Data Breaches and You
What can be done with data breaches? People can just change their password, and the breach becomes useless, right? Is there really any concern?
First, not every data breach contains credentials. Some, like the Experian breach, contain personally identifiable information (PII): full name, address, phone number, gender, Social Security Number, email address, and lots of other data you would rather keep private. Once it is in a dump, your “private” information isn’t private anymore, and unlike a password, most of it cannot be changed. A Social Security Number leaked today is just as useful for identity theft years from now. That is what makes this kind of breach hugely damaging.
Second, yes, people can change their password on the breached site. But there is a good chance they used that same password on other sites, which opens them up to what is called a “password reuse” attack: the attacker takes the leaked email/password pair and tries it on other sites. Changing the password on the hacked site does nothing for those other accounts. Keep in mind that many thousands of websites have been hacked, so one person’s old password may appear in several dumps, which only compounds the problem.
Attackers routinely turn a breach into an attack called “credential stuffing.” They take the leaked username/password pairs from one or more database dumps and replay them against the login form of some unrelated site. Every successful login is an account takeover. This is almost always automated, usually spread across many source IP addresses through proxies, and it can take over thousands of accounts in a very short time. Even a success rate of a fraction of a percent pays off when the input list has millions of entries.
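Detecting this on the receiving end is mostly a matter of looking at the right ratio. The following is an added example, not code from the original post: it runs over a few constructed authentication log lines and flags a source IP that tries many different usernames with mostly failures inside a short window, which is the signature of stuffing rather than of one user mistyping their own password. The log format, the IP addresses and the thresholds are all assumptions for the demo.

```python
"""Spot credential stuffing in authentication logs.

Added example, not from the original post. The log format and the IPs
below are constructed for illustration. The signal that distinguishes
stuffing from a user mistyping their own password is: one client, many
DIFFERENT usernames, mostly failures, in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source-ip> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol SUCCESS
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank FAIL
2024-05-01T10:00:05Z 203.0.113.7 grace FAIL
2024-05-01T10:00:05Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:06Z 203.0.113.7 ivan SUCCESS
2024-05-01T10:00:07Z 203.0.113.7 judy FAIL
2024-05-01T10:02:00Z 198.51.100.4 alice FAIL
2024-05-01T10:02:30Z 198.51.100.4 alice FAIL
2024-05-01T10:03:10Z 198.51.100.4 alice SUCCESS
2024-05-01T10:05:00Z 192.0.2.9 bob SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def find_stuffing(log_text, window=timedelta(minutes=5), min_users=8, max_success_rate=0.5):
    """Return {source_ip: summary} for clients whose traffic looks like stuffing.

    Thresholds are assumptions; tune them to the site's normal traffic.
    A single user retrying their own password (198.51.100.4 above) is
    not flagged because it touches only one username.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of wall-clock time.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = [u for _, u, ok in chunk if ok]
            rate = len(successes) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "success_rate": rate,
                    # Accounts that were actually taken over: force a reset.
                    "taken_over": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

In a real deployment the same logic would run over a SIEM query grouped by source IP (or by a client fingerprint, since stuffers rotate IPs), and the `taken_over` list is the set of accounts whose sessions should be revoked and passwords reset.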
There are also legitimate uses for breached data. The passwords can be analyzed to answer questions such as: what are the 100 most frequently used passwords? What percentage of users have weak passwords? A penetration tester, with the client’s authorization, can use the passwords from those breaches to attempt to log into the client’s systems, which reproduces exactly what a credential-stuffing attacker would do.
The breached passwords can also be used as a sort of blacklist. If a new user tries to sign up (or change their password) using a password that appears on that list, the attempt is denied. NIST SP 800-63B recommends exactly this check. That way the public lists pose no real threat to new accounts, at least not from straightforward stuffing; a user who reuses a leaked password that is not yet in your list is still exposed.
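Both of these defensive uses fit in a few lines. The following is an added example, not code from the original post. It computes the frequency and weakness statistics over a small constructed dump, then builds a prefix index and checks candidate passwords against it. The lookup mirrors the k-anonymity scheme used by Have I Been Pwned’s Pwned Passwords (SHA-1, look up by the first five hex characters, so a client never has to reveal the full hash), but everything here runs offline against the constructed list; the sample passwords and the 16-character minimum are assumptions.

```python
"""Two defensive uses of a leaked password list: statistics and a blacklist.

Added example, not from the original post. BREACH_DUMP is a small
constructed list standing in for a real dump. The prefix lookup copies
the k-anonymity idea of Have I Been Pwned's Pwned Passwords API (SHA-1,
query by the first 5 hex characters) but runs entirely offline here.
"""
import hashlib
from collections import Counter

# Constructed stand-in for a dump; duplicates are deliberate.
BREACH_DUMP = [
    "123456", "password", "123456", "qwerty", "password", "123456",
    "letmein", "123456789", "correct horse battery staple", "password",
    "Tr0ub4dor&3", "iloveyou", "123456", "qwerty", "abc123",
]


def top_passwords(passwords, n=100):
    """The n most frequently used passwords with their counts."""
    return Counter(passwords).most_common(n)


def weak_fraction(passwords, min_len=16):
    """Share of passwords shorter than min_len (the page's suggested minimum)."""
    return sum(1 for p in passwords if len(p) < min_len) / len(passwords)


def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Map 5-char SHA-1 prefix -> {35-char suffix: times seen in the dump}."""
    index = {}
    for pw, count in Counter(passwords).items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


def breach_count(index, candidate):
    """How often the candidate appears in the dump (0 = not seen).

    Only the 5-character prefix selects a bucket; the suffix comparison
    happens on the client side, so the full hash never has to be sent.
    """
    h = sha1_hex(candidate)
    bucket = index.get(h[:5], {})
    return bucket.get(h[5:], 0)


def is_acceptable(index, candidate, min_len=16):
    """Sign-up / password-change rule: long enough and not in any known dump."""
    return len(candidate) >= min_len and breach_count(index, candidate) == 0


if __name__ == "__main__":
    print("top 3:", top_passwords(BREACH_DUMP, 3))
    print("weak fraction:", round(weak_fraction(BREACH_DUMP), 3))
    idx = build_index(BREACH_DUMP)
    for pw in ("password", "correct horse battery staple", "glass-lantern-river-42-quartz"):
        print(pw, "-> seen", breach_count(idx, pw), "times; acceptable:", is_acceptable(idx, pw))
```

Note that a long, famous passphrase is rejected because it is in the dump; length alone is not enough once a password is public, which is why the blacklist check sits beside the length rule rather than replacing it.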
What can we do to minimize our risk to these types of problems?
The main thing users can do is use a different, randomly generated password for every site. That sounds hard, but it is quite simple with a password manager such as LastPass or KeePass, which generates and remembers the passwords for you. Make passwords 16 characters or longer wherever the site allows it. Length matters far more than composition rules: a 16-character random string is vastly stronger than an 8-character one that merely satisfies “at least one upper-case letter, one number, and one special character,” because those rules push people toward predictable patterns such as Password1!. This is why complexity policies are less than useful. The only password policy a site really needs is a minimum length (I suggest 16 characters) together with a check against known-breached passwords. And wherever a site offers two-factor authentication, turn it on; a stuffed password alone is then not enough to log in.
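To put numbers on the length-versus-complexity claim, here is an added example (not from the original post) that does what a password manager’s generator does, using the standard library’s CSPRNG, and works out the entropy of each policy. The alphabet sizes (94 printable ASCII characters, 26 lower-case letters) and the guess rate used for the crack-time estimate are assumptions.

```python
"""Random password generation and a length-vs-complexity entropy comparison.

Added example, not from the original post. Alphabet sizes and the guess
rate are assumptions chosen to make the comparison concrete.
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=16, alphabet=PRINTABLE):
    """Uniformly random password. `secrets` is a CSPRNG; never use `random` here."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits, guesses_per_second):
    """Expected time to find the password (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_policies():
    """Entropy of three policies; returns a dict of bits per policy."""
    # Best case for an 8-character "upper, digit, symbol" password: 94^8.
    # Real ones are far weaker because people choose patterns ("Password1!").
    complex8 = entropy_bits(8, 94)
    # 16 random lower-case letters already beat the 8-character policy.
    lower16 = entropy_bits(16, 26)
    # 16 random printable characters, what a manager generates by default.
    random16 = entropy_bits(16, 94)
    return {"complex8": complex8, "lower16": lower16, "random16": random16}


if __name__ == "__main__":
    print("generated:", generate_password())
    # Assumed offline rate against a fast unsalted hash on GPU hardware.
    rate = 1e11
    for name, bits in compare_policies().items():
        print(f"{name:9s} {bits:6.1f} bits  ~{crack_time_seconds(bits, rate) / 86400:.1e} days")
```

The 8-character complexity-policy password comes out around 52 bits at best; 16 random lower-case letters are about 75 bits and 16 random printable characters about 105 bits, so each added character buys more than any composition rule does.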
The most important thing for website owners is to store passwords so that a dump of the user table is not a dump of the passwords. That takes three things. First, never store the password itself or a plain, fast hash of it; use a slow, memory-hard password hashing function (Argon2id, scrypt or bcrypt, or PBKDF2 with a high iteration count if nothing else is available). Second, give every user a unique random salt. A salt is not a secret: it is stored right next to the hash, and its job is to make every hash different, so an attacker cannot precompute one table and crack the whole database at once, and cannot even see which users share a password. Each hash has to be cracked individually. Third, optionally add a pepper: a secret key that is not in the database at all (held in a key-management service, an HSM, or at least application configuration outside the database) and mixed into each hash, for example with HMAC. If only the database leaks, the attacker cannot start cracking without the pepper. A “computed salt” derived from an algorithm proprietary to the site is really an attempt at a pepper, and a weaker one: its security rests on the algorithm staying secret, so once the source code leaks along with the database the scheme collapses, whereas a pepper is just a key that can live in hardware that never reveals it. What makes offline cracking impractical is the cost of the hash function multiplied by the number of users, not the secrecy of the salt.
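The three pieces fit together as follows. This is an added example, not code from the original post. It uses PBKDF2-HMAC-SHA256 from the standard library because it is available everywhere; Argon2id, scrypt or bcrypt are preferable in production. The pepper bytes, the storage format and the iteration count (OWASP’s current guidance for PBKDF2-HMAC-SHA256) are assumptions for the demo.

```python
"""Salted, peppered, slow password hashing.

Added example, not from the original post. PBKDF2-HMAC-SHA256 is used
because it is in the standard library; prefer Argon2id/scrypt/bcrypt in
production. PEPPER, ITERATIONS and the record format are demo choices.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256
# The pepper lives OUTSIDE the database (env var, KMS, HSM). Constructed demo value.
PEPPER = bytes.fromhex("4f8e1c0b3a2d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f")


def _b64(b):
    return base64.b64encode(b).decode("ascii")


def _prehash(password, pepper):
    """Keyed pre-hash: without the pepper, offline cracking cannot even start."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password, pepper=PEPPER, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash.

    The salt is random per user and stored in the clear inside the record;
    that is fine, its purpose is uniqueness, not secrecy.
    """
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, _b64(salt), _b64(dk))


def verify_password(password, stored, pepper=PEPPER):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, int(iters))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    a = hash_password("correct horse battery staple")
    b = hash_password("correct horse battery staple")
    print("same password, different records:", a != b)
    print("verify ok:", verify_password("correct horse battery staple", a))
    print("wrong password:", verify_password("Password1!", a))
    print("database leaked but pepper did not:", verify_password("correct horse battery staple", a, pepper=b"attacker-guess"))
```

Two users with the same password get different records because of the salt, so a dump does not reveal shared passwords; and the last line shows that the record is useless to someone who has the database but not the pepper.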
Data breaches cause plenty of headache, especially for users, and can even lead to identity theft. But with a password manager and a unique password per site on the user side, and slow, salted (and ideally peppered) password hashing on the site side, much of the risk can be mitigated.
For the list of passwords, take a look here: