
Case Studies in Poor Password Management

October 20, 2020 by Dimitar Kostadinov

Introduction

In essence, a password is a cryptographic secret that needs proper storage and management. Even for individual users this can be a difficult task, let alone for large organizations with hundreds of employees. Sometimes the end result is disastrous, whether it happens in a business or a personal setting.


No Password Equals No Protection

  • Cupid Media stored over 42 million user passwords in plaintext. The attackers who targeted their database must have been very happy to have found this trove.
  • The parent company of New York Sports Clubs made a similar security lapse. No password was set on their unprotected server, which meant that personal customer records and financial records were up for grabs for anyone smelling blood.
  • New York University left unprotected a backup drive that carried information on a confidential encryption-breaking program that had some military/intelligence backing.
  • Staying on the topic of military and intelligence services: Booz Allen, a consulting organization with ties to military and intelligence agencies, left classified data on a publicly accessible Amazon server with no protection. Not even a password. A cache of more than 60,000 files could be found there, containing sensitive information and security credentials belonging to several government contractors that operated under Top Secret Facility Clearance.
  • The security researcher Kushagra Pathank stumbled upon an unexpected discovery: openly accessible links to sensitive documents for various United Nations accounts. He did nothing amazing to make this discovery; he just ran some simple search engine queries.

Apparently, flawed security settings were applied during the initial setup. Regardless of the reasons for this poor password management, it is shocking that an international organization of such magnitude did not have recourse to a password vault or two-factor authentication.

Weak Password Protection

A 2018 Verizon study established the correlation between weak, default or stolen passwords and data breaches: it found that 81% of data breaches involved such passwords.

  • Australian government officials were apparently negligent in their duty to use strong credentials when accessing information assets in government agencies. They used generic logins (e.g., “abcd1234”) and passwords (like “password123”) instead.

According to a report published by the Seattle-based security specialist WatchGuard, half of all passwords associated with .GOV and .MIL email addresses were so weak – “123456,” “password,” “linkedin,” “sunshine,” and “12345678”, to mention a few – that they were hacked within two days.

  • In the Ashley Madison data breach, credentials of government and military employees were exposed again, but for entirely different reasons. Passwords and usernames of a total of 32 million users were compromised. Besides leaked credit card and payment details, the Ashley Madison case exposed other stolen information: real names, real addresses and phone numbers. Read more about this interesting case in “Ashley Madison Revisited: Legal, Business and Security Repercussions.”
  • 412.2 million accounts of members of the dating platform Adult Friend Finder were collected by attackers in October 2016. Because most of the stored passwords were guarded only by the weak SHA-1 hashing algorithm, they were likely exposed before the official news of the incident surfaced on front pages.
  • In Adobe’s 2013 incident, the security team made three serious mistakes concerning password management:

  1. Using the same key to encrypt every password
  2. Relying on a flawed encryption method known as ECB mode, which makes equal passwords look exactly the same
  3. Not encrypting the password hints

  • 117 million passwords were compromised in 2012 because LinkedIn did not add random data (a salt) to its password hashes, which would have made them more resilient to reverse engineering.
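The Adobe and LinkedIn mistakes above share one root cause: a deterministic transform (unsalted SHA-1, or ECB encryption under one key) maps equal passwords to equal stored values, so duplicates and precomputed-table hits are visible to whoever holds the dump. The following added example (not code from the article or from any of the companies named) contrasts that with a per-user salt plus a slow key derivation function; the user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample "user database": two users chose the same password.
USERS = [("alice", "sunshine"), ("bob", "sunshine"), ("carol", "Tr0ub4dor&3")]
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster


def weak_store(password: str) -> bytes:
    """Unsalted SHA-1, the scheme blamed in the LinkedIn and Adult Friend
    Finder cases: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).digest()


def strong_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256. Both values are stored;
    the salt need not be secret, it only has to be unique per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def duplicate_groups(records) -> int:
    """Count stored values shared by more than one user: this is what an
    unsalted (or single-key ECB) table leaks before any cracking is done."""
    counts = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_schemes() -> Tuple[int, int]:
    """Returns (duplicate groups under weak scheme, under strong scheme)."""
    weak = {user: weak_store(pw) for user, pw in USERS}
    strong = {user: strong_store(pw)[1] for user, pw in USERS}
    return duplicate_groups(weak), duplicate_groups(strong)


if __name__ == "__main__":
    print("duplicate password groups (weak, strong):", compare_schemes())  # (1, 0)
```

Under the weak scheme alice and bob are immediately linkable and a single table lookup of “sunshine” breaks both accounts; under the salted scheme every record is distinct and each must be attacked separately at the full PBKDF2 cost.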


Password Reuse

According to Dodi Glenn, vice president of cyber security at the Iowa-based security software company PC Pitstop, the biggest problem when a credential leak occurs is username and password reuse:

“With username and password reuse, an individual may use the same e-mail address or username and password on site A that they would use on sites B and C. When site A gets compromised, the hacker uses an underground tool to check other various sites to see if this account login and password combination exists elsewhere.”

  • Celebgate is a case where some famous users fell prey because of weak passwords, some of which were used across multiple accounts. Drake, Katy Perry and Lana Del Rey are other celebrities who had their Twitter accounts hacked because they were reusing passwords from other websites and services that had been exposed in the past, such as MySpace and LinkedIn. Although there were encryption mechanisms in place, they were evidently not good enough to withstand what hackers had to offer.
  • Dropbox admitted that it fell victim to a massive hack that had taken place in 2012 and resulted in the email addresses and hashed passwords of 68,680,741 accounts being stolen. The point of compromise was a Dropbox employee who reused a password that had been harvested in another data breach.

Almost half of U.S. workers use the same passwords for personal and work accounts, and almost 60% of respondents to one survey admitted to using the same password everywhere.

Loose Internal Practices Related to Password Management or Cases of Rogue Insiders

  • It was made known in May 2018 that a glitch in the Twitter system where all stored passwords resided caused user information to be accessible on the internal network. While this is not tantamount to a breach or misuse of data, it can be seen as mismanagement of password information.
  • “A chain is only as strong as its weakest link” – you have heard that before, right? Unfortunately, even if security is a top priority in your company, the third parties you work with may not have the same attitude towards it. Something along these lines happened in the 2013 Target data breach. A third-party vendor’s login credentials were sniffed out by a Trojan hiding in their IT infrastructure. As a side note, Home Depot was compromised in an almost identical way.

That did not exonerate Target themselves from any responsibility: they should have “at least mandate[d] two-factor authentication to contractors who have internal access to sensitive information," suggested Chris Poulin, a research strategist for IBM.

  • The Aadhaar number, a unique 12-digit ID that almost every Indian citizen has, is more or less equivalent to the Social Security Number in the United States, as a lot of personal data – name, address and biometrics, for example – is stored in a government database. Because backdoors can be useful, there exists a portal on the Aadhaar website that lets anyone with login credentials into the Aadhaar database. While the portal is intended for government officials for the purpose of correcting inaccurate information, rogue agents have been selling access to it to anyone willing to pay $5-10.


Key Takeaways

Do not expect cases of poor password management to vanish any time soon, because people generally give priority to convenience over security or are downright careless.

Obviously, there are some lessons to be learned from each data breach mentioned here:

  1. Never reuse a password
  2. Change your password, especially if you suspect it may have been exposed
  3. Enable two-factor authentication
  4. Never completely trust service providers
  5. Use proper encryption in the password management process

If companies are not willing to apply these measures to their business dealings, they had better be ready to pay the price.

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.