Anonymous no more: Reusing complex passwords gives your identity away

Researchers deanonymized anonymous Tor Mail account users, raising awareness of the privacy implications of reusing even a complex password when creating an anonymous account.


2018 is starting off with a crazy vibe. For example, instead of harping on fake news, the U.S. President tweeted a different version of mine-is-bigger-than-yours – not that, silly; he was talking about the nuke button:

Shortly thereafter, literally like 16 minutes later, no longer able to refrain from using the words “fake news,” President Trump tweeted his intention to announce the “awards” for what he considers to be the worst of the worst — the most dishonest and corrupt media coverage.

While his announcement will be made next week, the idea for the awards has clearly been on the back burner for over a month. Back in November, he tweeted the idea for the “FAKE NEWS TROPHY.”

Writing style and now complex passwords give your identity away

If stylometry were applied to Trump, then surely his use of “fake news” would help identify him if he were trying to tweet anonymously, right? Maybe not, but analyzing writing style — things like word choice, punctuation and sentence structure — has long been a way to deanonymize “hackers, trolls and malware writers,” as well as to unmask the people behind other anonymously posted online content (pdf). Even programmers can be deanonymized from their coding style. But did you know people can be deanonymized through their use of complex passwords?

Granted, we should not reuse passwords at all. But password reuse is not something that only people with pathetically weak passwords might do. Password managers are the wise move, but sometimes it is “fun” to come up with a password that will theoretically take decades or more to crack. A person trying to stay anonymous might think that if they were to reuse that password, there would be no way to unmask their identity. Yet that is not true, according to an article posted on STS Cyber Research.

In this case, the research showed, the rarer your password is, the more it “uniquely identifies the person who uses it. If a person uses the same unique password with multiple accounts, then that password can be used as a digital fingerprint to link those accounts.” Although this is not something previously unknown, there seems to be a lack of awareness about the practice.

The researchers wrote:

We demonstrate that a large number of anonymous account users who are savvy enough to have complex passwords but still use their regular password with an anonymous account are vulnerable to being de-anonymized by even the limited credential leaks available to the public.

To prove this, they started with the now-defunct Tor Mail, as well as the 1.4 billion clear-text credentials that were found on the dark web. Then they took Tor Mail accounts with “sufficiently complex passwords” — meaning the password had to have at least 10 characters or contain characters from at least three of the four types lowercase, uppercase, digit and symbol — and linked them “to non-anonymous email accounts that used the same or similar passwords.”

We were able to de-anonymize with a high degree of certainty more than 16% of the 1019 Tormail accounts found.

Put another way, the researchers were able to deanonymize 157 of the 1,019 Tor Mail accounts using publicly available data sets. They believe this is due to a “general lack of awareness of the privacy implications to re-using an existing password when creating an anonymous account.”

After the analysis, they wanted to point out a few examples of how a password “gives away details about the user without necessarily correlating them to another account.”

  • Using real initials and full year of birth as a password (e.g. jwd1974)
  • Using full date of birth in a password (i.e. YYYYMMDD or something of that sort)
  • Using a real name or non-anonymous username with a number on the end (e.g. JohnDoe1)
  • Using an anonymous account name as password on a regular account
  • Copying and pasting a regular password twice as an anonymous password
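The two ideas above can be turned into a self-audit: apply the researchers' complexity rule to your own passwords, flag any complex password that is shared between an anonymous account and a regular one (the digital fingerprint the article describes), and flag the personal-information patterns in the list. The script below is an added example, not code from the researchers or from this article; the account names, usernames and passwords in SAMPLE_ACCOUNTS are constructed, and the hint labels it returns are my own.

```python
# Added example (not the researchers' code): a password-reuse self-audit that
# applies the article's "sufficiently complex" rule and flags the fingerprint
# risks listed in the article. All names and credentials below are constructed.
import re
from collections import defaultdict


def is_complex(password: str) -> bool:
    """Complexity rule stated in the article: at least 10 characters, or
    characters from at least three of lowercase/uppercase/digit/symbol."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= 10 or sum(classes) >= 3


def personal_info_hints(password: str, full_name: str, birth_date: str, usernames=()):
    """Return which of the article's give-away patterns the password matches.
    full_name is the user's real name, birth_date is YYYYMMDD, usernames are
    the user's non-anonymous handles (hypothetical parameter names)."""
    hints = []
    parts = full_name.split()
    initials = "".join(p[0] for p in parts).lower()
    low = password.lower()
    # real initials followed by a four-digit year, e.g. jwd1974
    if initials and re.fullmatch(re.escape(initials) + r"(19|20)\d{2}", low):
        hints.append("initials+year")
    # full date of birth embedded anywhere in the password (YYYYMMDD)
    if birth_date and birth_date in password:
        hints.append("full date of birth")
    # real name (first+last) or a known username followed by a number, e.g. JohnDoe1
    names = [(parts[0] + parts[-1]).lower()] if parts else []
    names += [u.lower() for u in usernames]
    if any(re.fullmatch(re.escape(n) + r"\d+", low) for n in names if n):
        hints.append("name+number")
    # a regular password pasted twice to make an "anonymous" one
    half = len(password) // 2
    if password and len(password) % 2 == 0 and password[:half] == password[half:]:
        hints.append("duplicated password")
    return hints


def reuse_links(accounts):
    """accounts maps a label to (username, password, is_anonymous).
    Returns (reason, anonymous_labels, regular_labels) tuples for every
    complex password shared across the anonymous/regular boundary and for
    every regular account whose password is an anonymous account's name."""
    by_password = defaultdict(list)
    for label, (_user, pw, _anon) in accounts.items():
        by_password[pw].append(label)
    anon_names = {user.lower() for user, _pw, anon in accounts.values() if anon}
    links = []
    for pw, labels in by_password.items():
        anon = [l for l in labels if accounts[l][2]]
        regular = [l for l in labels if not accounts[l][2]]
        if anon and regular and is_complex(pw):
            links.append(("shared complex password", anon, regular))
    for label, (_user, pw, anon) in accounts.items():
        if not anon and pw.lower() in anon_names:
            links.append(("anonymous name used as password", [], [label]))
    return links


# Constructed sample: one person's accounts, two of them anonymous.
SAMPLE_ACCOUNTS = {
    "work-mail": ("john.doe", "C0rrectH0rse!Battery", False),
    "bank": ("jdoe", "jwd1974", False),
    "shopping": ("johndoe", "shadowfax99", False),  # anonymous handle reused as password
    "anon-mail": ("shadowfax99", "C0rrectH0rse!Battery", True),
    "anon-forum": ("nightowl", "Tr0ub4dor!Tr0ub4dor!", True),
}

if __name__ == "__main__":
    for reason, anon, regular in reuse_links(SAMPLE_ACCOUNTS):
        print(f"{reason}: anonymous={anon} regular={regular}")
    for label, (user, pw, _anon) in SAMPLE_ACCOUNTS.items():
        hints = personal_info_hints(pw, "John W. Doe", "19740312", ["john.doe", "jdoe", "johndoe"])
        print(f"{label}: complex={is_complex(pw)} hints={hints}")
```

Run as-is, the report shows the work mailbox and the anonymous mailbox sharing one complex password (the linkage the researchers exploited against Tor Mail) and the shopping account using the anonymous handle as its password; the hint check then points at the initials-plus-year bank password and the pasted-twice forum password. Replace SAMPLE_ACCOUNTS with an export from your own password manager to audit real accounts locally.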