasible to check logins between sites; however, the browser knows
everything the client does, and maybe this way, if companies or individuals
would like to avoid this problem, we should create a project called 'Add-on
Password Reuser-blocker/checker', and once a client saves passwords or logs
on to 2 sites at the same time using the same passwords, the plugin/add-on
would create an alert.

Just an idea.

On Fri, Jun 24, 2016 at 6:11 AM, Ken Belva <owasp at silverbackventuresllc.com>
wrote:

> 1% sounds about right. I tested the Rockyou password file against a
> standard US corporate policy to see how many matched. Here are some stats:
>
> --------------
> Rockyou is 139.9MG in size (uncompressed)
> It has 14.34 million passwords
> Goal was to select passwords between 6 & 15 in length
> Password must match most Corporate password policies
>     – Contain an upper-case letter, a number and a special character
>
> Result:
> 68,953 records of 14,344,392 matched
> That's less than 0.5 percent matched criteria
> --------------
>
> You can use the project I donated to OWASP for these types of password
> reuse tests & research as well as easily creating password manipulation
> rules for custom dictionaries:
>
> https://www.owasp.org/index.php/OWASP_Basic_Expression_%26_Lexicon_Variation_Algorithms_%28BELVA%29_Project
>
> Cheers,
> Ken
>
>
> --------- Original Message ---------
> Subject: Re: [Owasp-leaders] Password Reuse Attacks
> From: "Sen UENO" <sen.ueno at owasp.org>
> Date: 6/23/16 9:57 pm
> To: owasp-leaders at lists.owasp.org
>
> The password reuse attacks attract attention in Japan.
> In Japan they are called "password list attacks".
> The success rate of the attack is about 1% in the same way.
>
> Sen UENO
> OWASP Japan Chapter Leader
>
> On 2016/06/24 1:41, Michael Coates wrote:
> > Leaders,
> >
> > I just sent a related note to the top 10 list, but thought it was
> > warranted for discussion here too.
> >
> > I feel like we have a major gap in our discussion of application risks.
> > Specifically we think about implementation bugs and often forget design
> > flaws.
> >
> > The main example here is password reuse attacks. From my vantage point
> > in my day job (and just watching the news of my peers) this is a major
> > concern.
> >
> > Here are 3 recent stories on this issue
> >
> > http://www.csoonline.com/article/3086942/security/linkedin-data-breach-blamed-for-multiple-secondary-compromises.html
> > http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
> > https://blog.twitter.com/2011/keeping-your-account-safe
> >
> > What do others think? Is this getting the focus, discussion and
> > attention it deserves? Are you talking about it at your companies or with
> > your clients?
> >
> >
> > Quick note on the technical side of the password reuse attack
> >
> > * With password reuse attacks a breach anywhere on the web can mean a
> > breach of millions of users who reuse passwords
> > * These attacks are always done with automation: 100 million breached in
> > site A with a reuse rate on site B of 1% means 1 million breached on site B
> > * There aren't "easy" answers here. The attacks always come from a
> > variety of IP addresses. Rate limiting isn't effective because it's 1
> > attempt per account from a new IP
> > * You have to rely on additional authentication information or
> > anti-automation (tradeoffs to both)
> > * Making this a "user problem" and walking away is not realistic
> >
> >
> >
> > --
> > Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> > _______________________________________________
> > OWASP-Leaders mailing list
> > OWASP-Leaders at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-leaders


-- 
Johanna Curiel
OWASP Volunteer
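Ken's measurement in the quoted message (how many leaked passwords would survive a typical corporate policy) is easy to reproduce for any wordlist. The following is an added example for this thread, not code from the BELVA project or from anyone on the list; it applies the policy as Ken states it (length 6 to 15, at least one upper-case letter, one digit and one special character) to a constructed ten-entry sample list and reports the match rate.

```python
"""Filter a leaked-password wordlist against a corporate password policy.

Added example for this thread; it is not Ken Belva's BELVA project code.
Policy (from Ken's message): length 6..15, at least one upper-case letter,
one digit and one special character. The sample list below is constructed.
"""
import string
from typing import Iterable

# Characters treated as "special": ASCII punctuation (an assumption; the
# thread does not define the set).
SPECIALS = set(string.punctuation)


def matches_policy(pw: str, min_len: int = 6, max_len: int = 15) -> bool:
    """True if pw satisfies the policy described in the thread."""
    if not (min_len <= len(pw) <= max_len):
        return False
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in SPECIALS for c in pw)
    return has_upper and has_digit and has_special


def filter_wordlist(lines: Iterable[str]) -> dict:
    """Count entries, keep those matching the policy, and compute the percentage.

    Blank lines are skipped so a trailing newline in a file does not inflate
    the total. Returns {"total": int, "matched": [..], "percent": float}.
    """
    total = 0
    matched = []
    for raw in lines:
        pw = raw.rstrip("\r\n")
        if not pw:
            continue
        total += 1
        if matches_policy(pw):
            matched.append(pw)
    pct = (100.0 * len(matched) / total) if total else 0.0
    return {"total": total, "matched": matched, "percent": pct}


# Constructed sample in the style of a leaked wordlist (not real leak data).
SAMPLE_WORDLIST = [
    "123456", "password", "iloveyou", "Princess1!", "rockyou",
    "Abc123!!", "qwerty", "Summer2016#", "abc123", "P@ssw0rd",
]

if __name__ == "__main__":
    # To run against a real file: filter_wordlist(open(path, errors="replace"))
    stats = filter_wordlist(SAMPLE_WORDLIST)
    print(f"{len(stats['matched'])} of {stats['total']} matched "
          f"({stats['percent']:.1f}%)")
    for pw in stats["matched"]:
        print("  ", pw)
```

On the constructed sample 4 of 10 entries pass; on a real leak the fraction is far smaller, as Ken's figure shows, which is exactly why a complexity policy alone says little about whether a reused password will be tried against your site.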
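Michael's technical note explains why per-IP rate limiting misses a password reuse campaign: each source IP makes a single attempt against a single account. The following is an added example for this thread, not code from any OWASP project; the log format, the per-minute bucketing and the thresholds are assumptions, and the log lines are constructed. It runs a classic per-IP limiter and a per-account lockout counter over the sample, shows that neither fires, and then shows a global signal that does: within one window, many distinct accounts failing from almost as many distinct IPs.

```python
"""Why per-IP rate limiting and per-account lockout miss a password reuse
campaign, and one global signal that does not.

Added example for this thread, not code from any OWASP project. The log
format "<ISO time> <client ip> <account> <result>", the one-minute buckets
and the thresholds are assumptions; the log lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed background traffic: a normal login and one user mistyping once.
NORMAL = [
    "2016-06-24T09:58:10 198.51.100.5 alice OK",
    "2016-06-24T09:58:40 198.51.100.7 bob FAIL",
    "2016-06-24T09:58:55 198.51.100.7 bob OK",
    "2016-06-24T10:00:30 198.51.100.9 carol OK",
]
# Constructed campaign: 12 accounts, one failed attempt each, every attempt
# from a different IP, all inside the same minute.
CAMPAIGN = [
    f"2016-06-24T10:00:{i:02d} 203.0.113.{i} user{i:02d} FAIL"
    for i in range(1, 13)
]
LOG_LINES = NORMAL + CAMPAIGN


def parse(line):
    """Split one log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def per_ip_rate_limit_hits(lines, max_failures=5):
    """Classic defence: IPs with more than max_failures failed logins."""
    fails = Counter()
    for _, ip, _, result in map(parse, lines):
        if result == "FAIL":
            fails[ip] += 1
    return sorted(ip for ip, n in fails.items() if n > max_failures)


def per_account_lockout_hits(lines, max_failures=3):
    """Classic defence: accounts with more than max_failures failed logins."""
    fails = Counter()
    for _, _, user, result in map(parse, lines):
        if result == "FAIL":
            fails[user] += 1
    return sorted(user for user, n in fails.items() if n > max_failures)


def campaign_window_alerts(lines, min_accounts=10, min_ip_ratio=0.9):
    """Global signal: per one-minute bucket, the number of distinct accounts
    with a failed login and the number of distinct IPs behind those failures.
    Alert when many accounts fail and the IP count is close to the account
    count (one attempt per account from a fresh IP, as described in the thread).
    Returns a list of (bucket_start, distinct_accounts, distinct_ips)."""
    accounts = defaultdict(set)
    ips = defaultdict(set)
    for ts, ip, user, result in map(parse, lines):
        if result != "FAIL":
            continue
        bucket = ts.replace(second=0, microsecond=0)
        accounts[bucket].add(user)
        ips[bucket].add(ip)
    alerts = []
    for bucket in sorted(accounts):
        n_acc, n_ip = len(accounts[bucket]), len(ips[bucket])
        if n_acc >= min_accounts and n_ip / n_acc >= min_ip_ratio:
            alerts.append((bucket, n_acc, n_ip))
    return alerts


if __name__ == "__main__":
    print("per-IP limiter fired on:", per_ip_rate_limit_hits(LOG_LINES))
    print("per-account lockout fired on:", per_account_lockout_hits(LOG_LINES))
    for bucket, n_acc, n_ip in campaign_window_alerts(LOG_LINES):
        print(f"campaign alert {bucket:%H:%M}: {n_acc} accounts, {n_ip} IPs")
```

The global counter is only a signal, not a fix: it tells you a campaign is under way so you can step up to the additional authentication information or anti-automation Michael mentions, with the trade-offs he notes.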