Q&A: Why the theft of usernames and passwords is accelerating

In the wake of the June 6, 2012 disclosure that hackers stole 6.5 million LinkedIn usernames and passwords, Rapid7 security researcher Marcus Carey analyzed 165,000 cracked passwords. The top password phrases: “Link,” “1234,” “work,” “god.”

Use of weak passwords is just one of several variables playing into a complex market taking shape in the cyber underground for stolen usernames and passwords. Carey has graciously answered LastWatchdog’s questions about the wider significance of the rash of breaches where account logins are the targeted booty.

LW: Some people might think passwords stolen from Epsilon, Stratfor, Zappos, LinkedIn, Formspring and now Yahoo aren’t that big a deal.

Carey: The actual value of the credentials lies in which sites they are harvested from. For example, if I was interested in attacking government or military related sites, I’d place credentials collected from Stratfor in high regard. If I’m interested in attacking a technology firm, I’d probably prefer credentials from LinkedIn. Attackers are very strategic . . . The prevalence of people using the same username and passwords on websites leads to the high probability of attackers being able to pivot the attacks.

LW: Can it be shown that password breaches are, indeed, accelerating?

Carey: What we are seeing is an acceleration in the ability for attackers to crack passwords due to new password cracking algorithms and hardware; Moore’s Law is in full effect. There is a variety of free powerful password cracking tools such as John the Ripper and Hashcat, which are very popular in the password cracking community.

LW: What fundamental things are driving this acceleration?

Carey: In the last few years attackers and researchers have been using graphics cards for cracking passwords and hashes. Bitcoin mining has even monetized the use of high powered graphics cards, which can also be used for password cracking.

LW: What are the key, big-picture, going-forward implications for consumers, small businesses, and enterprises?

Carey: Consumers should use password management software such as LastPass or KeePass, which automate and safely store logins. Small businesses and enterprises must work with application developers to ensure the use of more secure password hashing algorithms to make password cracking tougher. We are seeing many sites incorrectly using cryptographic algorithms; for instance, SHA1 was never intended to keep data confidential. SHA1 was made for ensuring the integrity of data; for example, you’d use it to make sure a database’s contents haven’t changed.

LW: Anything else?

Carey: Companies need to monitor password breaches experienced by different services to ensure attackers aren’t able to pivot (using the same usernames and passwords) and compromise their user accounts. Many times users utilize the same email address, usernames, and passwords or password phrases on different sites. Organizations can automate programs to crosscheck against their user base.

Web applications should ban the use of simple passwords as well as banning those same bad password patterns in the use of longer passwords or passphrases.

Users need to get creative when generating passwords. The strongest passwords are something you can remember, but still not common enough to be cracked. This is why I recommend using passphrases with at least 12 characters, such as “GreenDonutsAreYummy” as a password. Passphrases should be somewhat random and easy to remember.

–By Byron Acohido
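
The password policy described in the closing answers, sketched as an added example (not code from Carey, Rapid7, or the article): it rejects passwords under 12 characters and any password, however long, that embeds a banned pattern. The ban-list entries beyond the four phrases cited at the top, the look-alike substitution map, the repeated-chunk rule, and all function names are assumptions.

```python
import re

# The four top phrases reported in the article, plus two constructed
# entries ("password", "qwerty") that are assumptions, not article data.
BANNED_PATTERNS = ["link", "1234", "work", "god", "password", "qwerty"]

# Assumed map for undoing common look-alike swaps such as "g0d" -> "god".
LOOKALIKES = str.maketrans(
    {"0": "o", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "!": "i"}
)


def find_banned(candidate, banned=BANNED_PATTERNS):
    """Return the banned patterns found anywhere inside the candidate."""
    lowered = candidate.lower()
    # Check both the raw form (so "1234" still matches) and the form with
    # look-alike characters mapped back to letters.
    variants = (lowered, lowered.translate(LOOKALIKES))
    return sorted({p for p in banned if any(p in v for v in variants)})


def check_password(candidate, min_length=12, banned=BANNED_PATTERNS):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = find_banned(candidate, banned)
    if hits:
        problems.append("contains banned pattern(s): " + ", ".join(hits))
    # Assumed extra rule: a chunk of 1-4 characters repeated to reach the
    # minimum length is still a simple password.
    if re.fullmatch(r"(.{1,4})\1+", candidate):
        problems.append("is a short sequence repeated")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["god", "LinkedIn1234Work!", "MyG0dIsGreat2012",
               "abcabcabcabc", "GreenDonutsAreYummy"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

A substring ban list like this only covers patterns already known to be bad; it complements the breach crosschecking and stronger password hashing mentioned in the interview and does not replace them.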