terriko: (Default)
[personal profile] terriko
Cross-posted from my security blog, Web Insecurity.

Should you really change your re-used passwords after a breach? Maybe not.

DiceThe news is reporting that 453,000 credentials were allegedly taken from Yahoo, and current reports say that it's probably Yahoo Voice that was compromised. If you want to know if yours is in there, it seems like the hacker website is overwhelmed at the moment, but you can search for your username/email here on a sanitized list that doesn't include the passwords.

Probably unsurprisingly, the next bit of news is that people haven't changed their hacked passwords from previous breaches. To whit, 59% of people were re-using the passwords that had previously been hacked and released to the public in the Sony breach. Which seems a bit high given the publicity, but I'm not as surprised as I maybe should be.

What I'd really like to know is how many of those people actually suffered from this password re-use. Did anyone bother to try re-using their credentials?

I'm reminded of one of my favourite security papers, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," by Cormac Herley. In it, he claims that many security "best" practices like changing passwords frequently are actually a waste of time for the average user, when you take into account the risks involved.

So, is changing a password after a breach one of those things that we can skip without much incident? Sadly, I don't have any definitive way to analyze how many folk were inconvenienced by their password reuse in the Sony and subsequent Yahoo breaches, but I can make a guess: If those accounts were compromised on Yahoo after the Sony breach, we'd be seeing a lot more people changing their passwords between the two. So probably at least those 59% were not inconvenienced enough to change their passwords subsequent to the breach.  That's a lot of people.

Of course, it's possible that the accounts were breached and used in a way that the owner never noticed. But if they're not noticing, are they really being inconvenienced? Probably in a global sense (i.e. spam) but maybe not in a short-term decision-making sense. Of course, we could assume that the alleged hack is a hoax using many of the previously hacked passwords from Sony, but given how easy it is to compromise web apps I'm currently assuming that the hack itself is a real thing.  In which case, that's a lot of no-change. It looks suspiciously like you're likely to be more inconvenienced taking the time to change your password than you would if you did nothing, statistically speaking.

So, should you change your password after a breach? It depends on how much you feel like rolling the dice. Failing to change their breached passwords doesn't seem to have hurt that many of the Yahoo Voice denizens, but with numbers on re-used passwords hitting the news today, it's possible we'll see more people trying this avenue of attack in the future.  Still, rather than assuming those 59% are foolish for keeping the same credentials, it's worth considering that they might have just been savvy gamblers, this time.

Date: July 12th, 2012 10:08 pm (UTC)
altamira16: Tall ship at dusk (Default)
From: [personal profile] altamira16
I worked at a place that had a policy requiring a "strong" password and required us to change passwords every N days where N seemed to be somewhere between 60-90 for various systems. And if you did not change your password, you would be locked out and have to talk to people or push paper to give you access again. They also asked you to not write down the passwords or reuse them within M days where M was anywhere between 120 and 360. It was a really irritating system because passwords were changed as soon as you got comfortable with them.

A spouse said that he had friends who gamed such systems by just iterating the numbers that were required in the password.


terriko: (Default)

August 2016

14 15161718 1920
21 222324252627

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Aug. 26th, 2016 06:39 am
Powered by Dreamwidth Studios