Security Week 04: what to do with passwords

Of course, the most important news last week was the leak of “Collection # 1” - a database consisting of 2.7 billion “email: password” pairs, or 773 million unique records. The leak has already been highlighted in detail both here on Habré and in the blog , perhaps, of the most famous collector of insecure passwords, Troy Hunt. We will not repeat, better let's talk about what to do?

Passwords have long been recognized as an unreliable means of protecting accounts on the network. With a high probability, all your ten-year-old passwords are already available to attackers due to the mass of large and small leaks from Linkedin , Vkontakte , Twitter , Tumblr and MySpace and, of course, Yahoo . Spoiler: There is no simple solution to the problem, but there is a set of actions that will help reduce the risk of hacking important accounts.

If you are subscribed to Troy Hunt HaveIBeenPwned service, last week you were 34% likely to receive a similar message:


Ok, your email address is in the database, what's next? You can go to the site and see where this address lit up earlier. And check other address. And that one. In the case of long-used addresses, the expensive edition watched a list of a dozen different leaked password databases. A logical question arises: which passwords have leaked? What services need to change the password? In the case of an incident with a specific service, you can answer at least the second question. In the case of the leaked "Collection # 1", you will not receive such an answer. A new leak is a compilation from various sources of unknown origin.


Well, on the same service, you can check your own passwords. If you do not trust Troy Hunt, you can download a database of hashed passwords and check your passwords offline. Or just decide that at least someone in this world is sometimes necessary to trust.


You can use the muddy services, for money returning a line from the leaked database, but you don’t need to trust them. Moreover, you should not download the leaked database itself, which seems to have scattered across the Internet. If the unique leak from a single service turned out to be new, then this is, of course, a problem. But if this password also applies to all your accounts in general, this is a potential catastrophe.

Who is to blame for the fact that your password was available to attackers? Here, too, there may be many answers. The obvious one is the leak of the password database of some kind of network service. In the list of databases that make up Collection 1, there are a huge number of small sites and forums that have been hacked at various times. About once every couple of years, data leaks from large services occur. But the problem is not only in them.


The screenshot is taken from this post by Troy Hunt in response to suspicions of stealing the password database from the Spotify music service. The service was not to blame: using the login-password pairs already known from other leaks, the attackers were able to hack quite a few Spotify accounts, including accounts with a paid subscription. This is a clear consequence of reusing the same password. But that's not all. Your passwords are stored in the browser, you enter them on different computers and mobile devices. These data can be stolen and on your side. Finally, many sites do not even have weak protection against theft of personal information of users - they do not even use HTTPS, which means that your password to such a service is sent in clear text and can be intercepted. You could also become a victim of phishing at some point and not even notice it (“well, I could not log in, then try again”).


All this creates a rather unpleasant situation for the average user, when there is no clear understanding of what happened where and what the consequences would be. Leaking passwords from one service can result in cracking another, using the same password. You (or, even worse, your technically untrained relatives) may be trying to blackmail, giving the real password of one of your accounts as an argument. Through the hacked payment services and sites that store your credit card information, you can steal real money. Here you can probably be the Captain of Evidence and recommend any password manager to solve the main problem - reuse. But in fact, not everything is so simple.

The story of the next major password leakage is a story about operating security (a term borrowed from the military). The meaning of OPSEC is that protecting your data is a continuous process. There is no one reliable method that solves all problems at once once and for all. Suppose you are using a password manager. Have you exactly changed the password on all sites? What about long forgotten forums? Is it possible to bypass the password manager or any other phishing protection? Yes, it is quite.

Two-factor authentication adds another level of security to your account. Is it possible to get around it? Can. There were enough examples of SMS authorization bypass using, for example, social engineering to clone a SIM card. More recently, a proof-of-concept interception of data entered by the user during 2FA authentication was shown . In December, a Trojan program was discovered to steal funds from PayPal, which does not steal passwords or 2FA tokens at all, but waits for a login to a legitimate application and takes control.

The correct approach is to use a combination of technical means to protect accounts, such as a password manager and two-factor authentication, plus security-oriented use of software and devices. Without trying to make an exhaustive list of methods, we give examples. Probably, you should not bind the accounting of working tools to a personal e-mail. It is definitely worth having a separate email for the vulnerable services - old, but useful forums without https and the like. Or vice versa, you can create an e-mail account for the most important services, do not shine it on the Internet, do not correspond with it and protect it as much as possible with all available means. In the event of a leak, attackers will receive an email address for “insecure” services and will not be able to use it to attack your critical accounts. The main thing - do not get lost in your own opsec-pants.

Let's add here the refusal to install questionable applications on the smartphone and the desktop, or, better yet, the installation of anti-virus software, which also does not solve all the problems, but makes a tangible contribution to the common security box. The phone is generally worth saving, as it usually contains the keys to all doors. Even these measures do not preclude the regular change of passwords at least on frequently used services with a certain frequency. The frequency of this procedure depends on your personal degree of paranoia: every six months should be more than enough. Make a list of important services, put a reminder, do not save billing information when you are offered this, even if it is eBay or Aliexpress. Do all of these methods provide a 100% guarantee for the protection of your data? No, they do not, in the sphere of protection anything does not happen at all. But they sufficiently protect you not only from the method of credential stuffing, when the leaked passwords from the list try to apply to any services, but also from some more cunning methods. In this case, when you receive the next letter from HaveIBeenPwned, this will no longer be a reason for panic, but a trigger for performing the usual procedure for checking your own intangible assets.

Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.