[Owasp-leaders] Password Reuse Attacks

Dave Wichers dave.wichers at owasp.org
Thu Sep 22 19:04:33 UTC 2016

Hey: http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/index.html
- 500M Yahoo User Accounts compromised. Wonder how many new valid
username/password pairs are floating around the interweb.  All the more
reason why Michael's post is important/timely.

The breach is said to have occurred in late 2014. "The account information
may have included names, email addresses, telephone numbers, dates of
birth, hashed passwords (the vast majority with bcrypt) and, in some cases,
encrypted or unencrypted security questions and answers,"


On Thu, Jun 23, 2016 at 12:41 PM, Michael Coates <michael.coates at owasp.org>

> Leaders,
> I just sent a related note to the top 10 list, but thought it was
> warranted for discussion here too.
> I feel like we have a major gap in our discussion of application risks.
> Specifically we think about implementation bugs and often forget design
> flaws.
> The main example here is password reuse attacks. From my vantage point in
> my day job (and just watching the news of my peers) this is a major concern.
> Here are 3 recent stories on this issue
> http://www.csoonline.com/article/3086942/security/
> linkedin-data-breach-blamed-for-multiple-secondary-compromises.html
> http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
> https://blog.twitter.com/2011/keeping-your-account-safe
> What do others think? Is this getting the focus, discussion and attention
> it deserves? Are you talking about it at your companies or with your
> clients?
> Quick note on the technical side of the password reuse attack
>    - With password reuse attacks a breach anywhere on the web can mean a
>    breach of millions of users who reuse passwords
>    - These attacks are always done with automation 100million breached in
>    site A with a reusue rate on site B of 1% means 1million breached on site B
>    - There aren't "easy" answers here - The attacks always come from a
>    variety of IP addresses. Rate limiting isn't effective because it's 1
>    attempt per account from a new ip
>    - You have to rely on additional authentication information or
>    anti-automation (tradeoffs to both)
>    - Making this a "user problem" and walking away is not realistic
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160922/dfff3b48/attachment.html>

More information about the OWASP-Leaders mailing list