At the recent Usenix Security Conference, researchers at Google and Stanford revealed new statistics and insights that show the poor state of password security, and how credential stuffing remains an ever-present threat to the current account security landscape.
While the researchers provide good information on password insecurity, their guidelines fall short of a permanent solution that protects individuals and organizations against credential stuffing.
Any tool or technique based on keeping track of breached credentials and reminding users to choose longer and more complex passwords is a Band-Aid approach that will grow obsolete as hackers continue to become more sophisticated.
Hackers are taking advantage of billions of breached accounts
In their study, the researchers focused on the threat of credential stuffing. Credential stuffing is a kind of brute-force scheme in which the attackers take a massive trove of usernames and passwords and “stuff” those credentials into the login page of other online services until they find a working combination that gives them access to an account.
Attackers use the billions of usernames and passwords that have been leaked in various data breaches in the past years to conduct credential stuffing attacks.
Credential stuffing remains a persistent threat because users often reuse their passwords across different accounts and neglect to change them periodically or after they hear about a data breach. They also tend to choose passwords that are easy to remember, which means it’s likely that the password will turn up in one of many data breaches. According to a 2017 study by researchers at Google and UC Berkeley, 6.9% of breached credentials remain valid due to reuse, even several years after their initial exposure.
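As an added illustration (not code from the paper or from this article), here is how a defender can spot the pattern just described in a login log: one source trying many different usernames with a high failure ratio, and the occasional success that marks a reused credential. The log lines, the field layout, the hypothetical function names and the thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// SampleLog is a constructed login log for this example. The field layout is
// an assumption: "timestamp source_ip username outcome". The addresses come
// from the IPv4 documentation ranges, so they point at nothing real.
const SampleLog = `
2023-05-01T10:00:01Z 198.51.100.7 alice fail
2023-05-01T10:00:09Z 198.51.100.7 alice ok
2023-05-01T10:01:15Z 198.51.100.8 bob ok
2023-05-01T10:02:00Z 203.0.113.9 alice fail
2023-05-01T10:02:01Z 203.0.113.9 bob fail
2023-05-01T10:02:02Z 203.0.113.9 carol fail
2023-05-01T10:02:03Z 203.0.113.9 dave ok
2023-05-01T10:02:04Z 203.0.113.9 erin fail
2023-05-01T10:02:05Z 203.0.113.9 frank fail
2023-05-01T10:03:30Z 198.51.100.8 bob ok
malformed entry
`

// LoginEvent is one parsed log record.
type LoginEvent struct {
	Timestamp, SourceIP, Username, Outcome string
}

// ParseLoginLog turns the log text into events, skipping blank and malformed
// lines so that one bad record does not abort the whole analysis.
func ParseLoginLog(text string) []LoginEvent {
	var events []LoginEvent
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		events = append(events, LoginEvent{Timestamp: f[0], SourceIP: f[1], Username: f[2], Outcome: f[3]})
	}
	return events
}

// sourceStats is what a stuffing campaign looks like from the server side:
// one origin, many distinct usernames, mostly failures.
type sourceStats struct {
	attempts, failures int
	usernames          map[string]bool
}

// Thresholds for flagging a source. These are assumed values for the example;
// a real deployment tunes them against its own baseline traffic.
const (
	MinAttempts      = 5
	MinDistinctUsers = 4
	MinFailureRatio  = 0.6
)

// FlagStuffingSources returns, sorted, the source IPs whose login pattern has
// the credential-stuffing shape. A busy NAT full of ordinary users produces
// far fewer distinct usernames per failure and a much higher success rate.
func FlagStuffingSources(events []LoginEvent) []string {
	stats := map[string]*sourceStats{}
	for _, e := range events {
		s, ok := stats[e.SourceIP]
		if !ok {
			s = &sourceStats{usernames: map[string]bool{}}
			stats[e.SourceIP] = s
		}
		s.attempts++
		s.usernames[e.Username] = true
		if e.Outcome != "ok" {
			s.failures++
		}
	}
	var flagged []string
	for ip, s := range stats {
		ratio := float64(s.failures) / float64(s.attempts)
		if s.attempts >= MinAttempts && len(s.usernames) >= MinDistinctUsers && ratio >= MinFailureRatio {
			flagged = append(flagged, ip)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// AccountsToReset lists the accounts a flagged source logged into
// successfully: the reused credentials the campaign actually matched, which
// are the ones to force a password reset on.
func AccountsToReset(events []LoginEvent, flagged []string) []string {
	bad := map[string]bool{}
	for _, ip := range flagged {
		bad[ip] = true
	}
	seen := map[string]bool{}
	var out []string
	for _, e := range events {
		if bad[e.SourceIP] && e.Outcome == "ok" && !seen[e.Username] {
			seen[e.Username] = true
			out = append(out, e.Username)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	events := ParseLoginLog(SampleLog)
	flagged := FlagStuffingSources(events)
	fmt.Println("suspected stuffing sources:", flagged)
	fmt.Println("accounts to force-reset:", AccountsToReset(events, flagged))
}
```

On the constructed log, 203.0.113.9 is flagged (six attempts against six different accounts, five of them failing) and the single success, dave, is the account whose reused password the campaign hit. The two legitimate sources fail the distinct-username test even though one of them also has a failed attempt.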
Results of a password audit at the Australian government
“Despite variations across industries, our analysis reveals that the threat of credential stuffing extends well into the long tail of the Internet,” the Google and Stanford researchers note in their report.
Old approaches are playing into the hands of hackers
Some organizations and independent researchers have tried to address the issue of credential stuffing by raising awareness. In the past few years, several websites and online services have launched that enable users to track whether their username and passwords were included in any known data breach.
Some examples of such collections include Antipublic, a set of 500 million stolen passwords, Exploit.in (600 million credentials) and Collection 1-5, a compilation of over 2 billion usernames and passwords. Also worth noting is Troy Hunt’s Have I Been Pwned website, an online service that lets users check their username against a collection of half a billion breached credentials; it’s not a solution, but it is a good tool to have if passwords are the only factor defending access.
But while these collections and services enable users to stay alert and find out whether their online accounts have been compromised, they’re also double-edged blades that can end up further compromising the security of the people they’re supposed to protect. Hackers often use these collections and services to build rich databases for their credential stuffing attacks. In fact, collections of leaked account details are much more popular with hackers than with average users.
Hackers keep close tabs on the latest data breaches and on the credentials they can scavenge from the efforts of other cybercriminals. Users often neglect, or remain in the dark about, new data breaches and the troves of usernames and passwords that change hands on the dark and surface web.
“At present, these services make a variety of tradeoffs spanning user privacy, accuracy, and the risks involved with sharing ostensibly private account details through unauthenticated public channels,” the researchers observe.
An incremental improvement in protecting user passwords
In their recent project, the researchers at Google and Stanford released a Chrome extension that warns users when they log in to a website with breached credentials, using a repository of more than 4 billion breached usernames and passwords. In a study conducted on 670,000 users and 21 million logins, the researchers found that 1.5% of logins on the web involve breached credentials, which amounts to one warning for every two users.
The new tool introduced by Google helps users securely check whether their usernames and passwords have fallen into the wrong hands while also preventing adversarial users from using the same repository for credential stuffing.
An improved user interface and experience also makes sure more users are made aware when their usernames and passwords appear in troves of leaked data. According to the researchers’ report, with their new tool, 26% of users responded to warnings and reset their passwords. Also, 94% of new passwords were stronger than the original.
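The article does not describe the protocol the extension uses to query the repository without exposing it. As an added example (not the researchers' code), the sketch below uses a hash-prefix lookup, a simpler technique with the same shape: the client hashes the credential locally, reveals only a short prefix, and finishes the comparison itself, so the service never receives the full credential hash and answers only one bucket per query. The breached list, the prefix length, the `username:password` hash input and the type and function names are all assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// PrefixHexLen is how many hex characters of the hash the client reveals
// (assumed value for this example; longer prefixes mean smaller buckets but
// leak more bits of the credential hash per query).
const PrefixHexLen = 4

// ConstructedBreachList is a toy stand-in for a breached-credential corpus.
var ConstructedBreachList = [][2]string{
	{"alice", "Summer2019!"},
	{"bob", "password123"},
	{"carol", "qwerty"},
}

// credentialHash hashes "username:password" so that the server-side list
// never holds the cleartext pair. Lower-casing the username avoids misses on
// case differences that most sites ignore anyway.
func credentialHash(username, password string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(username) + ":" + password))
	return hex.EncodeToString(sum[:])
}

// BreachServer stands in for the lookup service. It stores hash suffixes
// grouped by prefix, so a query can be answered without seeing the full hash.
type BreachServer struct {
	buckets map[string][]string // prefix -> sorted suffixes
}

// NewBreachServer builds the bucketed index from cleartext pairs; after this
// the cleartext is not needed and would not be kept by a real service.
func NewBreachServer(pairs [][2]string) *BreachServer {
	s := &BreachServer{buckets: map[string][]string{}}
	for _, p := range pairs {
		h := credentialHash(p[0], p[1])
		pre, suf := h[:PrefixHexLen], h[PrefixHexLen:]
		s.buckets[pre] = append(s.buckets[pre], suf)
	}
	for _, b := range s.buckets {
		sort.Strings(b)
	}
	return s
}

// Bucket is the only query the server answers: every suffix sharing the
// requested prefix. The server learns the prefix, not which entry (if any)
// the client was interested in.
func (s *BreachServer) Bucket(prefix string) []string {
	return s.buckets[prefix]
}

// CheckCredential is the client side: hash locally, send only the prefix,
// and compare the returned suffixes against the rest of the local hash.
func CheckCredential(server *BreachServer, username, password string) bool {
	h := credentialHash(username, password)
	pre, suf := h[:PrefixHexLen], h[PrefixHexLen:]
	for _, candidate := range server.Bucket(pre) {
		if candidate == suf {
			return true
		}
	}
	return false
}

func main() {
	srv := NewBreachServer(ConstructedBreachList)
	for _, c := range [][2]string{{"alice", "Summer2019!"}, {"alice", "Summer2020!"}} {
		fmt.Printf("%s / %s breached: %v\n", c[0], c[1], CheckCredential(srv, c[0], c[1]))
	}
}
```

Because the server only ever sees a prefix, a client that queries it cannot dump the full list in one request, and the server cannot tell which of the bucket's entries, if any, matched. A query still reveals a few bits of the credential hash, which is the privacy trade-off the researchers' quote above alludes to.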
The effort marks good progress in helping users protect their online accounts against known data breaches. But it is incremental progress, not a definitive solution to the threat of credential stuffing. And given the value we attach to our online accounts, it is not enough to remedy the abysmal state of password protection.
The false sense of achievement
Here’s why I think Google’s new tool will only serve as a Band-Aid approach to the problem of credential stuffing attacks:
- Users are required to install a browser extension, and we all know that no extension is installed by absolutely all users. Even if Google integrates the functionality into its Chrome browser, it will only reach the 60-70% of users that make up Chrome’s share of the browser market.
- Even among users who install the extension, the response rate is 26%, according to the researchers’ own stats, which means 74% of participants remain vulnerable to attacks. And this is an optimistic figure, because people who participate in beta test programs are usually more tech-savvy than average users and more likely to act on security warnings. In real life, the percentage of users who respond to security warnings will be lower.
- The tool only tracks known data breaches. Many data breaches remain hidden for months or years, and during that period everyone whose data has been stolen is in danger of having their accounts breached, while the credential tracking tool provides only a false sense of security.
The passwordless solution
All of the above problems stem from the fact that you have to create, exchange, memorize and store secrets (i.e. passwords) to protect your accounts. Interestingly, if you remove passwords from the equation, all three problems we just explored will be solved.
When using passwordless authentication solutions, users no longer need to keep track of leaked credentials. In fact, since passwordless authentication technologies don’t store any secrets on the servers of online services, users don’t need to worry about hackers brute-forcing their way into their accounts. Neither do users need to worry about regularly changing their credentials.
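As an added example (not code from this article or from any FIDO implementation), here is the shape of a challenge-response login with a public-key credential, which is what makes the "no secrets on the server" claim concrete. The server stores only public keys and verifies a signature over a fresh nonce bound to the site's identity, the same two properties FIDO authenticators provide; the type names, the 32-byte challenge and the `example.com` identifiers are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps, per user, only a public key and the challenge currently
// outstanding. Nothing in this table is a reusable secret: a leaked copy can
// neither be replayed here nor stuffed into another site's login page.
type Server struct {
	rpID       string // the site's own identity, bound into every signature
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register records the public half of the user's key pair. The private half
// never leaves the authenticator (the Client type below).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = pub
}

// Challenge issues a fresh random nonce for one login attempt, so a captured
// signature is worthless once that attempt is over.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedMessage is what gets signed: the challenge plus the origin the
// authenticator believes it is talking to. Binding the origin is what makes
// the exchange phishing-resistant: a signature made for a look-alike site
// does not verify at the genuine one.
func signedMessage(challenge []byte, origin string) []byte {
	msg := append([]byte{}, challenge...)
	return append(msg, []byte(origin)...)
}

// Verify checks the signature against the stored key and the outstanding
// challenge, consuming the challenge so it cannot be used twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, okKey := s.pubKeys[user]
	c, okChal := s.challenges[user]
	if !okKey || !okChal {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, signedMessage(c, s.rpID), sig)
}

// Client plays the authenticator: it holds the only secret in the system and
// uses it for nothing but signing challenges.
type Client struct {
	priv ed25519.PrivateKey
}

func NewClient() (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{priv: priv}, pub, nil
}

// Sign answers a challenge for the origin the client sees in its address bar.
func (c *Client) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(c.priv, signedMessage(challenge, origin))
}

// Login runs the full exchange: challenge from the server, signature from the
// client, verification at the server.
func Login(s *Server, c *Client, user, origin string) (bool, error) {
	ch, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	return s.Verify(user, c.Sign(ch, origin)), nil
}

func main() {
	srv := NewServer("example.com")
	cl, pub, err := NewClient()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", pub)
	ok, _ := Login(srv, cl, "alice", "example.com")
	fmt.Println("genuine origin accepted:", ok)
	ok, _ = Login(srv, cl, "alice", "example.com.evil.test")
	fmt.Println("phishing origin accepted:", ok)
}
```

Three things follow from this structure that no password scheme offers: a dump of the server's table yields nothing an attacker can stuff anywhere, a captured signature cannot be replayed because the challenge is single-use, and a credential phished through a look-alike origin does not verify at the real site.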
The wide adoption of passwordless authentication will altogether remove the threat of credential stuffing. With the development of FIDO passwordless authentication standards into an easily adoptable solution, there are many ways organizations can protect their employees and customers from account hijacking.
Anything less is a Band-Aid fix.