Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Wednesday, 8 January 2014
Reusing Passwords Across Social Media Sites: Don't Do That!
It doesn't matter how long and complex your password is: if you use the same password across multiple sites, you are at high-risk for attack.
Last month, Trustwave researchers discovered a trove of about two million usernames and passwords on a command-and-control server based in the Netherlands. The server, which was part of the Pony botnet, had harvested credentials for various websites as well as email, FTP, Remote Desktop (RDP), and Secure Shell (SSH) accounts from user computers, Trustwave's Daniel Chechik wrote at the time. Of the 2 million credentials harvested, about 1.5 million were for Websites, including Facebook, Google, Yahoo, Twitter, LinkedIn, and online payroll provider ADP.
A deeper analysis of the password list found that 30 percent of users who had accounts across multiple social media accounts had reused their passwords, said John Miller, the security research manager at Trustwave. Each of these accounts would be vulnerable to a password reuse attack.
"With a small amount of effort and some clever Google queries, an attacker could find additional online services where the compromised user had used a similar password and could then gain access to those accounts as well," Miller told Security Watch.
It's "Just" Social MediaIt's obviously bad that attackers had access to victims' FTP servers and email accounts, but it might not be as obvious why having their Facebook or LinkedIn passwords was a big deal. It's important to remember that attackers frequently use these lists as a jumping off point to launch secondary attacks. Even if attackers steal "just" a social media password, they may wind up getting into to your Amazon account, or break into your corporate network via VPN because the username and password happened to be the same as what you had on that social media account.
Security Watch frequently warn about the dangers of password reuse, so we asked Trustwave to analyze this password list to quantify the extent of the problem. The resulting figures were startling.
Of the 1.48 million username/passwords associated with social media accounts, Miller identified 228,718 distinct users with more than one social media account. Out of those usernames, 30 percent had used the same password across multiple accounts, Miller found.
In case you are wondering, yes, cyber-criminals will try out the same combination across random sites, either manually or via a script to automate the process.
Reuse As Bad as Weak Passwords
Passwords can be hard to remember, and that's especially true for passwords that most people consider strong. While these users should be commended for not using weak passwords such as "admin," "123456," and "password," (which was still a problem among this group) the problem is that even complex passwords lose their effectiveness if they aren't unique.
Miller also identified another reuse problem. While many sites have users log in with their email addresses, others allow users to create their own usernames. In that original list of 1.48 million username/password combinations, there were actually 829,484 distinct usernames because users were using common words. In fact, "admin" appeared as a username 4,341 times. Half of the "weak" usernames also had weak passwords, making it even more likely that attackers could brute-force their way across multiple accounts.
Stay Safe
Secure passwords are critical to keep our data and identity safe online, but users frequently opt for convenience over security. This is why we recommend you use a password manager to create and store unique, complex passwords for every site or service you use. These applications will also automatically log you in, making it much harder for keyloggers to snatch your information. Be sure to try out Dashlane 2.0 or LastPass 3.0, both which are our Editors' Choice award winners for password management.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment