Leaked passwords – where does it end?

17.07.2012 by Dave Kearns

One of these days I’ll be able to stop railing against password problems. Today, however, is not that day. It was just last month that I wrote (“Lessons Learned from the LinkedIn fiasco”) about the problems that LinkedIn had with their recent password breach:

  1. No salt for hashed passwords is bad practice;
  2. No immediate response to the breach is bad PR;
  3. No plan to deal with information leaks through hacking, insider theft, inadvertent exposure and the like violates your users’ trust.

I ended by saying “One of the more painless ways of learning is through others’ mistakes (rather than our own), so take heed and learn from LinkedIn – as they evidently did not learn from others’ previous breaches.”

Well, evidently one of their Silicon Valley neighbors learned the wrong lesson.

Sunnyvale, California’s Yahoo (or “Yahoo!” as they style themselves) appears to have decided to go for a minimalist security scheme for their password files. According to a story in the Washington Post, the usernames and passwords of over 400,000 accounts were taken by a hacking group last week. Incredibly, the file was stored in clear text!

John Koetsier, writing for VentureBeat, surmises that the file taken was probably a backup, or archive, of usernames and passwords from Yahoo Voices, the new name for the 2010 acquisition Associated Content, and probably represents accounts from before the Yahoo acquisition. His argument is convincing. He even tried to log in with the credentials a few times, but all were rejected. He deduces that this is because Yahoo had changed the login procedure (as they’ve done with all other acquisitions) to accept only the service-wide Yahoo credentials (you may remember that this caused some consternation when Yahoo acquired Flickr and forced Flickr users without Yahoo credentials to create a Yahoo account).

In an official statement, Yahoo! said: “less than 5% of the Yahoo! accounts had valid passwords,” and they are “changing the passwords of the affected Yahoo! users.” Well, that’s the least they can do. What they don’t address is why this no longer useful, unencrypted file was still around!

Here’s the real problem for you and others who might have information contained in this breached file: while the username/password combinations were no longer usable to log in to a Yahoo! Voices account, it’s quite possible, even probable, that some of them are the same username/password combinations in use at other sites. Yahoo, of course, is offering no help for that. In fact, it would be simplicity itself for Yahoo to email all of the affected users (the login names were almost all, evidently, email addresses) telling them that: a) their information had been released into the wild, and b) this was the password associated with their username. At least in that way you and I would know (hopefully) which other accounts – the ones using that combination of username and password – were at the greatest risk of being accessed by the hackers. Expecting users to remember which username/password combination they’d used to access Associated Content – and that perhaps only once, many years ago – is quite the opposite of good customer service!

This was, in many ways, much worse than the LinkedIn breach where passwords which were unassociated with any particular account were taken. Username/password combinations that were actually used by real people were harvested and could be used to attack other web sites by anyone with the ability to read and type (or even to cut and paste).

How realistic is it that username/password combinations leaked from one site could be used to access accounts at another site? Ping Identity’s John Fontana reports: “After months of Best Buy customers reporting compromised accounts, the company has finally confirmed hackers are attacking its online retail site using credentials stolen from other sites.”

If you’re a malicious hacker and you have access to what you know are valid username/password combinations that were used on one site, wouldn’t you be willing to give them a try at other, high value, sites such as Best Buy, other on-line retailers, or banks? Yes, you would. We know it because there’s convincing evidence it’s been done.

As a user there’s not much you can do. But using a different username/password combination for every site that requires them is a good start. Use strong passwords (combining uppercase/lowercase, numerals, symbols, etc.) and a secure password storage package (LastPass, MyKey, etc.) to “remember” them. Change the passwords frequently, at a minimum once a month. It’s not much, really, but it might be enough. As an old African proverb puts it, when chased by a lion you do not have to be the fastest runner, only faster than the slowest runner. If cracking your password is harder than cracking someone else’s, then yours will be that much safer.

But, really, it’s the companies which use a username/password combination that need to do more, much more.

Here are just a few things to get them started.

  • Always use hashed passwords that have been treated with a random salt value;
  • Never store usernames or passwords in an unencrypted form;
  • Require strong passwords, while not limiting them (see this Credit Union’s rules which, to my mind, make hacking easier, not harder!);
  • Don’t keep archived or backup copies of login credentials on line;
  • Review all on-line files for critical, valuable or personal information. If found, either move off line or encrypt them;
  • Require all files moved to laptops, netbooks, tablets and other “semi-connected” and portable devices to be encrypted.

There’s more, but that’s a good start. And that only covers the data protection aspect of information leakage. Secondly, how will you tell when information has been leaked? Here’s a clue: don’t rely on your customers, competitors, reporters or security agencies to tell you – which are the more common ways for leakages to be surfaced today.

Thirdly, what are you going to do when the information leaks – and it will, eventually? Do you have a plan? How will you handle the adverse publicity? What will you do to secure your customers? Indeed, how will you manage to stay in business? DigiNotar didn’t have a plan, and they are no longer in business.

As Jon Heimerl wrote for the Cloud Security Alliance: “these days we need constant vigilance to help protect ourselves and companies from peril.” It’s a good article, not directly connected to Information Security, but its conclusions are applicable to the issues we’re discussing:

  1. “Where can I find my cool information, systems and resources?
  2. What are the major threats to those things identified in #1?
  3. What can I do to minimize the impact that those threats have on me?

After that, it just takes a little vigilance.”


  • Jonathan Sander

    I'm surprised you don't mention federation here. For low value targets that can eliminate passwords altogether. As I type, I see the little WordPress logo telling me I will be commenting using those credentials & attributes, which means there is one less site – yours – that has any useful username/password combinations to be stolen and perhaps tried elsewhere. Even a high value site like Best Buy or the hapless credit union you mention could use federation combined with some OTP to have better security I bet. But there's a whole discussion about user acceptance of OTP on the internet, I know.

    There is also a matter of the user being a little complicit here. Yahoo is the one mainly at fault, no doubt. But if users weren't using the exact same username/password combinations at site after site, then there would be a lot less risk for them. Heck, even little tweaks between sites (add a couple of letters of the site's name at the end of the password, etc.) would save them from the bulk of copy/paste style attacks that these breaches yield.

© 2014 Dave Kearns, KuppingerCole