top of page

InfoSec Basics – Credential Stuffing


Now that we know a bit about hashing (https://www.til-technology.com/post/infosec-basics-hashing) and passwords (https://www.til-technology.com/post/infosec-basics-passwords-are-easy-right), and even a bit about why our password complexity rules are so goofy (https://www.til-technology.com/post/infosec-bullshido-password-complexity-rules), the next question to consider is: “Why do I care?”

Aside from a few friends and family, no one’s interested in me”

While it is true that most attackers are not interested in you as an individual, they ARE interested in your account. Online accounts are a commodity, and represent revenue for an attacker.

Nowadays, attackers are often part of a criminal supply-chain, and often run like a business. One group might focus on compromising social media accounts, then selling access to those accounts to another group, which might use them to spread disinformation. Interestingly, many companies have been focusing on shutting down “inauthentic accounts” as a way to deal with misinformation / disinformation without having to address concerns about freedom of speech. This makes a lot of sense, since fake accounts are often easier to identify, and non-existent people have no rights. Maybe a topic for future investigation...

Social media accounts also provide the means to attack others. Your social media account has some value in itself, but can also be used to compromise other accounts in your network, providing more value. It’s one thing to receive a link to a cat-video from a stranger, but you’re more likely to click on it if you receive it from a close friend. (Another point for future discussion is the concept of “trust”. I can trust a person, but how can I be confident that that person is actually the one at the other end of an online communication?)

I don’t care if my account gets hacked. What’s the harm?”

Years ago, the impact of having an account compromised may have been relatively small, as most of our lives were conducted offline. Now, though, losing control over our online identities can have enormous impact on our lives.

Consider the fact that email accounts are often used to register for online services. What happens if that account is compromised? Does the attacker now have access to my social media accounts? My bank account? Cloud services? Home security? And what about my online collection of cat-videos?!

Passwords are used by most of these services, so they are an important line of defense for our online identities. We know a bit about passwords and how they work, and know that a lot depends on how the company manages those passwords. But what can we do to protect ourselves better?

Password Management Example:

Let’s say that Alice has an email account, a social media account, a cat-video site, and an online bank account. Alice understands that strong passwords are a good thing, but passwords are hard to remember and, after reading xkcd (https://xkcd.com/936/), decides that “correcthorsebatterystaple” is a good password to use. (Hopefully unnecessary disclaimer: I am NOT suggesting that as a good password.)

Having decided on a password, Alice then uses it for all accounts. Let’s assume that Alice’s email provider, social media provider, and bank all have excellent security, with strong hashing, and all the other best practices. That means we’re ok, right?

Well, no.

That cat-video site, unfortunately, is pretty old, and uses unsalted MD5 hashes... That is bad. Also, the cat-video site was recently hacked by Malice, who managed to access the entire database of accounts and password hashes. After a shockingly short period of time, Malice has cracked the MD5 hashes and watched many hours of cats walking on people while they are trying to work.

Not good, but it gets worse.

After watching those cat-videos, Malice decides to see how much more use can be made of the cat-video site’s account and password database. Since Malice knows that many people use the same password on different sites, and most sites use email addresses as account names, it’s easy enough to build a tool (or use an existing one) which will try to access a list of email providers, social media companies, cloud services, and banks. Malice will then pass the user ids and passwords from the cat-video site.

Uh, oh...

Within a few minutes, and in spite of the relative security of these services, Malice has gained access to Alice’s email, social media, and bank accounts.

That’s credential stuffing. Using credentials obtained from one security breach to attack other services in the hopes that people have used the same password on different services.

And don’t bother asking - of course it can get worse. As more and more services are compromised, more credentials are made available to attackers, so any password you have ever used on any account is potentially compromised.

People use a variety of schemes to come up with their passwords. Names from family members, favorite books or movies, pets, sports teams, cars, and so on. Some come up with schemes to adjust their passwords so that they can use a single “root”, but have different passwords for different services. For example, Alice might use “correcthorsebatterystapleCAT” for her cat video site, and “correcthorsebatterystapleBANK” for her bank. Still others will add numbers or special characters, to comply with password policies, or leetspeak (https://en.wikipedia.org/wiki/Leet) to make their passwords “harder”, but as xkcd points out, it doesn’t really make it harder for computers.

Malice is pretty clever, and really wants access to Alice’s accounts. (Strictly-speaking, this would now be considered a “targeted attack”, rather than credential stuffing, but whatever.) In any case, Malice decides to write (or use) a program that will take the passwords obtained from the cat-video breach, combine it with other password lists found on the Internet, then figure out variations of those which can be tested. For example, add “1”, “2”, “3” to each of them, replace “o” with “0”, capitalize the first character, etc. Or, try replacing “Gandalf” with “Saruman”, or “T0ny$tark” with “Bruc3B9nner”. Easy enough for a human, but Malice can write a program (or use existing ones) to come up with hundreds or thousands of variations easily.

This is bad. But what can we do about it?

The key is to ensure that we have a long, hard-to-guess password that is unique for each site/service. But how do we remember those passwords?

We don’t. In practice, we can’t. There are too many accounts, and passwords need to be too long for our brains to manage effectively. For good password management, we need a way to generate good passwords, and a way to record them so that we don’t have to remember them.

Information Security is mainly about risk. So, what are the risks and benefits of a particular course of action?

What if we write them down? While it seems extremely risky and counter-intuitive, this “old school” approach may not actually be the worst option for some people. The risks associated with writing things down are that the list could be lost or stolen, but if someone is uncomfortable with other tools, this could at least help to ensure that strong, unique passwords are used. Still, I think there are better options available.

How about storing them in a file on your computer? Actually, that might be riskier than writing them down, as an attacker could potentially access your computer from anywhere in the world, and compromise all your accounts, while fewer people are likely to have access to the book you keep in your (normally locked, of course) desk drawer.

How about a password-protected file? Getting better, possibly, but inconvenient to use, and dependent on the password-protection of the program in question.

There are endless clever ways for making these options “safer”, but the root of the problem is that they depend either on other passwords, or codes that you have to remember, or are otherwise inconvenient or insecure in one way or another.

Multi-Factor Authentication (MFA) improves login safety, doen’t it? Yes, and it is highly recommended, but you will still normally need to deal with a password, so we’ll deal with MFA some other time.

What about “Sign in with” an online account, such as your social media or cloud services account? That brings us into “federated identity” and “single sign on” (SSO) connections. Always good to be aware of what is out there, and the benefits and risks associated with them. Without going into detail, these options delegate the protection of your credentials to another service. They can be quite secure and convenient, but still require a degree of trust – both from the user, and from the service supporting “Sign in with” another service.

Back to Alice. Alice would need to have a social media account (for example), and the cat-video site would have to set up “trust” between their service and that social media company. When logging on to the cat-video site, Alice would be directed to the social media site to enter a username and password. The social media site would then send a “token” back to the cat-video site, verifying that Alice has successfully authenticated to the social media service and allowing Alice to access the site. Since the cat-video site doesn’t know Alice’s password, Malice would not be able to compromise Alice’s account by compromising the cat-video site’s password database.

Whew! We’re done, right?

Well, much better than before, but Alice is still trusting the social media site to set up their security correctly, and providing them with a lot more information about habits and sites of interest (That’s often why services like this are provided in the first place). Also, this is a social media company, not a security company, and there have been cases where the “authentication tokens” used for this sort of thing have been compromised. For a security company, this would be a critical priority, but for a social media company, maybe not treated quite so urgently.

Which leads us to password managers. The basic concept is that you use a password manager to store all of your passwords, then have a single (long and strong) password for managing them. You enter your “main” password, then access your password list. The risk is more focused, and if your password manager or “main” password is compromised, your entire password list is still compromised, but a “good” password manager will be built by a company whose primary focus is on security, and they will make sure that the service is as strong and secure as possible. (Also, since password managers provide the “keys to the kingdom”, they will usually receive a lot of attention from the security community and the criminal market. This will normally either ensure they are secure, or destroy their reputation.)

I use a password manager, and love it. While there are a number of “free” or “cheap” password managers, or tools which are built into other products, it’s vitally important to pick a good one. Not an easy decision, but there are a lot of reviews out there, and only a few password managers which seem to consistently come out high on those lists.

Getting back to our example, if Alice had used a password manager, and let it generate long and strong passwords for each of the services used, Malice would probably still have compromised the cat-video site (though a very long password might require much longer for Malice to crack), but the password obtained would have been useless against Alice’s email, social media, or bank accounts. Also, Alice would be able to change the cat-video site password as soon as the notification came from https://haveibeenpwned.com/, or sometimes even from the password manager itself.

While it’s impossible to eliminate all risk, it’s relatively easy to reduce it. In this case, a password manager would eliminate the risk of a credential stuffing attack, now that we know what that is, and reduce other risks associated with password maintenance.

Cheers!

Komentáře


bottom of page