10

I sometimes hear news articles about hackers managing to get a list of usernames/emails and passwords from a given site, and I also hear news articles about how little entropy there is in some people's passwords, and how common some of the most common passwords are.

uh - I like how Google makes everything easy, but this is a little over-the-top

However, I don't hear many news articles about people using passwords to breach security. The last time I've heard of something vaguely similar to that was for a very high-profile target - a Vice-Presidential candidate in the 2008 election campaign (and it involved resetting a password using verification information).

Are bad passwords used to breach security in real life?

The question Are there any examples of huge damages done by password leaks, or bad password management policies? is partially related, but it seems to be also touching upon the damage caused to companies by the company having lists of usernames/emails and passwords leaked.

Andrew Grimm
  • 9
    I'm seeing a ton of results by Googling "high profile hacks passwords". RockYou, Ebay in 2015, Ashley Madison, all the result of poor passwords. I stopped going further because there is a ton of material online. – schroeder May 15 '16 at 04:08
  • 1
    I'm thinking this is too broad. There is a ***LOT*** of material out there. Maybe you need to narrow your focus a little? – schroeder May 15 '16 at 04:16
  • @schroeder are you sure those hits are about companies being breached by poor passwords, as opposed to companies releasing users' passwords? – Andrew Grimm May 15 '16 at 04:21
  • 2
    Yes, I am sure. Breaches as a result of poor password management: either phished, old accounts left open, password reset weakness. Read the reports. – schroeder May 15 '16 at 04:22
  • 1
    If password reset problems also qualify, the scope broadens. – schroeder May 15 '16 at 04:23
  • 3
    and don't forget the Apple celebrity pics hack from 2014, that was directly the result of a brute force attack on weak passwords (plus the flaw that let them do it...) – AviD May 15 '16 at 07:41
  • 1
    I'm thinking that this question is either too broad, or lacking research. Google and VDBIR produce a ton of recent, real-life examples. – schroeder May 16 '16 at 05:12
  • 2
    Yesterday evening I wanted to sit out in the sun on the roof of my apartment complex, but unfortunately the door is locked with a keycode. I just entered a random, weak code which I knew was fairly common, and got access straight away on my first try. – user1666620 May 16 '16 at 10:19
  • 1
    One problem you'll have is that the kind of breaches caused by weak password use aren't the same as the kind caused by mass leakage. Online, weak passwords result in individual accounts being compromised - bad for the individual, but unlikely to cause the company much damage. If you look at automated attacks against systems, though, you'll see the use of lists which you can find in full online, containing usernames and passwords. – Matthew Feb 24 '17 at 10:29
  • Well... [yes](http://security.stackexchange.com/questions/150184/should-i-tell-my-boss-i-have-discovered-their-passwords-and-they-are-too-weak) – sysfiend Feb 27 '17 at 16:10
  • Reused passwords are a huge threat. Once someone has one, they then can try all the usual sites (Facebook, Twitter, Snapchat, etc.) to see if the same password has been used. I use Lastpass to generate random passwords for nearly every web site I use, so that is not a problem for me. – SDsolar Feb 27 '17 at 18:54

9 Answers

10

Yes, stolen passwords are used in real life attacks. I didn't actually know myself until I searched, and it's buried all the way on the third page of my fourth or fifth Google search; i.e. the information practically doesn't exist. ;-)

Anyway, apparently back in 2012 there was a period of several months where Best Buy accounts were compromised by stolen passwords from another site. And in 2015, Verizon estimated 63% of data breaches used stolen, default, or weak passwords. I don't feel like registering to download the full report from Verizon so I'm not sure how many were stolen vs. weak or default, but I'd guess it's a significant portion if they're reporting it that way.

I'd guess more information is out there for the finding if needed.

Ben
8
  • It is believed that common passwords were used for the Celebgate/Fappening incident of 2014.
  • The Groupon website blamed password reuse as the source of some fraudulent purchases in 2016.
  • Verizon reports 422 data breaches using stolen credentials for the year 2013.
  • ...

The list goes on, and on... That's just a fraction of the results from a quick search. You just have to look for "password breaches".

So, yes, bad passwords are used to breach security in real life.


A. Hersean
  • Is The Register a reliable source? Most of the time I've heard about it was a decade ago when it repeatedly ran nonsense articles about Wikipedia. – Andrew Grimm Mar 03 '17 at 21:49
  • You don't have to trust them. You can (should) cross check the information by yourself and check their source (linked in the article). This advice stands for any newspaper. – A. Hersean Mar 08 '17 at 09:30
4

One challenge when trying to assess the specific impact that poorly chosen passwords have is that we don't always know how an attacker obtained a password. Maybe the password was learned because it was an easy guess, or it was reused and leaked from another breached site, or was it phished, or a few other possibilities. Either the targeted user or system owners don't actually know the answer to that question, or they know and it simply isn't included in the information shared with the public.

A decade ago I used to actively record stories about password-related incidents, and looking back through my index, there weren't many with details on how the compromised passwords were obtained. For example, here's one story that mentions a student guessing his teacher's password in an hour. Another report disclosed that a woman's ATM PIN was guessed because it was her birth date, which was stored alongside her stolen bank card. But for the few of those with details you'll see dozens of other stories with no mention of how passwords were stolen. As @Matthew points out in his comment, these attacks tend to be more individual-focused, which often isn't considered newsworthy.

Fortunately we do have a bit more data that we can turn to. In the 2016 Trustwave Global Security Report they reported that weak passwords were responsible for 7% of the hundreds of incidents they investigated the previous year. They don't define what they mean by "weak", but it's reasonable to assume this means a password that can be guessed or cracked within a few minutes to a week's worth of effort. Or it was a default vendor password. Similarly, they reported weak passwords as the identified method of intrusion 28% of the time in 2015 and 31% in 2014.

RSA shared news of a situation where attackers tried a single popular password against a site's 145,000 users and successfully compromised 434 of the accounts.

These days some organizations have moved to blacklisting weaker passwords because they are tired of dealing with customer compromises that result from attackers successfully guessing them. Microsoft announced that they were banning common passwords for their customer accounts last year. They joined organizations like GitHub and ArenaNet who have been doing this for years.

PwdRsch
3

Yes, they are. I suggest you skim the Verizon Data Breach Incident Report.

Last year, 63% of confirmed data breaches involved weak, default, or stolen passwords.

...

The capture and/or reuse of credentials is used in numerous incident classification patterns. It is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.

Wrycu
3

The Mirai botnet used bad passwords to compromise many devices with weak default passwords. This enabled its operators to gather one of the (arguably..) most powerful DDoS botnets ever.

There is a lot of data about it online, this report discusses the password issue: https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

GalB1t
1

Actually, this happens a lot more often than you are suggesting.

A very good (and practical) example of what happens would be what happened to Mr. Facebook, Mark Zuckerberg: https://techcrunch.com/2016/06/06/zuckerbergs-twitter-pinterest-linkedin-accounts-hacked/.

Short version being: an otherwise smart, and one assumes from the tape on his webcam, reasonably well informed IT professional got embarrassed in public because he chose bad passwords, and re-used passwords.

One can only imagine what might have been available to anyone able to get their hands on his Facebook account...

Edit: Most of us seem to be focusing on user passwords.

There are other instances to consider:

  • master codes for certain models of ATM were leaked online, allowing anyone in the know to do things like make the ATM think a 20 $CURRENCY bill was a 5 $CURRENCY bill
  • SCADA applications and systems having hard-coded and/or well-known default passwords have (allegedly) been exploited to cause infrastructure issues (there is a theory the 2011 blackout in California was one such instance)
  • SIM card pincodes, which (AFAIK) almost always default to 0000: this may seem like a trivial example, but it is the difference between losing an expensive piece of hardware, and losing an expensive piece of hardware AND having to pay for services the thief used.
iwaseatenbyagrue
0

Yes, hacked data dumps of credentials are often used to breach hundreds or even thousands of accounts at different sites. In fact, SWIM tells me it's actually quite trivial to do.

When a site is hacked and dumped, hackers end up with millions of email:password pairs. Since passwords are reused a lot, these logins have a high chance of working on different sites. So, you pick a site, code a quick script to login, then have it try all the passwords and save the ones that work. There's a whole market around these stolen accounts -- Netflix seems quite popular.

Long story short, don't reuse passwords.

Awn
-2

Fortunately or unfortunately, depending on what side you are on, most people use the same password for every site. Therefore, it is really easy to steal passwords from insecure websites, especially Android apps or even Wi-Fi. Then you use that same password to escalate to other sites such as bank accounts, etc. Then if you get into someone's email, it makes it really easy to change almost any password. This may actually be the easiest and oldest vulnerability.

-2

Yes, but let's explain this point by point:

  1. First of all: as said by many other answers before, many people always use the same password, usually a weak one. So once stolen, a major attack can then be possible. As some other users mentioned regarding the Verizon leak, and others... we can add to this list the Yahoo data breach, in which probably (not sure) many of those stolen credentials were used on many other sites.
  2. A stolen password can also be added to rainbow tables (for reversing password hashes) so it can be used for other attacks.
  3. Stolen/weak passwords are also added to brute-force dictionaries; this is one of the simplest and easiest attacks anybody can try.
  4. A stolen password can make a social-engineering attack easier. As an example: if you can steal some employee's mail password, you can trick some colleagues and bosses, leading to a further attack.

All this is proven to be a fact that has happened thousands of times.

KanekiDev