Forced Password Reset? Check Your Assumptions

21 Aug 19

Almost weekly now I hear from an indignant reader who suspects a data breach at a Web site they frequent that has just asked the reader to reset their password. Further investigation almost invariably reveals that the password reset demand was not the result of a breach but rather the site’s efforts to identify customers who are reusing passwords from other sites that have already been hacked.

But ironically, many companies taking these proactive steps soon discover that their explanation as to why they’re doing it can get misinterpreted as more evidence of lax security. This post attempts to unravel what’s going on here.

Over the weekend, a follower on Twitter included me in a tweet sent to California-based job search site Glassdoor, which had just sent him the following notice:

The Twitter follower expressed concern about this message, because it suggested to him that in order for Glassdoor to have done what it described, the company would have had to be storing its users’ passwords in plain text. I replied that this was in fact not an indication of storing passwords in plain text, and that many companies are now testing their users’ credentials against lists of hacked credentials that have been leaked and made available online.

The reality is Facebook, Netflix and a number of big-name companies are regularly combing through huge data leak troves for credentials that match those of their customers, and then forcing a password reset for those users. Some are even checking for password re-use on all new account signups.

The idea here is to stymie a massively pervasive problem facing all companies that do business online today: Namely, “credential-stuffing attacks,” in which attackers take millions or even billions of email addresses and corresponding cracked passwords from compromised databases and see how many of them work at other online properties.

So how does the defense against this daily deluge of credential stuffing work? A company employing this strategy will first extract from these leaked credential lists any email addresses that correspond to their current user base.

From there, the corresponding cracked (plain text) passwords are fed into the same process that the company relies upon when users log in: That is, the company feeds those plain text passwords through its own password “hashing” or scrambling routine.

Password hashing is designed to be a one-way function which scrambles a plain text password so that it produces a long string of numbers and letters. Not all hashing methods are created equal, and some of the most commonly used methods — MD5 and SHA-1, for example — can be far less secure than others, depending on how they’re implemented (more on that in a moment). Whatever the hashing method used, it’s the hashed output that gets stored, not the password itself.

Back to the process: If hashing a user’s plain text password from a hacked database through the company’s own internal hashing process produces the same output as the hash the company has stored for that user, that user is then prompted to change their password to something truly unique.

Now, password hashing methods can be made more secure by amending the password with what’s known as a “salt” — or random data added to the input of a hash function to guarantee a unique output. And many readers of the Twitter thread on Glassdoor’s approach reasoned that the company couldn’t have been doing what it described without also forgoing this additional layer of security.

My tweeted explanatory reply as to why Glassdoor was doing this was (in hindsight) incomplete and in any case not as clear as it should have been. Fortunately, Glassdoor’s chief information officer Anthony Moisant chimed in to the Twitter thread to explain that the salt is in fact added as part of the password testing procedure.

“In our [user] database, we’ve got three columns — username, salt value and scrypt hash,” Moisant explained in an interview with KrebsOnSecurity. “We apply the salt that’s stored in the database and the hash [function] to the plain text password, and that resulting value is then checked against the hash in the database we store. For whatever reason, some people have gotten it into their heads that there’s no possible way to do these checks if you salt, but that’s not true.”
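The check Moisant describes, worked through as an added example (not Glassdoor’s code): a user table with the three columns he names, a constructed leak list, and the per-user salt applied to each leaked plain-text password before comparing against the stored scrypt hash. The scrypt cost parameters, the use of the email address as the username, and all sample data are assumptions made for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters chosen for this example; a real site picks its own.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2**14, 8, 1, 32


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """The site's own routine: per-user salt plus scrypt, as in the interview."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def register(db: dict, username: str, password: str) -> None:
    """Store the three columns Moisant names: username, salt value, scrypt hash."""
    salt = os.urandom(16)
    db[username] = {"salt": salt, "hash": scrypt_hash(password, salt)}


def users_to_reset(db: dict, leak: list) -> set:
    """Return the usernames whose stored hash matches a leaked plain-text password.

    1. Keep only leaked rows whose address belongs to a current user.
    2. Hash the leaked plain-text password with THAT user's stored salt.
    3. Compare (constant time) against the stored hash; a match means reuse.
    """
    flagged = set()
    for email, leaked_password in leak:
        row = db.get(email)
        if row is None:
            continue  # not a customer of this site, nothing to test
        candidate = scrypt_hash(leaked_password, row["salt"])
        if hmac.compare_digest(candidate, row["hash"]):
            flagged.add(email)
    return flagged


def demo() -> set:
    """Constructed sample data: two users, one of whom reused a leaked password."""
    db = {}
    register(db, "alice@example.com", "correct horse battery staple")
    register(db, "bob@example.com", "Summer2019!")
    # Constructed leak rows (email, cracked plain-text password); not real data.
    leak = [
        ("bob@example.com", "Summer2019!"),     # same password reused on this site
        ("alice@example.com", "hunter2"),       # differs from her password here
        ("carol@example.com", "letmein"),       # not a user of this site at all
    ]
    return users_to_reset(db, leak)


if __name__ == "__main__":
    print(demo())  # {'bob@example.com'}
```

Only Bob is flagged: the salt does not prevent the test, it simply has to be read from his row before the leaked password is hashed, and plain text is never stored.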

CHECK YOUR ASSUMPTIONS

You — the user — can’t be expected to know or control what password hashing methods a given site uses, if indeed they use them at all. But you can control the quality of the passwords you pick.

I can’t stress this enough: Do not re-use passwords. And don’t recycle them either. Recycling involves rather lame attempts to make a reused password unique by simply adding a digit or changing the capitalization of certain characters. Crooks who specialize in password attacks are wise to this approach as well.

If you have trouble remembering complex passwords (and this describes most people), consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember.

According to a recent blog entry by Microsoft group program manager Alex Weinert, none of the above advice about password complexity amounts to a hill of beans from the attacker’s standpoint.

Weinert’s post makes a compelling argument that as long as we’re stuck with passwords, taking full advantage of the most robust form of multi-factor authentication (MFA) offered by a site you frequent is the best way to deter attackers. Twofactorauth.org has a handy list of your options here, broken down by industry.

“Your password doesn’t matter, but MFA does,” Weinert wrote. “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”

Glassdoor’s Moisant said the company doesn’t currently offer MFA for its users, but that it is planning to roll that out later this year to both consumer and business users.

Password managers also can be useful for those who feel encumbered by having to come up with passphrases or complex passwords. If you’re uncomfortable with entrusting a third-party service or application to handle this process for you, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop or screen or whatever, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Although many readers will no doubt take me to task on that last bit of advice, as in all things security related it’s important not to let the perfect become the enemy of the good. Many people (think moms/dads/grandparents) can’t be bothered to use password managers — even when you go through the trouble of setting them up on their behalf. Instead, without an easier, non-technical method they will simply revert to reusing or recycling passwords.

Tags: Alex Weinert, Anthony Moisant, credential stuffing, Glassdoor, microsoft


Sophos named a Leader in the Gartner EPP Magic Quadrant… again

For the 11th time in the last 11 reports, Sophos has been named a Leader in the 2019 Gartner Endpoint Protection Platform (EPP) Magic Quadrant.

What makes Sophos a leader?

We believe our placement is driven by our strong endpoint protection, real-world endpoint detection and response (EDR) usability, as well as our unifying platform, Sophos Central. We believe Gartner recognized Sophos for our proven record at stopping ransomware, the deep learning technology that blocks never-seen-before malware, and our anti-exploit technology.

The changing endpoint protection marketplace

This year’s report represents a shift in Gartner’s view of the EPP marketplace. Over the past couple of years, more vendors have shifted down and to the left of the Magic Quadrant.

Last year there were 5 “Niche” vendors (bottom left quadrant); this year there are 10. Last year there were 12 “Visionaries” (bottom right quadrant); this year there are only 4.

Summary

Being a “Leader” in the Magic Quadrant for EPP every year of its existence is a fantastic achievement for Sophos. As the endpoint protection marketplace changes, we continue to evolve as well, driven by our increased brand awareness in enterprise organizations and 3rd party test results. Additionally, as EDR has become more tightly integrated with endpoint protection, Sophos is leading the way with an EDR offering that adds expertise, without adding headcount.

We believe we will remain well positioned going forward thanks to our continued excellence in endpoint protection, industry leadership in artificial intelligence, massive growth and ongoing enhancements for our EDR offering, and our upcoming managed detection and response (MDR) launch.

Intercept X Third Party Test Results

SE Labs

  • AAA Rated for Enterprise – 100% total accuracy rating (Jan-Mar 2019)
  • AAA Rated for SMB – 100% total accuracy rating (Jan-Mar 2019)

NSS Labs

  • Ranked #1 for Security Effectiveness
  • Ranked #1 for Total Cost of Ownership (TCO)

AV-Comparatives

  • Ranked #1 for Malware Protection (99.9% detection, 0 false alarms)

MRG Effitas

  • Ranked #1 for Malware Protection
  • Ranked #1 for Exploit Protection

PC Magazine

  • Editor’s Choice

AV-Test

Gartner Y19Q1 Magic Quadrant for Endpoint Protection Platforms, Analyst(s): Firstbrook, Peter | Bhajanka, Prateek | Pingree, Lawrence | Webber, Paul | Zumerle, Dionisio | August 20, 2019

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Everything is bigger in Texas, including ransomware attacks

Texas is big. Really big. With 29 million residents it’s the second largest state in America, has a land mass twice the size of Germany, and a GDP larger than Russia. Texans like to say, “everything is bigger in Texas”, and usually that is a good thing. However, this time bigger isn’t better.

News hit this week that 22 government organizations in the Lone Star State were recently hit by coordinated ransomware attacks. It’s a stark reminder that as attacks continue to evolve, it’s crucial that your defenses evolve even faster.

Ask about these three big, protective layers against advanced attacks

So how can you help ensure your organization isn’t the next ransomware victim?

For starters, does your solution have industry-leading anti-exploit technology to ensure attackers can’t use unpatched, vulnerable software programs to distribute and install ransomware?

Sophos Intercept X Advanced blocks more exploit techniques than any other endpoint protection product on the market. It’s not enough to just have exploit protection: the number of exploit techniques a product protects against is also extremely important. Luckily, if it can be exploited, Intercept X Advanced has the best chance of neutralizing it.

Should that not stop an attack – or should an exploit not be leveraged – how will your solution stop attacks it’s never seen before?

Our award-winning deep learning engine can identify unknown, unseen, and previously unidentifiable executables with greater accuracy than – you guessed it – any other vendor on the market.

And finally, should the unthinkable happen – should ransomware find its way onto one of your endpoints and start executing – how will your solution deal with it?

The second-to-none CryptoGuard anti-ransomware technology found in Intercept X Advanced not only offers the best ransomware protection on the planet to stop attacks in their tracks, but also uses proprietary shadow-copy technology to roll affected files back to their previously-safe states, and cleans up affected registry entries – all in the blink of an eye. It’s not enough to just stop a ransomware attack: it needs to be reversed and cleaned up as well, so you can get on with your day.

These are just three of the ways that Intercept X can thwart an attack, all backed up by a very long list of pre-execution, runtime, and post-execution features.

Seeing is believing

Here’s a closer look at what happens when a popular ransomware variant tangles with Intercept X technology:

Take it for a spin

Of course, the best way to experience the power of Intercept X Advanced is to try it yourself. Download a free 30-day trial, and you’ll be up and running in minutes. Evolve your defenses today!