Tales of Password Reuse

Published: 2013-11-22
Last Updated: 2013-11-22 15:45:51 UTC
by Rick Wanner (Version: 1)
7 comment(s)

As a security practitioner I try really hard to drink the Kool-Aid, in other words to practice what I preach. I have been a strong advocate, for well over a decade, of avoiding password reuse. There is one concession I personally made to password reuse: for years I used one "throwaway" password for services where I didn't care about the account, you know, those annoying sites that make you sign up just to access some mundane capability. In my case, my throwaway password is still a high-quality password, but it is used on literally dozens of sites where there is no data of value, like Adobe. After the Adobe breach I changed my throwaway password on as many sites as I could remember having used it at, and developed a better methodology for passwords on these sites (i.e. no more reuse).

Apparently I missed one. Yesterday I got an email from Evernote telling me that I had used the same password at Evernote that I had used at Adobe. The Evernote account probably got my throwaway password before I realized the value of the Evernote service. I now use Evernote nearly every day from my mobile devices, where I don't get prompted for the credentials, but never log into it over the web, so I didn't remember what the password was set to.

Needless to say I quickly changed my Evernote password and enabled Evernote's two-step authentication.

Shortly afterwards an ISC reader forwarded an article from The Register about a brute-force authentication attack against GitHub. While there aren't a lot of technical details in the article, this attack is interesting because it is a relatively slow attack from over 40,000 IP addresses, obviously designed to reduce the likelihood of any anti-brute-forcing controls kicking in.

As quoted in the article: "These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this." This suggests that this was not your typical brute force employing obvious userids and incredibly inane passwords, but a targeted attack against password reuse.
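The defensive point in that statement is that rate limiting keyed on the source IP is blind to guessing spread thinly across tens of thousands of addresses: each address stays under the per-IP threshold while the target accounts absorb hundreds of attempts. The following added example (not code from this diary, from GitHub or from The Register; the log format, field names, thresholds and sample data are assumptions) runs one sliding-window failure counter over a constructed failed-login log keyed two ways. Keyed by source IP nothing trips; keyed by target account the distributed guessing stands out, and the count of distinct IPs failing against each account separates it from a single user mistyping a password.

```python
"""Per-IP versus per-account sliding-window failure counting.

Added example, not code from the ISC diary, GitHub or The Register.
Log format, field names, thresholds and all sample data are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format: "<timestamp> user=<u> ip=<ip> result=<ok|fail>".
# Low-and-slow guessing: one failed attempt per minute for five hours, spread
# over 100 source addresses (198.51.100.0/24 is a documentation range), so each
# address is used only three times, 100 minutes apart, against three accounts.
SAMPLE_LOG = []
_base = datetime(2013, 11, 21, 0, 0, 0)
_targets = ["alice", "bob", "carol"]
for i in range(300):
    ts = (_base + timedelta(minutes=i)).strftime("%Y-%m-%dT%H:%M:%S")
    SAMPLE_LOG.append(
        f"{ts} user={_targets[i % 3]} ip=198.51.100.{i % 100 + 1} result=fail"
    )
# A legitimate user mistyping twice from one address, then succeeding.
SAMPLE_LOG += [
    "2013-11-21T00:10:30 user=dave ip=203.0.113.7 result=fail",
    "2013-11-21T00:10:45 user=dave ip=203.0.113.7 result=fail",
    "2013-11-21T00:11:02 user=dave ip=203.0.113.7 result=ok",
]


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, user, ip, result)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return ts, fields["user"], fields["ip"], fields["result"]


def sliding_window_alerts(events, key_fn, threshold, window):
    """Return the set of keys whose failures within any `window` reach `threshold`.

    `key_fn(user, ip)` chooses the aggregation key: source IP (what a
    per-IP rate limiter sees) or target account (what catches distributed guessing).
    """
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, ip, result in sorted(events):
        if result != "fail":
            continue
        q = recent[key_fn(user, ip)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key_fn(user, ip))
    return flagged


def analyze(log_lines, window=timedelta(hours=1), per_ip_limit=5, per_account_limit=10):
    """Apply both keyings and count distinct failing source IPs per account."""
    events = [parse_line(line) for line in log_lines]
    distinct_ips = defaultdict(set)
    for _, user, ip, result in events:
        if result == "fail":
            distinct_ips[user].add(ip)
    return {
        "per_ip": sliding_window_alerts(events, lambda u, ip: ip, per_ip_limit, window),
        "per_account": sliding_window_alerts(events, lambda u, ip: u, per_account_limit, window),
        "distinct_failing_ips": {u: len(s) for u, s in distinct_ips.items()},
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("per-IP alerts:      ", sorted(report["per_ip"]) or "none")
    print("per-account alerts: ", sorted(report["per_account"]))
    for user, n in sorted(report["distinct_failing_ips"].items()):
        print(f"  {user}: failures from {n} distinct source IP(s)")
```

The per-account key is what makes the spread-out attack visible; the distinct-IP count is the feature to alert on, since a real user who forgets a password fails from one or two addresses, not from a hundred. In production the same counters would be fed from the authentication service's own logs rather than a constructed list.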

The article also goes on to lament: "It strikes us that GitHub's recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites."

Guess I will be looking at all my passwords again, including the ones used by my mobile devices!


-- Rick Wanner - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)
