Free Republic

Microsoft Finds Password Security Problem Affecting 44 Million Users
Forbes ^ | December 6, 2019 | Davey Winder

Posted on 12/06/2019 6:47:14 AM PST by Perseverando

After analyzing a database containing 3 billion leaked credentials from security breaches, the Microsoft threat research team determined more than 44 million user accounts had a serious security problem. Here's what you need to know.

The Microsoft threat research team password analysis

The Microsoft threat research team analyzed billions of login credentials that had been leaked following security breaches. These came from multiple sources, including law enforcement and publicly accessible databases, according to Microsoft.

Considering that data breaches are known to have exposed 4.1 billion records in the first six months of 2019 alone, there's obviously plenty of this kind of credential data floating around, and plenty that is traded across dark web markets. Security researchers analyze this breach data, and by so doing, it's possible to get an idea of the most commonly reused and therefore insecure passwords. The Microsoft identity threat research team was also looking for these compromised credentials to cross-check against the Microsoft user ecosystem.

Across just the first three months of 2019, Microsoft found some 44 million accounts that were reusing passwords found within those breached credentials databases. You might think that 44 million reused passwords, out of more than 3 billion breached credentials, isn't too bad a percentage. Unless you are one of those Azure AD or Microsoft Account holders with the password problem, of course.

What is password reuse, and why is it a security problem?

Don't think you are safe just because you don't use any of the headline passwords mentioned in the "most reused passwords" lists that regularly appear online, as threat actors use a variety of techniques to reveal login credentials. If one of your passwords turns up in a breached database and you use it to access your email account, for example, it's often game over as

(Excerpt) Read more at forbes.com ...


TOPICS: Business/Economy; Computers/Internet; Science; Society
KEYWORDS: microsoft; windows

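The cross-check the article describes, testing whether a password already appears in a leaked-credential set, as an added example that is not Microsoft's code or the article's. It uses the k-anonymity range scheme of the public Pwned Passwords service (the page does not name that service; the choice is mine): the client sends only the first five hex characters of the password's SHA-1, receives every known suffix under that prefix, and does the match locally, so the password and its full hash never leave the machine. The breach corpus and its counts are constructed for the example; the `hibp_fetcher` function shows the real endpoint but is not called offline.

```python
"""Check a candidate password against a breach corpus without revealing it.

Added example (not code from the Forbes article or from Microsoft).  It
mirrors the k-anonymity scheme used by the public Pwned Passwords range API:
the client sends only the first five hex characters of the password's
SHA-1, receives every known suffix under that prefix, and matches locally.
The breach corpus below is constructed for the example.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-credential corpus (password -> times seen).
# The counts are invented for the example and the corpus is tiny on purpose.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "Password": 100_000,
    "PaSsWoRd": 20,
    "Br0nc0s!": 1,
}

PREFIX_LEN = 5  # the service only ever sees this much of the hash


def sha1_upper_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus the way a range endpoint serves it:
    prefix -> ["<35-hex-suffix>:<count>", ...]."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_upper_hex(pw)
        index[digest[:PREFIX_LEN]].append(f"{digest[PREFIX_LEN:]}:{count}")
    return dict(index)


def make_local_fetcher(index: dict):
    """Return a fetcher that answers range queries from the local index and
    records what it was asked, so a caller can confirm the full password
    (and full hash) never left the client."""
    queries = []

    def fetch(prefix: str) -> str:
        queries.append(prefix)
        return "\n".join(index.get(prefix, []))

    fetch.queries = queries
    return fetch


def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the corpus (0 if never).

    Only the 5-hex-char prefix is sent; the suffix comparison happens here."""
    digest = sha1_upper_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        cand_suffix, count = line.split(":", 1)
        if cand_suffix.upper() == suffix:
            return int(count)
    return 0


def hibp_fetcher(prefix: str) -> str:
    """Fetcher for the real Pwned Passwords range endpoint (not used offline).
    The response body is SUFFIX:COUNT lines, one per known hash."""
    from urllib.request import Request, urlopen
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "breach-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    fetch = make_local_fetcher(build_range_index(CONSTRUCTED_BREACH_CORPUS))
    for pw in ["password", "PaSsWoRd", "Br0nc0s!@work"]:
        n = pwned_count(pw, fetch)
        verdict = f"seen {n} times, do not use" if n else "not in corpus"
        print(f"{pw!r}: {verdict}")
    print("prefixes sent to the service:", fetch.queries)
```

To run it against the live service, pass `hibp_fetcher` instead of the local fetcher; the client-side logic is unchanged, which is the point of the range design.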

To: dayglored

Windows ping?


2 posted on 12/06/2019 6:48:12 AM PST by Perseverando (Liberals, Progressives, Islamonazis, Statists, Commies, DemoKKKrats: It's a Godlessness disorder.)

To: Perseverando

User: Admin.
Password: Password.

What’s the problem?


3 posted on 12/06/2019 6:49:33 AM PST by mad_as_he$$

To: Perseverando

Ok, ok, ok I get it..... Change my passwords from PASSWORD and 123456 to new ones....... ok, ok how about PaSsWoRd?


4 posted on 12/06/2019 6:50:38 AM PST by Lockbox

To: Perseverando

“Here’s what you need to know...”

~~~

That quote appears in the first paragraph.
I then read 4 paragraphs that said just about the same thing in different words.

I refuse to click the f’n link.

I’m not reading a whole scary click-bait article to try to find out exactly which users were compromised.

The simple answer is, use strong passwords, and use different ones for personal and social accounts than you do for banking and important accounts.


5 posted on 12/06/2019 6:52:42 AM PST by z3n

To: Perseverando

10 million MS scam artists are calling all over the place to help “secure” the “breached” computers. All they need is a social security number.

Holy crap what CRAP Microsoft has ALWAYS been. The dirt road internet paved with layer after layer after layer of patch blobs of asphalt.... correction ASS Fault.


6 posted on 12/06/2019 7:16:47 AM PST by John S Mosby (Sic Semper Tyrannis)

To: Perseverando
What you REALLY need to know:

8 character passwords are no longer safe.

One of the services that I have designed and provide to our customers is a password cracking service. I can go through EVERY POSSIBLE combination of a Windows 8 character password in a week. And that is using standard hardware on a standard well known to the internet build. IOW, if I can do it, so can others.

How to make a strong password that is domain specific.

First, start with a strong 8 character password. One that has at least one capital, one lowercase, one number. Let's start with the word "Broncos".... change that to "Br0nc0s!" by replacing the o's with zeros and adding an exclamation point.

Then a special character to mark the difference between the password and the tag or purpose.

Br0nc0s!@work

Br0nc0s!@retirement

Br0nc0s!@school

Instead of using "@" others will use "#", a comma, a semicolon, etc.

Now having said all of that, it is a really strong password. I do not recommend using the names of NFL/NHL/NBA/MLB teams, mascots or towns. Also, don't use the company that you work for in the password.

AND NEVER USE PASSWORD OR ANY VARIANT OF PASSWORD!

7 posted on 12/06/2019 7:18:39 AM PST by taxcontrol (Stupid should hurt - dad's wisdom)

To: taxcontrol

If you must generate your own passwords, there are plenty of sites like this:

https://passwordsgenerator.net/

I use Dashlane for password management. I like it because I only need to remember one good password, yet all of the logins I use have their own strong password.

There are other good apps.


8 posted on 12/06/2019 7:25:28 AM PST by MV=PY (The Magic Question: Who's paying for it?)

To: taxcontrol

I don't understand your post.

Are you saying the domain specific should be part of the password?


9 posted on 12/06/2019 7:26:36 AM PST by RummyChick

To: MV=PY

The problem with password manager applications is that once the application is:

- lost, then there are X number of accounts that are needing to be reclaimed

- compromised, then all accounts are compromised

It is an “all eggs in one basket” solution that has serious ramifications should either of the above occur.


10 posted on 12/06/2019 7:32:53 AM PST by taxcontrol (Stupid should hurt - dad's wisdom)

To: RummyChick

Yes.

One common mistake that people make is to use a single password for all of their domains. i.e. “Br0nc0s!” for everything. First, that is too short (NIST recommends 14 characters for admin accounts) and second, once compromised, all accounts are at risk.

Adding the "@domain" to the end of the password makes it much longer and creates a short password structure that can be remembered easily.


11 posted on 12/06/2019 7:36:11 AM PST by taxcontrol (Stupid should hurt - dad's wisdom)

To: Perseverando

I use a password manager called Enpass. It simplifies things and generates really strong passwords. As of today it has 179 logins.


12 posted on 12/06/2019 7:38:26 AM PST by beef (Caution: Potential Sarcasm - Process Accordingly)

To: taxcontrol

Patterns like that are easily defeated and well known.


13 posted on 12/06/2019 7:40:53 AM PST by CodeToad

To: taxcontrol

Well, IMHO the problem with this scheme is that if just one of your passwords is leaked, then all of them are. Is that not correct?


14 posted on 12/06/2019 7:43:03 AM PST by beef (Caution: Potential Sarcasm - Process Accordingly)

To: Perseverando

The headline should have said “Microsoft finds that 44 million users use stupid passwords.”


15 posted on 12/06/2019 7:49:10 AM PST by I want the USA back (If free speech is taken away, dumb and silent we are led, like sheep to the slaughter: G Washington)

To: MV=PY

“there are plenty of sites like this”

The problem with this is you have to trust whoever is generating your passwords. Otherwise your nice long nonsensical password just goes into a list of passwords to try. With hashes precomputed.

The question I should be asking is how do I know Enpass can be trusted? I really don’t. I just check to make sure they are still in business and have not made the news.

Always, always enable 2FA, especially on high value accounts.


16 posted on 12/06/2019 7:50:51 AM PST by beef (Caution: Potential Sarcasm - Process Accordingly)

To: Perseverando
https://www.random.org/passwords/

Generate a list of up to 100 passwords, between 6 and 24 characters in length. It doesn't use special characters, so plug in a couple or few. You can also brew your own using a mix from the list. These are not passwords you'll remember:

2BGkWPmEvX

I write them down, and keep them near my coffeemaker, not my computer. I normally have coffee while I'm on the computer. If I don't make coffee before I sit at the computer, I have to get back up to get the password list. Since I'm at the coffeemaker anyways, I make a fresh pot.

Win/Win

17 posted on 12/06/2019 8:12:31 AM PST by AF_Blue (My decision-making skills closely resemble those of a squirrel when crossing a road)

To: Perseverando

Cloud vs spare hard drives. An easy solution to data security. Also, use a separate device for the internet and always use strong passwords. Simple.


18 posted on 12/06/2019 8:42:31 AM PST by Seruzawa (TANSTAAFL!)

To: CodeToad
Actually not. A cracker (one who breaks passwords) has to attack the entire hash. They do not attack just the first part, they have to work against the entire length of the password. By adding the domain extension, the password length is increased significantly.

Assuming an 8 character password and a 96 character possible combination of characters. I would argue that the vast majority of users do not know how to insert ALT based keyboard special characters. This leaves us with the set of alphabet (upper and lower case), numbers and about 32 keyboard special symbols ... a “normal” pool of about 94 characters.
10 numbers
26 upper
26 lower
32 keyboard specials (Keys like the “=” sign)

Just to round up, let's use 96 as the pool. A single character password could then consist of 1^96 possible combinations. 2 characters would be 2^96 etc.

So let's see what that looks like time wise according to the calculator from Tulane (https://tmedweb.tulane.edu/content_open/bfcalc.php?uc=&lc=&nu=&sc=&ran=&rans=6&dict=):

Assuming alpha, numeric, and specials and using a typical 2007 cpu to crack

6 characters - a little over 13 hours
8 characters - over 118,000 hours

HOWEVER

GPU cards have significantly sped up the process of guessing passwords. Based on using 8 cards from the Nvidia 1080 line, the benchmarks show significant improvement.
https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40

Such a system can test over 300 Billion passwords per second against the MD5 hash. This means that 8 characters are no longer safe and much larger passwords must be used. In short, size matters. Here is an interesting chart for cracking times.

https://www.betterbuys.com/estimating-password-cracking-times/

By using a structure of [strong 8 character or longer][special character][context] the length of the password more often approaches 14 characters and longer. This makes cracking the first password out of the reach of most script kiddies, hackers, and criminal gangs. So the assertion that the pattern is easily defeated is false.

*Note
It should also be mentioned that different hash algorithms make this even more difficult by reducing the number of hashes that can be guessed per second. bcrypt and scrypt are examples of such “improved” hashes. However, using pass phrases / sentences is much easier for the user and reduces the password computational requirement on the server. It is a balance between protection against attacks and ease of use.

A good explanation can be found here:
https://blog.benpri.me/blog/2019/01/13/why-you-shouldnt-be-using-bcrypt-and-scrypt/

19 posted on 12/06/2019 8:45:48 AM PST by taxcontrol (Stupid should hurt - dad's wisdom)

To: beef

So how does leaking a password change from a single domain password?

If the single domain password is leaked, all domains are compromised instantly.

If a multi domain password is leaked, there is still the domain portion that must be guessed. One could argue that the guessing process is trivial but let's consider the following scenario.

Br0nc0s!@work is leaked

Attacker knows that customer has account at Bank of America. What password to use?

Br0nc0s!@ ????

BOA?
BofA?
Bank?
check?
savings?
mortgage?
etc

So not instantly compromised.

Leaking a password (ie it gets out) is not what this method is attempting to mitigate against. It is the cracking of passwords - a technique used by a hacker to guess passwords using easily obtained hardware - that this method works against.


20 posted on 12/06/2019 8:53:29 AM PST by taxcontrol (Stupid should hurt - dad's wisdom)
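The arithmetic behind posts 19 and 20, plus the local alternative to the generator websites discussed in posts 16 and 17, as one added example that is not code from any poster. It takes the thread's own figures as inputs: a 96-character pool, an 8-character password, and the 300 billion MD5 guesses per second quoted for an 8-GPU rig (that rate is used as quoted, not measured here). The keyspace is computed as pool size raised to the password length. The bank-context guess list for the leak scenario is constructed for the example; an attacker's list would be longer.

```python
"""Keyspace, cracking time, leaked-pattern guessing and local generation.

Added example, not code from any poster in the thread.  It carries the
thread's own figures through: a 96-character pool (rounded up from 94),
an 8-character password, and the 300 billion MD5 guesses per second the
thread quotes for an 8-GPU rig.  That rate is taken as quoted, not measured.
The context guess list for the leak scenario is constructed here.
"""
import math
import secrets
import string

POOL_SIZE = 96                 # thread's rounded-up printable pool
GUESSES_PER_SECOND = 300e9     # thread's MD5 figure for 8 GPUs, as quoted
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(pool_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from the pool:
    pool_size ** length (96 ** 8 for the thread's example)."""
    return pool_size ** length


def crack_seconds(pool_size: int, length: int,
                  rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the whole space at `rate` guesses/s.
    Hash choice matters: the rate assumes a fast unsalted hash like MD5."""
    return keyspace(pool_size, length) / rate


def entropy_bits(pool_size: int, length: int) -> float:
    """log2 of the keyspace; 8 chars from 96 is about 52.7 bits."""
    return length * math.log2(pool_size)


# --- the leak scenario from the thread: "Br0nc0s!@work" has escaped -------
# Constructed guess list for a bank account; a real attacker would build a
# longer one from the target site's name, as the thread itself sketches.
CONTEXT_GUESSES = [
    "BOA", "BofA", "Bank", "bank", "check", "checking", "savings",
    "mortgage", "money", "bankofamerica", "BankOfAmerica",
]
SEPARATORS = "@#,;|"  # the separators the thread suggests


def split_pattern(leaked: str) -> tuple:
    """Recover (base, separator, context) from a leaked pattern password,
    or (leaked, '', '') when no separator is present."""
    for sep in SEPARATORS:
        if sep in leaked:
            base, _, context = leaked.partition(sep)
            return base, sep, context
    return leaked, "", ""


def candidates_from_leak(leaked: str, contexts=CONTEXT_GUESSES) -> list:
    """Passwords to try on another site once one pattern password leaks.
    Only the context is unknown, so the list is tiny next to the keyspace."""
    base, sep, _ = split_pattern(leaked)
    if not sep:
        return []
    return [f"{base}{sep}{ctx}" for ctx in contexts]


def guesses_until_hit(candidates: list, target: str):
    """1-based position of the target in the guess list, or None."""
    for i, cand in enumerate(candidates, start=1):
        if cand == target:
            return i
    return None


# --- local generation: no website ever sees the password ------------------
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw from the OS CSPRNG via `secrets`; 16 chars of 94 is ~105 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"pool {POOL_SIZE}, rate {GUESSES_PER_SECOND:.0e} guesses/s (MD5)")
    for n in (6, 8, 10, 12, 14, 16):
        yrs = crack_seconds(POOL_SIZE, n) / SECONDS_PER_YEAR
        print(f"  {n:2d} chars: {entropy_bits(POOL_SIZE, n):5.1f} bits, "
              f"exhaustive search {yrs:.3g} years")

    leaked, target = "Br0nc0s!@work", "Br0nc0s!@BofA"
    cands = candidates_from_leak(leaked)
    print(f"\n{leaked!r} leaked; {len(cands)} candidates for the bank, "
          f"hit on guess {guesses_until_hit(cands, target)} "
          f"versus {keyspace(POOL_SIZE, len(target)):.2e} for brute force")

    pw = generate_password()
    print(f"\nlocally generated: {pw!r} "
          f"({entropy_bits(len(ALPHABET), len(pw)):.0f} bits)")
```

With the quoted rate, exhausting all 8-character passwords from the 96-character pool takes under seven hours, while 14 characters takes hundreds of millions of years; the same run shows that once one `base@context` password leaks, the sibling for another site falls to a handful of guesses rather than to a brute-force search.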



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson