My awareness of password weakness started in 1992, when a college mate published in the university weekly bulletin a list of the students – and probably staff as well, I can’t remember – whose system account password was a noun. This prehistoric hack said it all:
1/ The list was very long.
2/ He only had to get access to the database of hashed passwords, not to individual login sessions.
3/ That was easy for someone with a user account on the system (or maybe he just hacked one).
4/ Although a password can’t be directly reversed from its hash, finding a guess that produces the same hash – and therefore, most probably, the right password – was extremely quick for simple passwords.
5/ Hackers, even when they’re not criminals, want an audience and a reward.
25 years have passed since that eye-opening moment. Hundreds of billions have probably been spent on cybersecurity in the meantime, most of it in the last 5 to 10 years (ballpark figures). Exoplanets have been discovered, the Higgs boson was observed, the genomes of many species have been sequenced, Fermat’s Last Theorem and the fundamental lemma of the Langlands program have been proved, Mars exploration has started, etc. 25 years of scientific and technical progress unlike any we have experienced before. But with passwords, it seems we are still stuck in exactly the same original story.
So, here’s the latest one (as far as I know): Yahoo, five hundred million accounts stolen. Much, if not all, has been written and said about it, but since this is my industry now, I feel compelled to share some thoughts.
Yahoo user passwords
A broker known for previous sales of this kind has claimed he has data from 500 million Yahoo user accounts for sale. Experts still debate whether that data is real, and whether it comes from a new breach or is an aggregate of previous breaches that occurred at Yahoo and elsewhere (LinkedIn in particular).
Why did they do that?
Cyber-criminality is a well-organized industry, with many distinct and specialized roles. Some hackers analyze popular server distributions looking for unpublished vulnerabilities (zero-days) and the exploits for them, in order to sell them on marketplaces. Other hackers, in turn, use these vulnerabilities to launch cyber-attacks on organizations in order to extract information – such as passwords, credit card numbers, valid email addresses, social security numbers, patient data… – and sell it on. At the end of the chain, other individuals use the information for their own purposes, such as spam campaigns, fraudulent use of credit cards, user impersonation, industrial espionage, etc. There are also fences for stolen data, and brokers.
This is not just an industry, it is a market. There are producers of data, but also buyers of data. They buy it because they are able to use it, and not for our good. So, now, Yahoo account data is for sale. The problem – or opportunity – isn’t the data stored in the accounts. It’s everything that can be done with valid accounts: get password reset links, and therefore access to every other account that uses a Yahoo address as its recovery email; impersonate users; try the same passwords on other accounts. Such amounts of data – hundreds of millions of data points, a dream for any marketer – can also be used to extract statistical information about how users create their passwords, and therefore to get access to still more online accounts. So, yes, 500 million Yahoo accounts hacked is a problem, probably more for everyone else than for Yahoo itself.
How did they do that?
We still don’t know precisely how the cyber-attack(s) on Yahoo were performed. Complex attacks nowadays combine some form of social engineering or spamming to lure internal users to a page or content containing malware. That malware might exploit a vulnerability to give the attacker admin access rights. There are as many attacks as there are targets. Vulnerabilities are used as a toolkit, and each situation requires the proper set of tools. Ultimately, data is extracted.
Password protection at websites has improved over the years, probably due to some famous breaches (I almost wrote “thanks to”). Passwords stored in clear were not uncommon as late as 5 years ago (I’m being optimistic), as some breaches at large Internet companies revealed. The best practice is now to hash passwords with a “salt” – a random value generated for each account and mixed into the hash. Without the salt, the hash can neither be checked to authenticate the user nor be ‘reversed’. So when a hacker steals a file of hashed passwords, he now needs to steal the salts as well – best practices evolve on the hackers’ side too. Even knowing the salt, reversing the hashed passwords is much more work than without a salting mechanism: precomputed tables are useless and every account has to be attacked separately. That’s the point of salting. In theory at least. In fact, although protection mechanisms have progressed, password complexity has not, while the computing power and storage available to launch attacks have increased tremendously. Therefore reversing salted hashed passwords is still fairly easy for most of the passwords we use.
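As an added illustration of the storage schemes described in this paragraph (example code written for this post, not Yahoo’s or inWebo’s), the Python below contrasts a plain unsalted hash with a per-account salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library). The iteration count, the four-word “common passwords” list and the two account names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption: an iteration count of the order recommended for PBKDF2-HMAC-SHA256 today.
DEFAULT_ITERATIONS = 600_000


def hash_unsalted(password: str) -> str:
    """Legacy scheme: one plain SHA-256 per password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Current practice: a random per-account salt and a deliberately slow KDF.

    The record stores the salt in clear: it is not a secret, it only has to be
    unique, so that equal passwords give different hashes and every account
    must be attacked on its own.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed: a four-entry stand-in for a precomputed table of common passwords.
COMMON_WORDS = ["password", "sunshine", "dragon", "letmein"]
PRECOMPUTED_UNSALTED = {hash_unsalted(w): w for w in COMMON_WORDS}


def lookup_precomputed(hex_digest: str) -> Optional[str]:
    """Instant recovery for an unsalted hash; finds nothing once a salt is mixed in."""
    return PRECOMPUTED_UNSALTED.get(hex_digest)


def guesses_needed(record: str, wordlist: List[str]) -> Optional[int]:
    """Password-audit helper: number of KDF evaluations a wordlist check needs to
    recover a salted record, or None if the password is not in the list. Each
    guess costs a full PBKDF2 run and cannot be reused for another account."""
    for n, word in enumerate(wordlist, start=1):
        if verify_salted(word, record):
            return n
    return None


if __name__ == "__main__":
    # Two constructed accounts that chose the same weak password.
    alice_unsalted = hash_unsalted("sunshine")
    bob_unsalted = hash_unsalted("sunshine")
    print("unsalted hashes identical:", alice_unsalted == bob_unsalted)       # True
    print("table lookup recovers:", lookup_precomputed(alice_unsalted))        # sunshine

    alice_salted = hash_salted("sunshine")
    bob_salted = hash_salted("sunshine")
    print("salted records identical:", alice_salted == bob_salted)             # False
    print("table lookup on salted:", lookup_precomputed(alice_salted.split("$")[-1]))  # None
    print("verify right password:", verify_salted("sunshine", alice_salted))   # True
    print("verify wrong password:", verify_salted("Sunshine", alice_salted))   # False
    # The weak password is still found, but only by paying the KDF cost per guess.
    print("guesses for weak password:", guesses_needed(alice_salted, COMMON_WORDS))  # 2
```

Run it directly; the last line is the paragraph’s conclusion in miniature: the salt and the slow KDF make precomputed tables and cross-account reuse worthless, yet a password that sits in a short wordlist still falls after a handful of guesses, so the user’s choice of password remains the weakest link.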
What can we learn – and do?
The lessons of the Yahoo breach, but also of the many others, are 1/ that most users still have few, simple passwords, even for their email accounts, and 2/ that cyber-security measures can’t prevent targeted attacks. This is an asymmetric problem, where the defense needs to invest much more than the attacker. That is not to say that organizations shouldn’t protect their assets. But we should assume that, whatever the protection, if the reward for hacking an organization is big enough, it will be hacked. We should therefore not rely on cyber-security alone to protect password databases.
Where do we go from there?
As a user, no question, we should use automated tools to help us create and manage complex, unique passwords. Humans can’t do that; password managers just do it. There are many tools available, some good, some free; this post isn’t a review (inWebo offers a free secure password manager – still in beta). If passwords were unique and complex, password breaches would have a minimal impact. We’re obviously not there yet, and can’t rely on getting there any time soon.
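To put a figure on “complex unique passwords”, here is an added example (not inWebo’s password manager, nor any code from the original post) that generates a password from a cryptographic random source and compares its guessing entropy with that of a typical human pattern. The 94-symbol alphabet, the 20-character length, the 50,000-word dictionary with a two-digit suffix, and the two guess rates are constructed assumptions.

```python
import math
import secrets
import string
from typing import List

# Assumption: illustrative defaults, not a standard; 94 printable ASCII symbols, 20 characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
DEFAULT_LENGTH = 20
SECONDS_PER_YEAR = 365 * 24 * 3600


def generate_password(length: int = DEFAULT_LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from a CSPRNG (the secrets module),
    never from random, whose output is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(choices_per_slot: List[int]) -> float:
    """Entropy of a human pattern, e.g. [50_000, 100] for 'dictionary word + 2 digits':
    the attacker only has to enumerate the product of the slot choices."""
    return sum(math.log2(c) for c in choices_per_slot)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given guess rate (expected time is half)."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    random_bits = random_entropy_bits(len(pw), len(ALPHABET))
    human_bits = pattern_entropy_bits([50_000, 100])   # constructed: word + 2 digits
    print(f"random 20-char password: {random_bits:.1f} bits")   # 131.1
    print(f"'word + 2 digits' pattern: {human_bits:.1f} bits")  # 22.3
    # Constructed guess rates: 1e9/s for a fast unsalted hash, 1e5/s for a slow salted KDF.
    for label, rate in (("unsalted, 1e9 guesses/s", 1e9), ("slow KDF, 1e5 guesses/s", 1e5)):
        print(f"  {label}: pattern {years_to_exhaust(human_bits, rate):.2e} years, "
              f"random {years_to_exhaust(random_bits, rate):.2e} years")
```

The numbers make the argument of the paragraph concrete: a “word plus two digits” password is exhausted in a fraction of a second whatever the hashing scheme, whereas a 20-character random one is out of reach even at a trillion guesses per second, which is why generation has to be left to a tool rather than to habit.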
As an organization, as we’ve seen, just adding cyber-security measures – such as threat detection – to prevent anyone from accessing passwords isn’t enough. Especially if you are a very large organization, where the attack ROI (return on investment) is so high. Since you can’t make attacks impossible, you should make them useless. How?
MFA (multi-factor authentication) is an option, provided that user credentials on the server side are well protected (the attack on RSA in 2011 showed us that this was not the case by default). Anyway, the time when MFA was either expensive, ineffective, or complex to use is over. Check inWebo solutions, among others. However, since MFA is visible to users, there should be a user-specific rationale for implementing it – your risk as an organization is not one. As an example, payment card issuers need proof of the user’s consent for a transaction. Passwords don’t bring that proof; MFA does. Regulation therefore increasingly mandates MFA for payments (see PSD2 in Europe). The case for MFA in healthcare and many other areas is similar.
There are, however, many situations where such a user-specific rationale is hard to find and regulation doesn’t impose MFA (yet). What should we do there, beyond endlessly increasing the cyber-security budget and buying data breach compliance services? Since current solutions – adding more of the same thing – don’t work, and haven’t for 25 years, we should invent new ones. This is an under-served market and an active innovation topic tackled by inWebo: providing organizations with ways to protect their password databases when they can’t opt for MFA.