3 ways to respond to a password breach, inspired by Facebook

As password breaches continue, it's time to advance better ways of responding that lead to changes in authentication

Recent headlines detail the Adobe breach [link], resulting in the compromised credentials of 38 million active users and up to 150 million accounts in total. Just yesterday it was reported that MacRumours [link] forums experienced a password breach similar to the Ubuntu forums compromise earlier this year. That means an additional 860,000 credentials may be compromised.

The analysis that follows breaches like these usually focuses on "what went wrong" and then follows-up with concerns over the poor password choices evident in the now-public files.

On the heels of the Adobe breach, Facebook [link] took an interesting approach that other security professionals need to consider adopting in their organizations (with some changes outlined below). Facebook checked existing user accounts against the breached passwords and locked out accounts using compromised passwords.

In other words, they looked for password reuse on their system. When they found it, they locked people out and forced a password reset. It's a direct protection for the accounts (and a wise move on the part of Facebook).

By itself, however, it doesn't necessarily change behaviors or stem the problem. In order to shift the approach, first consider why attackers target passwords and why the rise in large-scale password breaches. 

Why attackers target passwords

Passwords are at the intersection of people, systems, and information. Attackers seek credentials (the username and password) to get access to those systems and the information they process and store.

As network and system level protections increased, the value of passwords (and credentials) as a means of attack also increased.

Attacks on passwords are a means to an end.

Why so many password breaches?

Attacking passwords presents a fairly easy choice: focus on grabbing individual passwords one-at-a-time, or work to breach an organization and take the entire password cache. 

The reasonable course of action for an attacker is to seek out a large, potentially diverse, cache of passwords. That allows them to either sell the stolen credentials to others or the means to gain access to targeted systems. 

While lamenting people as the "weak link" in security, the recent round of attacks focused on large stores of passwords suggests the real weak link is organizations failing to properly implement, maintain, and protect the most common means of authentication.

Admittedly, the high incidence of password reuse/recycling drives the demand/desire for credentials from well-trafficked sites.

That means the challenge of authentication is more complex and involves more steps than generally gets attention. To make a difference, that needs to change.

It starts with a different response.

3 actions to take after (someone else's) password breach

After learning of a password breach (like Adobe), grab the now-public files of the compromised credentials, especially if the passwords are already broken and available as plaintext.

1. Check for email addresses in your domain: this is a quick way to provide a dual service -- make sure the people in your organization are aware (and provide them with better service, education, and assistance) and as an opportunity to focus on checking if they reused a password for access to corporate systems.

2. Compare the know-known hashes against your own password database(s): whether the email is matched or not, it is worth checking the now-known hashes and plain text passwords against existing hashed password files.

Why?

Even when people choose complex, long passwords --> if the corresponding plain text/hash pair is known, it's now in attack dictionaries. Which means it's no longer a good password. This is worth explaining to people (next step).

3. Reach out to individuals with matching passwords: send a personal message (sure it could come from a template) that they need to change their password(s). Explain reuse and the risks. Provide them access to better information, training, and help, if needed.

Initially, it may seem like a lot of work. It might be. We have to reverse more than two-decades of poor explanations and chiding. Run the list. See how many people you can help. Then get started.

Longer term: how do we improve authentication?

Ripe for more discussion (we need to have), here are three things we need to do to improve authentication in general, and password authentication specifically:

1. Change the way we think about password authentication: it's a top target - yet few companies are investing in actual solutions for implementation, technology, or training (not awareness [link], not education -- it's training). It's time to step back and refocus on the purpose, benefits, and ways to authenticate with less friction for the right people, more friction for attackers.

2. Focus on proper implementation of password authentication: while it would seem some "basics" exist, it appears we need to refocus the discussion of password authentication among developers, operators, and administrators to protect current systems using currently known, pragmatic methods.

3. Change the approach to teaching and training people to build, use, and manage passwords: this is the real sea change (and an area we need more discussion); we need to stop chiding people and stop sending the same confusing messages of the last few decades. We have to explain the importance of authentication and explain - quickly, easily and in an understandable way - how passwords work. It's the first step toward building awareness, providing training, and influencing action [link].

What about you?

Curious if/how you handle the password breaches. Drop me an email or leave a comment with additional ideas, suggestions or challenges, and we can work together to make a difference.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.