On Sept 5, 2018, law enforcement alerted Inova Health of a data breach. It appears that their billing systems were accessed by a bad actor using an employee’s credentials first in January 2017, and then again, between July-October 2017. The breach has impacted 12,331 patients.
An article by Databreaches.net points rightly at the source of the problem- if Inova Health systems were being accessed repeatedly once in January then again in July-October with the same credentials, then neither did the employee change their password, nor did the system require that the employee should do so.
Why should the Inova Health breach concern you?
Password re-use can cripple even the most secure systems.
– Travis Smith, Tripwire
Lori Macvitte of F5 writes of a 2012 study done by CSID. The CSID researchers found that three-fifth of the Internet users reuse passwords on multiple sites. Some of the major password habits of American consumers are listed below:
- 61% reuse passwords among multiple websites.
- 54% have only five passwords or less.
- 44% change their password only once a year or less.
How bad password habits hurt your business?
According to the National Institute of Standards and Technology (NIST), stolen or weak passwords were the real cause of more than 80% of hacking-related breaches.
Let’s consider the situations listed below:
- If your employees use their official email address as username to access the company network, then attackers only need to find their passwords; and if any of the employees has reused the password on an external site, and if that website gets hacked – the attacker would also gain the access to your network.
- If your customers or vendors are in the habit of reusing passwords and email addresses across multiple sites; and, if they have reused any of them at work- the attackers could hack your office network by hacking those websites.
- If your employees, customers or partners aren’t in the habit of creating strong passwords, the attacker can hack your network using credential stuffing.
Hey, but isn’t 2012 ancient history? Not really-
- A 2018 LastPass survey of their customers found that 50% people do not create different passwords for personal and work accounts.
- Another 2018 survey by the information destruction company Shred-It, too, found that 51% of consumers reuse their passwords and pins across multiple accounts.
Certainly, bad password habits aren’t history. People still reuse passwords; and they still create easy-to-use passwords.
How hackers steal passwords and usernames?
If your employees use their email addresses as username- it’s a hack made easy. Consider the techniques listed below. Attackers can use them, and get corporate email addresses easily.
- View the “Contact Us” page of your company website.
- View the author page.
- Use LinkedIn to build rapport, and get the email address.
- Reach out on Twitter.
- Subscribe to your prospect’s email list.
- Use CRMs or LinkedIn Sales Navigator.
Now consider the techniques that criminals could use to collect passwords:
- By collecting personal information of employees from the Internet, and guessing at words and numbers related to them.
- By searching computers and the office network for passwords.
- With dictionary attacks – by entering words in a dictionary as password.
- With social engineering attacks, like phishing and whaling.
- By shoulder surfing or going through the material on an employee’s desk, like sticky notes and whiteboards.
Else, they could just buy credentials from the dark-web, and hammer your network with password and login combinations. Consider the following new items:
- Credential stuffing list containing 111 million records found online (July 10, 2018)
- 42 Million records of credential stuffing data discovered on the free hosting service kayo.moe (14 September 2018)
Remember the 2012 LinkedIn incident? Attackers stole 6.5 million passwords from LinkedIn servers.
Do brute force attacks really work?
The two news items listed below aren’t even a month old:
- On November 2, 2018, HSBC reported that unauthorized users were accessing their US Accounts (less than 1%) using personal information (including passwords) obtained from other sources.
- On October 30th, 2018, the Telegraph reported that Eurostar had to force all customers to reset passwords after the data breach.
Both incidents are suspected to be credential stuffing attacks. A recently published report on credential stuffing underlines the problem. As per the report, Akamai customers were hammered by nearly 30 billion malicious login attempts between November 2017 and June 2018. That’s 3.5 billion attempts a month.
Out of them, 8.3 billion were recorded between May and June, only.
What is credential stuffing?
Simply stating, credential stuffing is an automated attack on your network by a botnet which hammers your network with login credentials until a set of credentials is accepted as legitimate.
Bad password habits and credential stuffing
In essence, credential stuffing is just another brute force attack. Unfortunately, if either an employee, or customer, or partner has had bad password habits – they have reused passwords, or used weak or fairly common passwords – the attacker would gain access to your network.
Consider the examples shared on the OWASP website
- The 2014 JP Morgan Chase breach: The breach compromised information for 76 million households and 7 million small businesses. The attackers used employee credentials which they obtained by targeting an athletic race/run site, which was sponsored by JPMC and was open to bank employees to participate.
- The 2012 Dropbox breach: Attackers used credentials stolen from other sites to try to login to Dropbox accounts.
- The 2012 Yahoo breach and the 2011 Sony breach are also the cases of credential stuffing, which occurred because users had used common passwords across sites.
In all the cases stated above, attackers gained access to the victim website only because people had bad password habits.
The DOs and DON’Ts of password security
Create strong passwords
- Use two things that you like and separate them with numbers and symbols.
- Base the password on a phrase.
- Use a picture or a series of pictures to frame the password.
- Create unique, randomized passwords
- Create complex passwords:
- They should include at least three of these four character types- lower case letters (a,b,c … z), uppercase letters (A,B,C … Z), digits (0,1,2 … 9) and special characters (*,&,$ …).
- They should not be dictionary words, or be dictionary words with a single-character prefix or suffix, such as Dictionary1 or 3spaGhetti.
- Passwords should not contain more than two repeated letters in a row (“biNNNkie3?”) or more than two letters in alphabetical or keyboard sequence (“qWEr%94”, “cDeF%94a”).
- Use the longest password that you can remember. Create passwords that are 10 characters or longer. They are harder to crack.
- Use this tool to test the strength of your password.
Avoid risky password practices
- NEVER re-use passwords.
- Do NOT use names or words that could be found a dictionary.
- Do NOT use words and numbers that could be associated with you.
- NEVER give-out your passwords to others – not even to family or friends.
- Do NOT store your account information in an unsecured document on your computer or the network.
- Never write your passwords on a paper or sticky notes.
- Do NOT use the ‘Remember me’ or ‘Save password’ option for sensitive sites.
- Do NOT share passwords via email.
- Never use official passwords for personal accounts.
Good password management practices
- Use a secure password management system to keep track of your login information across the web.
- Change passwords frequently.
- You can use weak but easy-to-remember passwords for websites that don’t require heavy security; however, you should use only strong passwords for sensitive information.
- Use unique passwords for every account and vary the email addresses that you use for logging in.
- Have separate passwords for financial and confidential accounts.
- Implement two-factor authentication for sensitive accounts, such as network login and financial portal.
- If you really have to write down your password – use steganography.
- If you receive a password via email – which is fairly common during authentication – change the password immediately.
As stated above, NIST has found stolen or weak passwords to be the cause of more than four-fifth, or 80% of hacking-related breaches. This makes password habits a major risk factor for your business.