(Originally written in 2014)
In the past 14 days, I’ve received twice as many emails as usual informing me of password dumps and stolen credentials. Acting on that information meant dropping the gears on certain projects to get traction on protecting our customers. Management didn’t understand, since it wasn’t our site that had been outed. I explained to them that attackers use passwords from other sites’ dumps to attempt account takeovers on our web properties, hoping that our customers reuse passwords in an attempt to simplify the security of their online identities. I sent the C-suite an executive summary from our honeypot service showing all ATO attempts. It was clear.
As a security or operational professional:
YOU NEED TO BE CONCERNED WHEN ANOTHER SITE IS COMPROMISED AND CREDENTIALS ARE LEAKED
The Truth Behind The Infamous Password Dump
The news has been abuzz the past few weeks, like a colony looking for its queen, with back-to-back-to-back-to-back password dumps appearing on LeakedIn, Pastebin and HaveIBeenPwned.
I’ve been on all four sides of the fence when it comes to password dumps: at the receiving end of a dump as an organization facing account takeover (ATO) attempts, as a security researcher investigating breaches, as a person whose credentials were leaked, and as a security vendor who waved the magical unicorn horn wand with the promise to make the problem go away.
There’s just one thing that all four points of this security star had in common, and none of them could ever proactively solve it: password reuse by end users.
What is Password Reuse?
This is the process of using one remembered password at more than one website or application to reduce login friction as an end user. It simply means using your password more than once. Password reuse also encompasses the variant approach, such as adding a “!” or “1” to the end of your password while keeping the same base password.
How to Prevent Password Reuse
It’s simply not possible.
Welcome to my TED talk.
The Mike Mackintosh Journals: These are old articles I’ve written but never posted because they were either incomplete or I was too critical of them. Thought it would be fun to share them.