The Digital Shadows 2022 Account Takeover Report provides some useful insights into password/account security and the trade in stolen account details.
Digital Shadows amassed a collection of 24,649,096,027 compromised credentials in 2021. These were sourced from data sets readily on sale to those with the funds and lack of morals. Many credentials appear on more than one source but roughly 6,700,000,000 were of unique user name and credential pairs. The information is traded in files of thousands of data rows. The value of this information depends on the age of the data, together with the presence or format of the passwords. The longer account details are in the wild the more likely that the account has been shut down or password changed.
Having a password linked to an account is a valuable asset, but passwords are usually stored as a hash rather than in plain text. The passwords for the popular blog software WordPress, for example, are stored as an MD5 hash in the WordPress database of the host server. It would be hard to reverse the hash back to plain text, but hackers can hash guesses instead; if the hash of a guess matches the stored hash, the password has been cracked. A dictionary or brute force attack can be run off-line with no risk of the account being locked out. Success depends on the strength of the original (plain text) password, but if there are enough rows in the file it is likely that some will be guessed. This process offers a middle ground of income for the slightly more principled hacker: buy files with hashed account passwords and sell on the more valuable filtered data with clear text passwords.
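The mechanics described above can be seen in a few lines of Python. The following is an added illustration, not code from the article or from WordPress: it compares an unsalted MD5 store with a salted, iterated PBKDF2 store, using a constructed set of users and a constructed list of common candidate passwords. With unsalted hashes a table computed once serves against every dump, and identical hashes expose password reuse between users without any cracking at all; with a per-user salt and a slow KDF the same table matches nothing and each guess has to be recomputed per account.

```python
import hashlib
import hmac
import os

# Constructed demo data (not real accounts): two users chose the same weak password.
USERS = {"alice": "London1984", "bob": "London1984", "carol": "correct-horse-9"}

# Constructed stand-in for a precomputed wordlist/rainbow table of common passwords.
COMMON_CANDIDATES = ["password", "123456", "London1984", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5: the same password always yields the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(candidates):
    """Hash each candidate once; the table is reusable against every unsalted dump."""
    return {md5_hex(c): c for c in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """Recovering an unsalted hash costs one dictionary lookup, or None if not in the table."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Mitigation: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    Stored as salt$iterations$derived_key so verification can rebuild the parameters."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(stored_hashes: dict):
    """Groups of users whose stored hashes are identical. With unsalted hashes this
    reveals password reuse across accounts before a single guess is made."""
    groups = {}
    for user, h in stored_hashes.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def demo():
    table = build_lookup(COMMON_CANDIDATES)
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}
    salted = {u: salted_hash(p, os.urandom(16)) for u, p in USERS.items()}
    return {
        "unsalted_recovered": {u: lookup_unsalted(h, table) for u, h in unsalted.items()},
        "salted_recovered": {u: lookup_unsalted(h, table) for u, h in salted.items()},
        "reuse_visible_unsalted": shared_password_groups(unsalted),
        "reuse_visible_salted": shared_password_groups(salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is a constructed choice; a real deployment would tune it (or use bcrypt, scrypt or Argon2) so that a single verification costs a noticeable fraction of a second, which is what turns an off-line dictionary run from minutes into years.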
Where no password is present the data still has value, more so if the seller can guarantee that the accounts actually exist and are still live. Passwords can be guessed by brute force or dictionary attacks, and even an attack that fails will confirm whether the account is live. Logins may be restricted to a limited number of failed attempts and may block suspect IPs, but hacking software will introduce pauses between attempts and switch between spoofed IP addresses. This may be a burden when hacking a single account, but running through a file of thousands of accounts allows time intervals to be built in, and the low-hanging fruit will swiftly fall. If the aim is to increase the value of data by confirming accounts and adding passwords then it may not be worth the hacker’s time to confirm every single account in a file. This is a clear benefit of choosing more complex passwords.
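The paragraph above describes exactly the pattern that per-account lockouts and per-IP blocks each miss on their own: one source working through a file of many accounts, a few guesses each, and one account being probed slowly from rotating addresses. The detection logic below is an added example, not part of the article or the Digital Shadows report; it runs three sliding-window rules over constructed authentication log lines (the format and the IP addresses are invented for the demo) and returns what each rule flags.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). They contain:
#  - 203.0.113.7 failing against five different accounts in five seconds (stuffing)
#  - 198.51.100.20, a legitimate user who mistypes once and then succeeds
#  - account "heidi" probed once each from four addresses, five minutes apart
LOG_LINES = """\
2022-03-01T10:00:01Z auth=fail user=alice src=203.0.113.7
2022-03-01T10:00:02Z auth=fail user=bob src=203.0.113.7
2022-03-01T10:00:03Z auth=fail user=carol src=203.0.113.7
2022-03-01T10:00:04Z auth=fail user=dave src=203.0.113.7
2022-03-01T10:00:05Z auth=fail user=erin src=203.0.113.7
2022-03-01T10:00:06Z auth=ok user=frank src=203.0.113.7
2022-03-01T10:00:10Z auth=fail user=grace src=198.51.100.20
2022-03-01T10:00:15Z auth=ok user=grace src=198.51.100.20
2022-03-01T10:00:20Z auth=fail user=heidi src=192.0.2.33
2022-03-01T10:05:20Z auth=fail user=heidi src=192.0.2.34
2022-03-01T10:10:20Z auth=fail user=heidi src=192.0.2.35
2022-03-01T10:15:20Z auth=fail user=heidi src=192.0.2.36
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines: str):
    """Parse the constructed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def window_hits(events, key: str, window: timedelta, threshold: int, distinct_of: str = None):
    """Return the set of keys (an IP for key='src', an account for key='user') whose failed
    logins reach `threshold` inside any sliding window of length `window`.
    If distinct_of is given, count distinct values of that field instead of raw attempts."""
    by_key = defaultdict(list)
    for ts, result, user, src in events:
        if result != "fail":
            continue
        rec = {"user": user, "src": src}
        by_key[rec[key]].append((ts, rec[distinct_of] if distinct_of else None))
    flagged = set()
    for k, items in by_key.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = [v for ts, v in items[i:] if ts - start <= window]
            count = len(set(in_window)) if distinct_of else len(in_window)
            if count >= threshold:
                flagged.add(k)
                break
    return flagged


def detect(lines: str = LOG_LINES):
    """Three complementary rules; thresholds are constructed for the demo."""
    events = parse(lines)
    return {
        # Rule 1: classic per-IP rate limit (what a simple IP block sees).
        "fast_failures_by_ip": window_hits(events, "src", timedelta(minutes=1), 5),
        # Rule 2: one source, many accounts. A per-account lockout never trips because
        # each account sees only one failure.
        "spray_by_ip": window_hits(events, "src", timedelta(minutes=10), 4, distinct_of="user"),
        # Rule 3: one account, many sources, spaced out. A per-IP block never trips because
        # each address tries only once.
        "distributed_guessing_by_user": window_hits(events, "user", timedelta(hours=1), 4, distinct_of="src"),
    }


if __name__ == "__main__":
    for rule, hits in detect().items():
        print(f"{rule}: {sorted(hits)}")
```

Rule 3 is the one that matters for the "pauses and spoofed IPs" behaviour the article describes: the account being worked on is the stable element, so counting distinct source addresses per account over a long window catches what both of the usual limits miss.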
The following data indicates the relative ease of cracking related passwords. Digital Shadows used the password-strength estimator zxcvbn to compare the strength of similar passwords. A brute force attack implies the trial of increasingly long sequences of keyboard characters. The throttling data reflects attempts to overcome account or IP lockouts. A password such as London1984 would probably be picked up more easily by a dictionary attack, as it comprises a word in common use and a simple sequence of numbers.
| Password | No. of brute force attempts | Off-line – solve hash (h:m:s) | On-line no throttling | On-line throttling |
|---|---|---|---|---|
| London1984 | 36,800 | 00:00:03 | 1:01:20 | 15 days 8:00:00 |
| London_1984 | 53,610,000 | 1:29:21 | 62 days 1:10:00 | 22,337 days 12:00:00 |
| @London_1984 | 1,868,800,000 | 2 days 3:54:40 | 2,162 days 23:06:40 | 778,666 days 16:00:00 |
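The three time columns are simply the guess count divided by an assumed guessing rate. As an added worked example (not from the article or from Digital Shadows), the script below reproduces every figure in the table from the guess counts alone. The rates it uses are an assumption about how the report was produced: 10,000 guesses per second off-line against a slow hash, 10 per second on-line without throttling and 100 per hour with throttling; these are zxcvbn's standard attack scenarios and they match the table exactly. It also adds zxcvbn's fourth scenario, a fast unsalted hash such as MD5 at 10^10 guesses per second, which the table does not show and which puts even @London_1984 under a second.

```python
# Guess rates expressed as (guesses, per_seconds) so that all arithmetic stays in
# integers. Assumption: these are the zxcvbn scenarios the report's figures match.
SCENARIOS = {
    "offline_slow_hash": (10_000, 1),           # bcrypt/PBKDF2-class hash, 1e4/s
    "online_no_throttling": (10, 1),            # 10 guesses/s against a live login
    "online_throttling": (100, 3600),           # 100 guesses/hour after lockouts
    "offline_fast_hash": (10_000_000_000, 1),   # unsalted MD5-class hash, 1e10/s (not in the table)
}

# Guess counts exactly as given in the table above.
GUESSES = {
    "London1984": 36_800,
    "London_1984": 53_610_000,
    "@London_1984": 1_868_800_000,
}


def crack_seconds(guesses: int, scenario: str) -> int:
    """Whole seconds to exhaust `guesses` at the scenario's rate (floored, as the table does)."""
    per_period, period_seconds = SCENARIOS[scenario]
    return (guesses * period_seconds) // per_period


def fmt_duration(seconds: int) -> str:
    """Render as 'D days H:MM:SS', omitting the day part when it is zero."""
    days, rem = divmod(int(seconds), 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours}:{minutes:02d}:{secs:02d}"
    return f"{days:,} days {body}" if days else body


def crack_table(guesses: dict = GUESSES) -> dict:
    """password -> {scenario -> formatted crack time} for every scenario."""
    return {
        pw: {name: fmt_duration(crack_seconds(g, name)) for name in SCENARIOS}
        for pw, g in guesses.items()
    }


if __name__ == "__main__":
    for pw, times in crack_table().items():
        print(pw)
        for name, t in times.items():
            print(f"  {name:22s} {t}")
```

The contrast between the two off-line rows is the point of the earlier discussion of hashing: the same password that takes two days against a deliberately slow hash takes a fraction of a second against a fast unsalted one, so the storage scheme matters as much as the password.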
Part of the problem lies with the nature of passwords themselves. Users cannot be expected to remember details of every account they have access to, so it is too easy to re-use passwords between accounts or to use simple modifications of a base keyword. With large sets of account details trading in the wild, a known working pair can be used to look for similar user name details and match them with variations of the already cracked password. This could allow a criminal to work up the access chain from shopping cart to corporate admin. Any password vault is only as strong as the account on the vault itself. Even two-factor authentication solutions can be bypassed if the hacker is able to convince the victim’s phone provider to change access to that account. Kindus have already discussed passwordless solutions, but that technology is not yet widely deployed.
Kindus recommendations to minimise the impact of password theft:
• The more complex a password system, the less likely it is to be hacked.
• Use work passwords that have no similarity to home passwords.
• If there is any likelihood that an account has been compromised, lock it.
• Create a new account instead of re-setting the password on a compromised one.