[Owasp-leaders] Password Reuse Attacks

Michael Coates michael.coates at owasp.org
Fri Sep 23 22:04:04 UTC 2016

Here's a way to put the data breaches in perspective for your company.

Imagine if 2% of those 500M Yahoo Users have an account on your site.
That's 10M of your users that are potentially impacted. Now ask yourself
how many users reuse passwords across multiple websites (it could be a
strong password or a weak one, doesn't matter, is it reused?). Let's say
10% reuse passwords. 10% of 10M is 1M users that have passwords that are
now exposed, just waiting to be abused by an attacker. How will your site
handle 1 million compromised accounts?

You can change the numbers as you see fit. But the take away is that a
breach of an unrelated website can lead to millions of your users at risk
through automated reuse password attacks.

Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
OWASP Global Board

On Thu, Sep 22, 2016 at 12:04 PM, Dave Wichers <dave.wichers at owasp.org>

> Hey: http://money.cnn.com/2016/09/22/technology/yahoo-data-
> breach/index.html - 500M Yahoo User Accounts compromised. Wonder how many
> new valid username/password pairs are floating around the interweb.  All
> the more reason why Michael's post is important/timely.
> The breach is said to have occurred in late 2014. "The account information
> may have included names, email addresses, telephone numbers, dates of
> birth, hashed passwords (the vast majority with bcrypt) and, in some cases,
> encrypted or unencrypted security questions and answers,"
> -Dave
> On Thu, Jun 23, 2016 at 12:41 PM, Michael Coates <michael.coates at owasp.org
> > wrote:
>> Leaders,
>> I just sent a related note to the top 10 list, but thought it was
>> warranted for discussion here too.
>> I feel like we have a major gap in our discussion of application risks.
>> Specifically we think about implementation bugs and often forget design
>> flaws.
>> The main example here is password reuse attacks. From my vantage point in
>> my day job (and just watching the news of my peers) this is a major concern.
>> Here are 3 recent stories on this issue
>> http://www.csoonline.com/article/3086942/security/linkedin-
>> data-breach-blamed-for-multiple-secondary-compromises.html
>> http://krebsonsecurity.com/2016/06/password-re-user-get-to-get-busy/
>> https://blog.twitter.com/2011/keeping-your-account-safe
>> What do others think? Is this getting the focus, discussion and attention
>> it deserves? Are you talking about it at your companies or with your
>> clients?
>> Quick note on the technical side of the password reuse attack
>>    - With password reuse attacks a breach anywhere on the web can mean a
>>    breach of millions of users who reuse passwords
>>    - These attacks are always done with automation 100million breached
>>    in site A with a reusue rate on site B of 1% means 1million breached on
>>    site B
>>    - There aren't "easy" answers here - The attacks always come from a
>>    variety of IP addresses. Rate limiting isn't effective because it's 1
>>    attempt per account from a new ip
>>    - You have to rely on additional authentication information or
>>    anti-automation (tradeoffs to both)
>>    - Making this a "user problem" and walking away is not realistic
>> --
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160923/69c7f028/attachment-0001.html>

More information about the OWASP-Leaders mailing list