1.4B leaked passwords in 41GB dump: Stop the madness!

Passwords: We’ve had enough!

Especially after the latest cache of 1.4 billion—all 41GB of it—emerged on the Internet. This aggregated, easily searchable database of new and old stolen credentials is the latest illustration of the mess we’ve gotten ourselves into.

So let’s do something about it. In this week’s Security Blogwatch, we fly the flag for better authentication.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Splicing little babies with fish

The State of Security Operations

What’s the craic? As Iain Thomson registers, people still suck at passwords:

A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by … @4iQ. [It] is both current and being used by third parties.

Disturbingly, the archive also shows that years of advice on choosing strong passwords is still being ignored. The top password is, depressingly, still 123456 … and the history of some accounts shows the minor variations that would make other passwords for the account easier to guess.

Ouch. Duncan Riley drives the point home: [You’re fired—Ed.] 

It’s getting easier for hackers to obtain user credentials in bulk.

An estimated [200 million] records found in the database [are] believed to be … username/password pairs [that] had not previously been decrypted by the hacking community.

[But] the way the credentials are stored within the download is said to be the more disturbing part of the discovery.

Some things never change: … People use stupid, unsafe passwords. … Yet some of the blame lies with large businesses failing to prevent customers and employees from using such passwords to begin with.

4i-who? Julio Casal ’fesses up—A Massive Resource for Cybercriminals:

Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials. … Is the cyber crime epidemic about to become … exponentially worse?

[It’s] the largest aggregate database found in the dark web to date … almost two times larger than the previous largest … the Exploit.in combo list.

This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches. [So] hackers can automate account hijacking or account takeover. … Searching for “admin,” “administrator” and “root” returned 226,631 passwords of admin users in a few seconds.

14% of exposed username/password pairs had not previously been … available in clear text [and] adds 385 million new credential pairs.

When it comes to collating leaked credentials, we always turn to Troy “@haveibeenpwned” Hunt. What’s he think?

It includes a heap of stuff that's been circulating for years as well as a lot of other data I've been processing since then. … It also refers to "breaches" proven to be fabricated, unverifiable or outright fake.

A raft of new people have pointed me to news stories on it. … The aggregation is the only story here. … Nothing new to see.

Wait. Nothing? Really? Your humble blogwatcher presumes to presume differently:

Aside from 200 million plain-text passwords we’ve not seen before, presumably?

But of course, Hunt is right, in the sense that most of this is pretty old news. But as Lee Mathews says, “That doesn't make the data any less useful to cybercriminals”:

Some of these breaches happened quite a while ago and the stolen or leaked passwords have been circulating for some time.

Because people tend to re-use their passwords — and because many don't react quickly to breach notifications — a good number of these credentials are likely to still be valid. If not on the site that was originally compromised, then at another one where the same person created an account.

And not everyone’s an unabashed fan of Hunt and haveibeenpwned.com—ninonino, for example:

[It’s] rather often quite incomplete. [Troy Hunt] often only has partials of dumps he claims to have added and when this was pointed out he didn't want to add the rest - didn't even want to change the description of the dumps to say they were incomplete.

Cue countless commentators asking where they can download it. William Herrin suggests a legit reason to do so:

NIST Special Publication 800-63-3 on authentication says we should check users' proposed passwords against a list of known compromised passwords. This sounds like a pretty good list.

So where do we go from here? Heed Charles “@charlesboyer” Boyer’s analysis:

[It] shows the futility of passwords, and a new form of identity management is needed.

Such as? Such as the one Johanna Curiel describes:

Universal 2nd Factor, or U2F, is an open source approach that might be just what application developers need. [The] standard, created by Google and Yubico, lets users securely and instantly access multiple online services using a single device, without requiring … special device drivers or client software. With U2F, you can use [one] token for … many services.

The key device functions as a security token that lets the user login to multiple online services that support U2F. … Yubico describes U2F as "a challenge-response protocol extended with phishing and MitM protection, application-specific keys, device cloning detection and device attestation."

The … protocol is built with very strong security in mind, and it has a very promising future. Nonetheless … A successful implementation depends on how well you program and integrate the other required components.
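The properties Yubico lists (challenge-response, phishing and MitM protection, application-specific keys, cloning detection, attestation) are easier to see as an actual exchange. What follows is an added example, not code from this page, from Yubico or from any U2F library: a toy token and relying party in Go that play through a legitimate login, a phished login and a login from a cloned token. The AppID and origin values, the key-handle format and the single per-token counter are assumptions; the signed message follows the U2F layout (SHA-256 of the AppID, a user-presence byte, a big-endian counter, SHA-256 of the client data), but attestation and the folding of the AppID into the key handle are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Token models a U2F device: a P-256 key per registration, found by key handle, plus a
// use counter that only ever increases. Left out of this model: the AppID folded into the
// key handle (what makes the key application-specific) and the attestation certificate.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

// Assertion is the token's answer. ClientData is the JSON {challenge, origin} the
// browser assembled; Signature is DER ECDSA over signedBytes(...).
type Assertion struct {
	KeyHandle  string
	Counter    uint32
	ClientData []byte
	Signature  []byte
}

func randHex(n int) string { b := make([]byte, n); rand.Read(b); return fmt.Sprintf("%x", b) }

// signedBytes follows the U2F layout: sha256(AppID) || 0x01 (user present) || counter (big-endian) || sha256(clientData).
func signedBytes(appID string, c uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	msg := append(app[:], 0x01, byte(c>>24), byte(c>>16), byte(c>>8), byte(c))
	return append(msg, cd[:]...)
}

// Sign bumps the counter and signs; a handle this token never registered is refused.
func (t *Token) Sign(appID, handle string, clientData []byte) (*Assertion, error) {
	priv, ok := t.keys[handle]
	if !ok { return nil, fmt.Errorf("handle %s not on this token", handle) }
	t.counter++
	digest := sha256.Sum256(signedBytes(appID, t.counter, clientData))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return &Assertion{handle, t.counter, clientData, sig}, err
}

// Server is the relying party; AppID and Origin are assumed example values.
type Server struct {
	AppID, Origin string
	pubs          map[string]*ecdsa.PublicKey // key handle -> public key
	counters      map[string]uint32           // key handle -> highest counter accepted
}

// Verify checks origin (phishing/MitM), signature (possession of the key) and
// counter advance (cloned device, or a replayed assertion), in that order.
func (s *Server) Verify(a *Assertion) error {
	pub, ok := s.pubs[a.KeyHandle]
	if !ok { return fmt.Errorf("unknown key handle") }
	var cd map[string]string
	if err := json.Unmarshal(a.ClientData, &cd); err != nil { return err }
	if cd["origin"] != s.Origin {
		return fmt.Errorf("origin %q is not %q: phishing or MitM", cd["origin"], s.Origin)
	}
	digest := sha256.Sum256(signedBytes(s.AppID, a.Counter, a.ClientData))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) { return fmt.Errorf("bad signature") }
	if last := s.counters[a.KeyHandle]; a.Counter <= last {
		return fmt.Errorf("counter %d did not advance past %d: cloned device?", a.Counter, last)
	}
	s.counters[a.KeyHandle] = a.Counter
	return nil
}

// login plays the browser: fresh challenge, the origin it is really on, token signs, server
// verifies. (A real browser refuses to sign for an AppID that does not match its origin.)
func login(s *Server, t *Token, handle, browserOrigin string) error {
	cd, _ := json.Marshal(map[string]string{"challenge": randHex(32), "origin": browserOrigin})
	a, err := t.Sign(s.AppID, handle, cd)
	if err != nil { return err }
	return s.Verify(a)
}

// Scenarios returns the outcomes of a legitimate login, a phished login and a
// login from a cloned token; nil means the server accepted the assertion.
func Scenarios() (legit, phished, cloned error) {
	srv := &Server{"https://example.com", "https://example.com", map[string]*ecdsa.PublicKey{}, map[string]uint32{}}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: one key for this AppID
	if err != nil { return err, err, err }
	handle := randHex(16)
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{handle: priv}}
	srv.pubs[handle] = &priv.PublicKey
	legit = login(srv, tok, handle, "https://example.com")
	phished = login(srv, tok, handle, "https://examp1e.com") // look-alike site relaying the real challenge
	clone := &Token{keys: tok.keys, counter: tok.counter}    // attacker copied key material and counter
	_ = login(srv, tok, handle, "https://example.com")       // genuine token used once more
	cloned = login(srv, clone, handle, "https://example.com")
	return
}

func main() { fmt.Println(Scenarios()) }
```

Run it and the first result is nil while the other two are errors naming the origin mismatch and the stale counter. Note the limitation the counter has: it only catches a clone once the genuine token has been used again. If the clone is used first, it is the genuine token that gets rejected later, so a counter regression is an incident to investigate, not just a failed login.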

Yep. As MrsCuriousEngineer “@pbrunou” would say:


But as for the claim that 4iQ discovered the dump on the (ahem) “dark web,” it turns out that the aggregator posted the Magnet link to Reddit. Um, I’ve seen darker websites. Whatever.

The moral of the story? Passwords are lame, so you should get to grips with 2FA, U2F, OAuth, etc. (Who knows? One day Steve Gibson might even finish SQRL.) But in the meantime:

  • Test your users’ passwords against common patterns—e.g., M0nkey, Password1, and Qwerty123.
  • Screen your users’ credentials against publicly available leaks (ideally via a k-anonymity lookup, so you never hand full password hashes to a third party).
  • Enforce password changes where there is evidence of compromise: NIST SP 800-63B no longer recommends routine expiry.
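The three bullets above are one procedure, and NIST SP 800-63B (the document William Herrin points at, §5.1.1.2) describes it as a blocklist check at the moment a password is chosen. What follows is an added example in Go, not code from this page, from NIST or from Troy Hunt’s service: it normalises the cheap mutations (M0nkey, Password1, Qwerty123) back to their base word, screens the candidate against a leak corpus with a k-anonymity range lookup of the kind Pwned Passwords offers (5 hex digits of SHA-1 sent, a list of SUFFIX:COUNT lines returned), and enforces the 8-character minimum. The corpus, the base-word list and the in-memory “range index” are constructed stand-ins; a real deployment would query the range endpoint over HTTPS with the same 5-character prefix.

```go
package main

import (
	"crypto/sha1"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed stand-in for a leaked-password dump (not real data; "password" twice on purpose).
var leakedCorpus = []string{"123456", "password", "qwerty", "letmein", "Summer2017!", "monkey", "Password1", "password"}

// rangeIndex maps the first five hex digits of SHA-1(password) to "SUFFIX:COUNT" lines,
// the same shape a k-anonymity range lookup (as in Pwned Passwords) returns.
type rangeIndex map[string][]string

func sha1Hex(s string) string { return fmt.Sprintf("%X", sha1.Sum([]byte(s))) }

// buildRangeIndex is the "server side": it only ever needs to answer for a prefix.
func buildRangeIndex(corpus []string) rangeIndex {
	counts := map[string]int{}
	for _, pw := range corpus {
		counts[sha1Hex(pw)]++
	}
	idx := rangeIndex{}
	for h, n := range counts {
		idx[h[:5]] = append(idx[h[:5]], h[5:]+":"+strconv.Itoa(n))
	}
	return idx
}

// PwnedCount is the client side of the k-anonymity check: only the 5-hex-digit
// prefix would leave the machine; the full hash is matched locally.
func PwnedCount(idx rangeIndex, pw string) int {
	h := sha1Hex(pw)
	for _, line := range idx[h[:5]] {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == h[5:] {
			n, _ := strconv.Atoi(parts[1])
			return n
		}
	}
	return 0
}

var (
	leet     = strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s")
	trailing = regexp.MustCompile(`[0-9!@#$%^&*.]+$`)
	// Base words attackers mutate first (constructed; a real list is far longer).
	commonBases = map[string]bool{"password": true, "monkey": true, "qwerty": true, "letmein": true, "123456": true, "welcome": true, "admin": true}
)

// Normalize undoes the cheap mutations crackers try first: case, leetspeak and a
// trailing run of digits/punctuation. An all-digit password has nothing to strip.
func Normalize(pw string) string {
	base := trailing.ReplaceAllString(pw, "")
	if base == "" {
		return pw
	}
	return leet.Replace(strings.ToLower(base))
}

type Verdict struct {
	OK     bool
	Reason string
}

// CheckPassword applies the NIST SP 800-63B §5.1.1.2 screens: commonly-used values
// (including trivial variants) and known-compromised values are rejected, and the
// 8-character minimum for user-chosen secrets is enforced.
func CheckPassword(idx rangeIndex, pw string) Verdict {
	if base := Normalize(pw); commonBases[base] {
		return Verdict{false, "variation of common password " + base}
	}
	if n := PwnedCount(idx, pw); n > 0 {
		return Verdict{false, fmt.Sprintf("seen %d time(s) in leaked data", n)}
	}
	if len(pw) < 8 {
		return Verdict{false, "shorter than 8 characters"}
	}
	return Verdict{true, ""}
}

func main() {
	idx := buildRangeIndex(leakedCorpus)
	for _, pw := range []string{"M0nkey", "Password1", "Qwerty123", "Summer2017!", "Short1", "Tr0ub4dor&3"} {
		fmt.Printf("%-12s %+v\n", pw, CheckPassword(idx, pw))
	}
}
```

The order of the checks is deliberate: the pattern test is free and catches the page’s three examples, the breach lookup catches things like Summer2017! that no pattern rule would, and the length rule comes last so a user sees the more useful reason first. When the breach screen is run against existing accounts rather than new passwords (the second bullet), the hit is the trigger for the forced change in the third.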

And finally …

Alex Jones—as you’ve never seen him before

 “Splicing little babies with fish!”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Topics: Security