Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Facebook Security

Password Re-user? Get Ready to Get Busy (krebsonsecurity.com) 119

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.
This discussion has been archived. No new comments can be posted.

Password Re-user? Get Ready to Get Busy

Comments Filter:
  • by Anonymous Coward

    Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless you have the resources to brute-force them.

    Granted, Sony were caught using plaintext passwords in one of their three SQL injection attacks. But these others?

    • by Anonymous Coward

      Surely everyone is hashing the passwords, using different salt etc?

      HA HA HA HA

      • Re: (Score:2, Funny)

        by Anonymous Coward

        I think you meant "dadada"

    • by OzPeter ( 195038 ) on Tuesday June 07, 2016 @11:09AM (#52267827)

      Surely everyone is hashing the passwords, using different salt etc?

      Bwhahahahahahaha You're assuming that these companies have good security practices. How do you think they got hacked in the first place?

    • Surely everyone is hashing the passwords, using different salt etc?

      Table salt? Kosher salt? Sea salt? Bathroom salt? What kind of salt?

    • by Bengie ( 1121981 )
      Seems Netflix is not one of them

      Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin,

      • by Anonymous Coward

        You got it backwards. Linkedin's passwords could be decrypted, Netflix would just have to compare them to what they have on file since they can hash it with their own salt.

      • by AK Marc ( 707885 )
        So if my username is "user" and my password is "password", Netflix has no way of knowing whether my username/password combination is correct.

        No, that seems silly, Netflix can verify a username/password combination as "valid" or "invalid" while their passwords are salted and hashed.
    • by Anonymous Coward on Tuesday June 07, 2016 @11:25AM (#52267973)

      Surely everyone is hashing the passwords, using different salt etc? Obtaining a dump of encrypted data is pretty useless you have the resources to brute-force them.

      The password lists aren't encrypted. They are in the form of: login_id:password (ie: bob@example.com:example)

      What Netflix, et. el. are doing is taking the list, noticing that they have a user with the same login_id (bob@example.com), and taking the password (example) and hashing it in the same way that their authenticator does. If the hashes match, then they send the user an email saying "Reset your password"

    • by Anubis IV ( 1279820 ) on Tuesday June 07, 2016 @11:51AM (#52268203)

      At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix et al. to run the lists through their hashing algorithm and see if it gets any hits against their users.

      LinkedIn was employing a fast hashing algorithm with no salt back in 2012 [arstechnica.com] when their database was stolen. Which is about one step better than plaintext, given that an attacker can hit it at full speed and can crack them en masse because of the lack of salt.

      MySpace apparently began employing doubled-salted hashes in 2013 [myspace.com], but the login credentials that leaked were ones that hadn't been used past that time, so MySpace hadn't been able to update them to be more secure since it sounds like they were employing simple hashing prior to that.

      As for Tumblr, they said they employed hash+salt on the database that was leaked [inc.com], so it should indeed take awhile before anything besides commonly-used passwords start showing up from it.

      • At least in the case of the MySpace and LinkedIn leaks, the passwords themselves were posted online, so it'd be fairly trivial for Netflix

        When I started getting email from Linkedin from friends who were on it, I thought okay. But when I went ot sign up they said they needed my email login and password,

        Apparently a lot of people are stupid, and at least with Linkedin, you already gave them the keys to the kingdom.

  • This might push most people to centralized password management. Yes, i know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.
    • And is keepass safe now with the latest news?

      Depends whether you put the whitespace before or after the "p".

    • This might push most people to centralized password management. Yes, i know about Keepass, but tell that to my mother. :) (And is keepass safe now with the latest news?) I do not think this will be a good thing, because now all of your security will be in one very attractive place.

      Keep Ass? Sounds great!

  • Both awesome and sad (Score:4, Interesting)

    by ausekilis ( 1513635 ) on Tuesday June 07, 2016 @11:16AM (#52267893)
    Sad that theres so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.
    • by Ravaldy ( 2621787 ) on Tuesday June 07, 2016 @11:34AM (#52268065)

      Sad that theres so much password reuse

      It isn't sad, it's unfortunate that we have to avoid reusing of passwords.

      I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords. I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

      If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now;.

      • Sad that theres so much password reuse

        It isn't sad, it's unfortunate that we have to avoid reusing of passwords.

        I just finished moving all my accounts from one email to another. That was 53 different accounts I had to manage. Can you imagine keeping track of 53 different passwords. I have 4-5 passwords I use. One for my banking, one that I don't care if they take my account, one for entities I trust, one for entities I trust less.

        If we could trust all entities to secure their shit then we could all use one password but we all know it's impossible to secure everything so this strategy will have to hold for now;.

        I keep track of over 200 passwords, using a password manager. Why aren't you?

        • by pla ( 258480 ) on Tuesday June 07, 2016 @12:28PM (#52268479) Journal
          I keep track of over 200 passwords, using a password manager. Why aren't you?

          You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security [engadget.com]?

          Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach [krebsonsecurity.com]?

          Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once.
          • by bmo ( 77928 )

            >Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?

            They lost control of the password reminders and email addresses. My email addresses are out there and have been since forever, and the next oldest (the oldest was on conan.ids.net) is still active, BTW, on TMOK, which forwards to gmail, which forwards to protonmail.

            My password reminder is simply "printer"

            Guessing which brand and model number is impossible.

            I'm going to continue using Lastpass.

            --
            BMO

            • by pla ( 258480 )
              I would give you a bit more credit in that regard than the average user.

              For Joe User, a password "hint" often means either the password itself, or something so trivial as to make it as good as cracked (like "wife's birthday") with publicly available information.
            • Comment removed based on user account deletion
          • You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?

            Apparently... This issue has been addressed [keepass.info] now by the developer, a testing version of the fix is available and is undergoing testing, and the security recommendations made will be included in the next version of software. There is already a digital signature included in any update that should raise a flag if anyone were to download a bad file from an insecure source.

            I'm not sure what the whole story is (and don't really care enough to read through the endless internet commentary to find out), but it sou

            • by pla ( 258480 )
              but his original recommended fix of actually verifying the legitimacy of any updates to security software is actually a BETTER policy than just depending on the fix to KeePass itself.

              As a geek, I would agree with you. As a human - The solution people actually use will always beat the "best" one they don't.

              Not only don't most people check signatures, but when an automated system explicitly warns that the signature doesn't match, most people just swear at the vendor for their buggy crap and click "do it
        • I keep track of over 200 passwords, using a password manager. Why aren't you?

          Technology people who think security challenges should be unreasonably transferred over to end users live in a bubble. It's our responsibility to provide reasonable solutions to large problems such as security. Expecting end users to manage password lists is unreasonable. Teaching them how to use a mobile device to receive authorization codes is probably the most reasonable compromise I think of. Facebook, Google, Microsoft have all applied this option to account authentication and I find it reasonably simp

          • You are talking about what might be, rather than what is. Most web sites don't support federated logins or biometrics or anything other than a password that they may or may not handle well.

            I dislike passwords as much as anyone else and I'm aware of better solutions that lead to vendors making god security choices by default. But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen.

            In the meantime, a password manager is an effect

            • You are talking about what might be, rather than what is.

              The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now we just need to force it down end user's throat. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.

              But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen

              You nailed it.

              In the meantime, a password manager is an effective tool.

              And as long as that's the means, only a small percentage of

              • You are talking about what might be, rather than what is.

                The point is that it doesn't have to be this way. Accounting departments have been using key generators since the 90s for dealing with banking. This tech is available now we just need to force it down end user's throat. The first step is to introduce it as OPTIONAL and move towards MANDATORY as the users opting in increases. This will reduce the learning curve since the initial users will help those newly introduced to the new method.

                But they are not being deployed and will not because there are strong forces of industry, government and laziness preventing that happen

                You nailed it.

                In the meantime, a password manager is an effective tool.

                And as long as that's the means, only a small percentage of users will comply with "the correct way to secure yourself".

                This is the way the world is. It's not good. The results are apparent.

                Maybe we can go to the IETF and get the browser vendors to uniformly adopt an auth scheme with cipher elimination, ZK, blinding and support for cards and biometrics to replace passwords? Oh wait, that's already been tried time and again and nothing has happened. It's been long enough that it looks more deliberate than mere organizational inefficiency.

      • If we could trust all entities to secure their shit then we could all use one password

        I like the idea of being able to use one password even though it's a terrible idea.

        • I like the idea of being able to use one password even though it's a terrible idea.

          Human nature fails to allow computer security to work even if every single device and service is 100% safe. I would never recommend one password for all but I think most people can easily manage 3 - 5 passwords. Biometric offers the best "password" available with the most ease of use. Injuries = failure to login but that's why the good biometric solution I've seen offer two biometric signatures.

          Password input will be a story of the past within 15 years. Unfortunately we are still dealing with a large number

          • by catprog ( 849688 )

            And what happens when the biometric 'password' is leaked. You cannot change it.

            • I know I didn't mention it in this post but I did mention in other posts that authentication codes are critical to any password protection. The usage of said code can be partially automated. I see the mobile device being the point of authentication. It's the most logical place for it at the moment.

    • Tell me where I can go to upgrade my brain so I can remember passwords for 10s or even 100s of sites (especialy "good" passwords such as 13fFxs_-90)xZZq) instead of having to reuse a small pool of passwords or worse, keeping them on post it notes or a plain .txt file. And no, I dont use platform specific or cloud based password 'wallets'. The only other solution is to keep all passwords in a text file zipped into an encrypted zip file (encrypted by Pkzip ir info zip) that most systems, even phones can open
    • by AmiMoJo ( 196126 )

      It's a shame most of them don't support Two Factor Authentication, or if they do it's via their own app only which I don't want to install on my phone. Support RFC 6238.

    • by GTRacer ( 234395 )
      I have no idea if I'm smart or dumb or both, but I have technically unique passwords for over 100 sites and work logins. I have a "core" password which I change rarely, plus 3-5 chars pertinent to that website. Have done this for years on the assumption that eventually a big enough site (like say, Slashdot in 2002) would get hit and the attackers would try my /. password everywhere.
    • I re-use passwords all the time. The problem is that people don't know an important password from an unimportant one.

      Tumblr? MySpace? Forums? I use irrelevant, weak passwords. There's nothing there that I really care about. Even LinkedIn falls under that rubric--I'm not sure I'd care if someone else were getting that spam instead of me.

      Some sites I prize a little more highly. They get a better password, maybe shared, maybe not.

      Then there are sites that hold information that I'd rather keep to myself--credit

    • Sad that theres so much password reuse that this sort of thing is needed... Awesome of these companies to take initiative and let people know their accounts aren't safe.

      In this day and age, there's no excuse for password reuse because why not use a password manager. That said, password reuse *shouldn't* be a problem. Client-side salt + hash, encrypted session so the hashed password doesn't go down the wire in plain text, second hash server-side for storage + verification. The server you're connecting to shouldn't be able to TELL what your password is, the salt makes it so that an unscrupulous employee can't use a rainbow table to figure it out (or even determine if the

  • by Guybrush_T ( 980074 ) on Tuesday June 07, 2016 @11:16AM (#52267897)
    It is about time security is done from the attacker perspective. Yes, it is a good idea to think that "if an attacker can do it, we can do it too and disable accounts we can compromize". Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Tuesday June 07, 2016 @11:43AM (#52268141)

      Not exactly "security done the right way".

      This is mitigation.

      Netflix gets the username/password list AFTER the bad guys have put it up for sale. What other bad guys have also purchased it? What other sites have you used that password on?

      Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

      Not really. The users will just keep modifying their passwords until they pass your checks. Then they'll have a "good" password that they'll re-use on multiple sites.

      It all comes down to how the password will be cracked by the bad guys. That's why re-use is the main concern. Because that means that the bad guys only need to try ONE password for your account on other sites.

      And they've scripted those attacks. They can hit thousands of sites in seconds once they have your re-used password.

      That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

      • How do I use one of those fobs with my Android phone?
        • by aix tom ( 902140 )

          You would use the fob the same way you use it with a computer. You enter your password, and you enter the number displayed on the fob to log in to the system the fob is configured for.

          There is even an app that turns your android phone into an RSA key fob:

          https://play.google.com/store/... [google.com]

      • That's why more secure systems use things like the RSA key fobs. So that your password CANNOT be re-used.

        Two factor authentication does not prevent password reuse. It may prevent an attacker from using compromised credentials, but "password reuse" refers to a person who chooses to use the same password across multiple accounts.

    • by Anonymous Coward

      Try talking to average users. You will soon stop caring about helping them.

    • by internerdj ( 1319281 ) on Tuesday June 07, 2016 @11:54AM (#52268231)
      This is a little disturbing. I got a password reset from Netflix. I thought it was something general. I also thought my netflix password was unique among my accounts. Now I've got no clue what actually was breached.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Easy enough to find out. Check your email at haveibeenpwned.com
        It will tell you what breaches have contained your email

    • Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.

      Krebs suggests that Facebook et al are checking for password reuse, but this isn't necessarily the case. They can simply force a reset on the account with the same email (or other ID, I suppose) without bothering to check their own hash for reuse of the compromised password.

      This has several added benefits: It gives them an excuse to force their users to update their passwords and it provides an additional channel of communication to affected users that they might want to check all their accounts.

  • Comment removed based on user account deletion
  • sites didn't make the "mistake" of woeful security, either.
  • by DidgetMaster ( 2739009 ) on Tuesday June 07, 2016 @11:26AM (#52267987) Homepage
    Everyone seems so worried about passwords getting hacked on sites that couldn't care less about. Anything that has information that I want to protect (e.g. bank accounts) has a strong password that I never repeat. But I also have a ton of accounts on news sites and other places that make you get an account just to see anything. I can set all those account passwords to "12345" and couldn't care less if they get hacked. There is nothing in there of any value for someone to steal. I usually use a fake name and address when I set up the account in the first place.
    • by idji ( 984038 )
      Except if a hacker slanders or vilifies someone or uploads child porn in your name and you then have to defend yourself. The burden of proof is then upon you.
      • by Anonymous Coward

        how is the burden of proof on you anymore than if someone created a fake account in your name?

  • ...Obvious question is, are they going to also forbid any other passwords that have ever been leaked elsewhere? And what happens when every major site has been compromised and all its accounts shared online? Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.

    • by tomhath ( 637240 )

      It really only applies to major sites that you want to protect. You really should be using unique and hard passwords on sites like Facebook and Netflix or anyplace that might have your credit card number (and change them on a regular interval). Password safes are your friend

      Other sites where all you provide is a user handle so you can comment on someone's blog, who cares?

    • Will every password from our past life suddenly be verboten, everywhere? That seems... pretty unworkable.

      Why will it be unworkable? For 32 character passwords, and 100 possible characters (upper, lower, numbers, punctuation) the number of possible passwords is a billion times the number of atoms in the sun. Even if you stick to passwords that are mnemonic, the number of possibilities is still astronomical.

  • ...At some point, having a password exposed one place will make it ineligible to be a password--anywhere, for anyone. I'm sure that won't be too massive of a pain in the ass. Not at all.

  • Hold on a second:

    Wouldn't that mean that facebook and netflix are keeping their users passwords in plain text instead of salted hashes?

    How could they find out who used the same credentials at linkedin?

    Or is everyone using the same salt???

    • For LinkedIn, the problem with the credentials that were leaked by hackers is that they were not stored securely with proper salt. Within a few days of starting on it, security researchers cracked 78% of the passwords resulting in almost 50 million unique passwords. Attackers undoubtedly did the same over the years since the breach. This gave attackers millions of actual passwords to use in future attacks. As for how Netflix and Facebook can tell you are using the same password, they could get the list of c

  • How the hell does Netflix know you re-used your password on other sites? The salted hashes should be different for each site, even if the same password is used.

  • by Anonymous Coward

    Today I had to sign up for an online pay account at my State's version of the IRS.

    I tried to use a normal complex password like I normally do, which is anywhere between 20 and 30 random characters, numbers, and symbols. The website threw an error and said the password had to be between 6 and 10 characters long, and contain only upper and lower case letters and numbers.

    What the fuck kind of shit is that? I canceled the sign up and wrote them a paper letter stating that I would use their online e-pay system w

    • Yeah, until recently, one of my credit card accounts didn't allow special characters. You'd think a bank would do better than that.

  • Not every site that I use is important enough to need a secure password.

You know you've landed gear-up when it takes full power to taxi.

Working...