"Russan Gang Amasses Over A Billion Stolen Passwords"

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
Topic Author
Taylor Larimore
Posts: 32842
Joined: Tue Feb 27, 2007 7:09 pm
Location: Miami FL

"Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Taylor Larimore »

Bogleheads:

Today's New York Times has this ominous article about internet theft:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses, security researchers say.
Russian Gang Amasses Over a Billion Stolen Internet Passwords

Best wishes.
Taylor
"Simplicity is the master key to financial success." -- Jack Bogle
schmitz
Posts: 343
Joined: Thu Sep 01, 2011 5:21 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by schmitz »

I guess it's time to change all my passwords again
User avatar
Topic Author
Taylor Larimore
Posts: 32842
Joined: Tue Feb 27, 2007 7:09 pm
Location: Miami FL

"Strong passwords"

Post by Taylor Larimore »

Bogleheads:

I alerted Administrator, Larry Auton, who is a computer whiz. This was his reply:
This isn't really news to folks who do what we do. People should use strong passwords but they never will.

This particular case doesn't affect us directly.
Thank you, Larry.

Best wishes.
Taylor
"Simplicity is the master key to financial success." -- Jack Bogle
Louis Winthorpe III
Posts: 780
Joined: Sat Jun 15, 2013 11:17 pm

Re: "Strong passwords"

Post by Louis Winthorpe III »

Taylor Larimore wrote:Bogleheads:

I alerted Administrator, Larry Auton, who is a computer whiz. This was his reply:
This isn't really news to folks who do what we do. People should use strong passwords but they never will.

This particular case doesn't affect us directly.
Thank you, Larry.

Best wishes.
Taylor
"This particular case doesn't affect us directly." I wonder what that means. Seems like it would affect pretty much everybody directly, at least potentially.
User avatar
LadyGeek
Site Admin
Posts: 95701
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by LadyGeek »

This thread is now in the Personal Consumer Issues forum (computer security).
Louis Winthorpe III wrote:"This particular case doesn't affect us directly." I wonder what that means. Seems like it would affect pretty much everybody directly, at least potentially.
To be clear, Larry Auton is mingstar, the caretaker of the forum's server. I would assume he meant that they didn't steal anything from us. :wink:

Search this forum for "password" - there are quite a few on-going threads. I like this one: Another reason why you should never reuse passwords...
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Copper John
Posts: 251
Joined: Tue Jan 11, 2011 11:31 am

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Copper John »

"This isn't really news to folks who do what we do. People should use strong passwords but they never will.

This particular case doesn't affect us directly. "
I also found this response odd. From what I understand this gang amassed these passwords by targeting corporate and website databases and not by cracking individual's passwords. I would think anyone corporate or website entity that stores passwords and other consumer data would be extremely interested into how seemingly secure SQL servers were compromised.

In any case using complex strong passwords and not using the same passwords across your multiple sites is still strongly advised. But even if we do this, we are still at the mercy of the of the capability of the websites and corporate entities that store our data to defend our data.
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Ged »

Another piece of evidence that reusing passwords is a bad idea.

Apparently this was done using SQL injection, which I would hope that any site that uses money is audited for.
User avatar
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by TimeRunner »

Da, baby.

Use Lastpass or Dashlane or something similar.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
User avatar
pennstater2005
Posts: 2509
Joined: Wed Apr 11, 2012 8:50 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by pennstater2005 »

I'm guilty of using the same 2 or 3 passwords at probably fifteen different sites. Although they are considered strong passwords. You know......1234 :P
“If you think nobody cares if you're alive, try missing a couple of car payments.” – Earl Wilson
ProfessorX
Posts: 568
Joined: Mon Jul 04, 2011 12:29 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ProfessorX »

It's disappointing that whoever these companies are don't reveal the password breach to their customers.
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Ged »

ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
ProfessorX
Posts: 568
Joined: Mon Jul 04, 2011 12:29 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ProfessorX »

Ged wrote:
ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by jchef »

Copper John wrote:
"This isn't really news to folks who do what we do. People should use strong passwords but they never will.

This particular case doesn't affect us directly. "
I also found this response odd. From what I understand this gang amassed these passwords by targeting corporate and website databases and not by cracking individual's passwords. I would think anyone corporate or website entity that stores passwords and other consumer data would be extremely interested into how seemingly secure SQL servers were compromised.

In any case using complex strong passwords and not using the same passwords across your multiple sites is still strongly advised. But even if we do this, we are still at the mercy of the of the capability of the websites and corporate entities that store our data to defend our data.
Intelligent websites don't store passwords. They store hashes of passwords. And if the administrators are doing their jobs properly, the hashes are salted and they are using a slow hash function. If they take both of these steps, even if the hash files are stolen, extracting the passwords from the hash files is so slow as to be nearly impossible (or at least very impractical).

I'm guessing the hackers found a bug that allowed them to retrieve hash files from a certain website architecture. And if those hash files weren't salted and didn't use a slow hash function, it wouldn't be that difficult to extract many millions of passwords.

So if you know you aren't using the architecture that was targeted and you also know you are taking proper precautions with you hash files, there isn't too much to learn from this instance.



Edit: Here's a quick article of how easy it is to extract hashes is they aren't using a slow hash function and didn't salt their hashes. You may remember in 2012, LinkedIn had the hash file stolen. They didn't use a salt or a slow hash function.

Just using one computer and some free software, this person was able to extract 1.4 million of the LinkedIn passwords in five hours.

https://community.qualys.com/blogs/secu ... -passwords
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Ged »

ProfessorX wrote:
Ged wrote:
ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
"Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information."
Spiffs
Posts: 224
Joined: Sat Jan 19, 2013 10:33 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Spiffs »

Whoops, I just made a thread about this, and then saw this one, so I deleted my duplicate thread and pasted below what I had written there.

Good time to change passwords (over a billion stolen!)

Just a heads-up. In case you haven't heard about this (Russian Crime Ring Amasses Over a Billion Internet Passwords) already, I believe this means that it would be a good time to change all the passwords to your financial accounts, e-mail accounts, and any other accounts with sensitive information in them (such as e-commerce websites like Amazon.com, Ebay.com, and PayPal.com and utilities websites, which you may have store your credit card or bank information, as well as any online backup, government, professional, or health-related accounts, etc.).

As The New York Times wrote, this breach is SO big (over 1.2 billion unique user name and password combinations stolen from over 420,000 websites), you should assume that some of your usernames and passwords are among those that have been stolen.
  • This webpage has great tips on creating (re)memorable passwords.
  • This website gives you an estimate on how long it would take to crack your password (or decode a hashed password from some corporate account databases where yours may be stored). For instance, "AuntieJ0" would take about 14 minutes to crack, according to the site. Here's another site that provides estimates, which also has some more background about their estimates as well as some helpful online security tips.
Remember, though, that it's not so much about how super complex your password is (though it never should be a dictionary word, closely based-off of one, or something that is easy to guess, like a family name or birth date), as it is about using a unique password for each aforementioned important financial, e-mail, e-commerce, health, etc. account (so that when a corporate database with your username and password is stolen, it isn't the password for all your accounts that was stolen).

If you can enable two-factor authentication for any of your important accounts, I would definitely do so, too. (As an aside, I don't know why all financial sites don't already have this as an option--it blows my mind that the only financial account I have that does is my little credit union's online account, and not any of the financial accounts I have with big corporate entities).
Hope this is helpful! Stay safe out there!
dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by dolphinsaremammals »

Hastibe wrote:.

If you can enable two-factor authentication for any of your important accounts, I would definitely do so, too. (As an aside, I don't know why all financial sites don't already have this as an option--it blows my mind that the only financial account I have that does is my little credit union's online account, and not any of the financial accounts I have with big corporate entities).
I'm getting a little fatalistic about this type of thing. I saw no indication in the article that the criminals couldn't just go back into sites again and steal passwords again. I do have unique passwords for every site except the ones I don't care about, and I do check my financial accounts often.

3-4 of the credit unions I have accounts at use two-factor authentication. I wish every financial site did. The largest credit union I do business with does not, go figure. However that one doesn't even let you set a verbal password for calling in, they let in anyone who knows stuff like your birthdate and a few other things.
Carl53
Posts: 2693
Joined: Sun Mar 07, 2010 7:26 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Carl53 »

dolphinsaremammals wrote: I'm getting a little fatalistic about this type of thing. I saw no indication in the article that the criminals couldn't just go back into sites again and steal passwords again. I do have unique passwords for every site except the ones I don't care about, and I do check my financial accounts often.
Agreed. If this is becoming the primary means of breaking into accounts, it doesn't matter how long or complex your passwords are. Somewhat complex passwords may keep out family members, but it seems that these folks have the where-with-all to overcome virtually all of your best efforts.
User avatar
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by midareff »

At the time of the last big scare, and after reading a bunch of posts here I added LastPass to my collection of IT tools. After watching a security analysis link about it I used it to generate unique 10 and 12 character upper/lower case and numeric passwords for each site that handles money or credit cards. Thanks to the folks here who wrote about it. While I'm sure nothing is truly safe on the net I'm as secure as I can be now.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by jchef »

Carl53 wrote:
dolphinsaremammals wrote: I'm getting a little fatalistic about this type of thing. I saw no indication in the article that the criminals couldn't just go back into sites again and steal passwords again. I do have unique passwords for every site except the ones I don't care about, and I do check my financial accounts often.
Agreed. If this is becoming the primary means of breaking into accounts, it doesn't matter how long or complex your passwords are. Somewhat complex passwords may keep out family members, but it seems that these folks have the where-with-all to overcome virtually all of your best efforts.
It actually matters quite a bit.

Nearly all websites will hash their passwords. Meaning that they don't store the actual password, instead they store a hash of the password. Unfortunately, many websites don't use a salt or a slow hash function. What this means is if hacker can steal a hash file that doesn't use a salt or a slow hash function, they can extract most of the passwords from the hash file.

However even if the hash file doesn't use a slow hash function or a salt, using a very long and random password can still make extracting this password from the hash file extremely time consuming. Eventually after the hackers have extracted 97% of the passwords from the hash file they are going to give up on the rest. It just isn't worth the amount of computer time to try extract the rest of the passwords. (I'm just making the 97% number up, but you get the point).

If a hacking group can extract 97% of the passwords in a week, they aren't going to be that interested in trying to spend the next year (or decade) trying to extract the rest. They'll just move on to try to hack a new password hash file.



Edit: in case people don't understand the basics of hashing, here's a website that will calculate a SHA-1 hash. This is a commonly used hash function and one that shouldn't be used to generate password hashes, but unfortunately sometimes is. (don't enter you actual password into this website)

http://www.sha1-online.com/

Say your password is: 123456
The hash of that is: 7c4a8d09ca3762af61e59520943dc26494f8941b

So the website is going to store the hash, not your actual password. So when you enter your password to log in, the website is going to quickly create the SHA-1 hash of it. It will then compare the hash it just generated to the one in its hash file. If they match, then it will let you in the website.

Hashes are complicated mathematical functions with the idea even if you know the hash, it's nearly impossible to figure out the input without using brute force and trying nearly every possible combination. So if you are using a 32 character password, even if the hackers have the hash, trying to figure out your original password is going to take an incredible length of time to try nearly every possible password until they finally find yours.

But if you are using an 8 character password it actually doesn't take that long for a computer to generate a hash for every 1 character, 2 character, ..., and 8 character password, if a fast hash function is being used.
Last edited by jchef on Wed Aug 06, 2014 7:27 am, edited 1 time in total.
rkhusky
Posts: 17767
Joined: Thu Aug 18, 2011 8:09 pm

Re: "Strong passwords"

Post by rkhusky »

Louis Winthorpe III wrote: "This particular case doesn't affect us directly." I wonder what that means. Seems like it would affect pretty much everybody directly, at least potentially.
They are not stealing passwords in order to make odd posts under your username on Bogleheads. On the other hand, if you use the same user/pass combo on Bogleheads as you do on Vanguard, then you could be in trouble. (Or the comment could mean that the security holes that were used are not present on Bogleheads.org)
User avatar
midareff
Posts: 7711
Joined: Mon Nov 29, 2010 9:43 am
Location: Biscayne Bay, South Florida

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by midareff »

On second glance....... over a billion is a big number... population of the earth is maybe 7.5 billion? Deduct a few billion for unconnected folk in China, India, the third world, etc., and a couple billion more for infants, juveniles, the elderly who don't use password sites, etc. Do they have the password for every one left?
User avatar
magellan
Posts: 3489
Joined: Fri Mar 09, 2007 3:12 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by magellan »

dolphinsaremammals wrote:I do have unique passwords for every site except the ones I don't care about, and I do check my financial accounts often.
Reusing passwords for sites you don't care about is sort of bad manners. It causes grief for website owners and users at the other sites where you reused credentials. Following a hack at one site, your accounts at sites where you reused the credentials will almost certainly be turned into spammer bot accounts or used for some other nefarious purposes. In general, whenever a site's password database is hacked, the miscreants use automatic scripts to test the stolen credentials on hundreds or thousands of other sites, looking for valid credential/site pairs that they can resell to other miscreants.

Even when it doesn't matter for your security, it's more polite to keep all your passwords unique. A simple trick is to tack part of the name of the site to the end of a common "don't care" password to make it unique (eg <commonpassword>+bogle). You could think of clever variants of this trick that are easy to remember, but keep things unique. This system probably wouldn't thwart a sophisticated and personally targeted attempt to derive one of your passwords from the other, but it would likely thwart bulk credential reuse checks that are deployed whenever a site's password database is hacked.

Jim
Last edited by magellan on Wed Aug 06, 2014 8:07 am, edited 1 time in total.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by jchef »

midareff wrote:On second glance....... over a billion is a big number... population of the earth is maybe 7.5 billion? Deduct a few billion for unconnected folk in China, India, the third world, etc., and a couple billion more for infants, juveniles, the elderly who don't use password sites, etc. Do they have the password for every one left?
According to wiki, 40% of the world's population is using the internet: en.wikipedia.org/wiki/Global_Internet_usage

Nearly of them likely have at least an email account or instant messaging account. And most people will have many more than 1 account.
rkhusky
Posts: 17767
Joined: Thu Aug 18, 2011 8:09 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by rkhusky »

jchef wrote:
midareff wrote:On second glance....... over a billion is a big number... population of the earth is maybe 7.5 billion? Deduct a few billion for unconnected folk in China, India, the third world, etc., and a couple billion more for infants, juveniles, the elderly who don't use password sites, etc. Do they have the password for every one left?
According to wiki, 40% of the world's population is using the internet: en.wikipedia.org/wiki/Global_Internet_usage

Nearly of them likely have at least an email account or instant messaging account. And most people will have many more than 1 account.
My password list probably has 50 user/passes.
Jeff7
Posts: 329
Joined: Sat Nov 24, 2012 1:30 pm

Re: "Strong passwords"

Post by Jeff7 »

Taylor Larimore wrote:Bogleheads:

I alerted Administrator, Larry Auton, who is a computer whiz. This was his reply:
This isn't really news to folks who do what we do. People should use strong passwords but they never will.

This particular case doesn't affect us directly.
Thank you, Larry.

Best wishes.
Taylor
Of course, even "strong" passwords aren't always so strong anymore, due in large part to leaks like this.

Passwords can be examined for patterns.
So let's say your password needs to include spaces, punctuation, and numbers.


My house is a big1!
There's a password that meets those criteria and is easy to remember.
- First letter is capitalized.
- Standard sentence structure is followed.
- Last character is punctuation.
- Number is at the end of a word.

If a password is going to be easy for a human brain to remember, it will follow a pattern. With billions of passwords available to analyze for patterns, you can brute-force that password dictionary first, then try the most probable password permutations next, and then start really brute-forcing it.

You can only really do a brute-force attack like that though if you have direct access to the encrypted data. If you're forced to go through an interface which has an automatic lockout after X failed attempts, you'd better be very good at guessing.
There are still plenty of poor implementations out there though - some of the worst leaks were when someone broke through a server's perimeter defenses and found the usernames and passwords stored in plain text, entirely unencrypted.
Make the interface robust and resilient, encrypt the connection, and properly encrypt the data stored on the server.


Then there's also the old-fashioned way to get in: "I was told to work on some kind of network slowdown, but they didn't give me the administrative login yet; I think there was a meeting somewhere that had everybody tied up. Do you have that?"


ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
Only if they're legally required, I'm sure.
Revealing something like that could cause a plunge in stock price, or risk losing customers, and that, unfortunately, greatly outweighs the perceived cost of leaving customers vulnerable.
Last edited by Jeff7 on Thu Aug 07, 2014 9:16 am, edited 1 time in total.
HogsAndApples
Posts: 199
Joined: Thu Feb 02, 2012 4:52 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by HogsAndApples »

Is it worth it to change all my passwords now? Or do I wait until after I know if the site has been fixed?
dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by dolphinsaremammals »

HogsAndApples wrote:Is it worth it to change all my passwords now? Or do I wait until after I know if the site has been fixed?
I ran around and changed all my passwords and made them unique to all the sites I use except the ones that don't matter (update: having now read above why this is not good, I will fix that) after the previous event - I don't even remember which site that was, ebay?

Now who knows when a zillion sites will protect the data or even if they can - the article I read did not make the latter clear. I'm not chasing a moving target any more, although I may do another upheaval at some point. I will be, of course, watching my financial accounts closely.
User avatar
TimeRunner
Posts: 1939
Joined: Sat Dec 29, 2012 8:23 pm
Location: Beach-side, CA

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by TimeRunner »

Additional info in Q&A format on this incident: http://krebsonsecurity.com/2014/08/qa-o ... -accounts/
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
S&L1940
Posts: 1658
Joined: Fri Nov 02, 2007 11:19 pm
Location: South Florida

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by S&L1940 »

Hastibe wrote: Hope this is helpful! Stay safe out there!
From the above security tip link:
"Regularly monitoring your financial records can help minimize the damage if someone gets your information. But only the companies storing your personal data are responsible for securing it. Consumers can slow down hackers and identity thieves, but corporate computer security and law enforcement are the biggest deterrents."

So, yes, shuffle the passwords but if they are not properly protected and we are not immediately (if possible) notified when there is a break in, presumably the passwords can be worked over and cracked without our knowledge.

And staying safe means monitoring our accounts regularly. There are Bogleheads who post about not checking their Vanguard account often because their allocation is long term and it is set to automatically move through the process. That could lead to some surprises...
Don't it always seem to go * That you don't know what you've got * Till it's gone
denovo
Posts: 4808
Joined: Sun Oct 13, 2013 1:04 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by denovo »

I don't know about everyone else here, but I have so many darn accounts I log in to, I end up recycling passwords. However, I think this is why it's important that all financial institutions like credit cards, banks, and brokerages implement two-factor authentication, so the loss of a password isn't "game over"
Last edited by denovo on Wed Aug 06, 2014 3:58 pm, edited 1 time in total.
"Don't trust everything you read on the Internet"- Abraham Lincoln
ajcp
Posts: 719
Joined: Fri Dec 13, 2013 5:44 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ajcp »

ProfessorX wrote:
Ged wrote:
ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
Related: Hold Security will tell you if your passwords are compromised for only $120! No potential conflict of interest there.

http://mobile.theverge.com/2014/8/6/597 ... -hack-ever
User avatar
LadyGeek
Site Admin
Posts: 95701
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by LadyGeek »

^^^ Website link is for mobile devices. For those viewing on a desktop: The Russian 'hack of the century' doesn't add up

The $120 cost is in the article's comment section.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
livesoft
Posts: 86080
Joined: Thu Mar 01, 2007 7:00 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by livesoft »

You know what is going to happen. The Kremlin (usually spelled P-U-T-I-N) will eventually need to crash the economies of the West, so they will just subvert these Russian hackers and say, "Do it." And they won't use an e-mail to ask them to do it, so it won't be traced back to a government action.
Wiki This signature message sponsored by sscritic: Learn to fish.
surfstar
Posts: 2853
Joined: Fri Sep 13, 2013 12:17 pm
Location: Santa Barbara, CA

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by surfstar »

Starting to rethink LastPass again...!
ProfessorX
Posts: 568
Joined: Mon Jul 04, 2011 12:29 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ProfessorX »

So the NYT got tricked into acting like free advertising for a Cyber Security Firm that carefully tried to over dramatize a security thread for profit?
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by jchef »

ajcp wrote:
ProfessorX wrote:
Ged wrote:
ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
Related: Hold Security will tell you if your passwords are compromised for only $120! No potential conflict of interest there.

http://mobile.theverge.com/2014/8/6/597 ... -hack-ever
If Krebs is confirming the story it's true, then it's highly likely to be true. The chances that both the NY Times and Krebs got duped seems extremely low.

So even though the actions of Hold Security don't look great, it seems highly likely they are telling the truth.
nhrdls
Posts: 108
Joined: Tue Aug 20, 2013 5:14 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by nhrdls »

midareff wrote:On second glance....... over a billion is a big number... population of the earth is maybe 7.5 billion? Deduct a few billion for unconnected folk in China, India, the third world, etc., and a couple billion more for infants, juveniles, the elderly who don't use password sites, etc. Do they have the password for every one left?
I think that's wrong way to calculate. On average, a person has around 10 accounts on various sites - and I think they are counting those accounts get hacked, not the actual individuals.
ProfessorX
Posts: 568
Joined: Mon Jul 04, 2011 12:29 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ProfessorX »

jchef wrote:
ajcp wrote:
ProfessorX wrote:
Ged wrote:
ProfessorX wrote:It's disappointing that whoever these companies are don't reveal the password breach to their customers.
They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
Related: Hold Security will tell you if your passwords are compromised for only $120! No potential conflict of interest there.

http://mobile.theverge.com/2014/8/6/597 ... -hack-ever
If Krebs is confirming the story it's true, then it's highly likely to be true. The chances that both the NY Times and Krebs got duped seems extremely low.

So even though the actions of Hold Security don't look great, it seems highly likely they are telling the truth.

IMO, after reading up extensively on the matter, they are telling a highly selective and misleading self serving truth. But, yes, the truth.
User avatar
Steelersfan
Posts: 4129
Joined: Thu Jun 19, 2008 8:47 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Steelersfan »

As a precaution I changed my password on all the financial sites where I have an account. There are four of them. It took about ten minutes, mostly bouncing through menus to find the page where you do that.

What was interesting was when I googled "test security passwords" I got a whole pages of sites which allow you to enter your proposed password (better yet a proxy for it) to see how strong the password is. I tried about half a dozen. The difference of opinions was ridiculous. Some of them gave an opinion (weak, medium, strong, very strong, etc) and some gave a time to hack the password. I got below average, medium or strong on the opinion tests, while the hack time results varied from a couple of hours to several years, all for the same password, which has numbers and upper and lower case letters.

What's up with that? :oops:
ajcp
Posts: 719
Joined: Fri Dec 13, 2013 5:44 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by ajcp »

ProfessorX wrote:
jchef wrote:
ajcp wrote:
ProfessorX wrote:
Ged wrote: They might not even know. Being vulnerable to SQL injection implies a very low level of expertise.
It sounds like they do know:
Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic.
Related: Hold Security will tell you if your passwords are compromised for only $120! No potential conflict of interest there.

http://mobile.theverge.com/2014/8/6/597 ... -hack-ever
If Krebs is confirming the story it's true, then it's highly likely to be true. The chances that both the NY Times and Krebs got duped seems extremely low.

So even though the actions of Hold Security don't look great, it seems highly likely they are telling the truth.

IMO, after reading up extensively on the matter, they are telling a highly selective and misleading self serving truth. But, yes, the truth.
This. I'm not saying they're lying, but I think they're hyping it up more than it deserves.
User avatar
BolderBoy
Posts: 6755
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by BolderBoy »

jchef wrote:Nearly all websites will hash their passwords. Meaning that they don't store the actual password, instead they store a hash of the password. Unfortunately, many websites don't use a salt or a slow hash function. What this means is if hacker can steal a hash file that doesn't use a salt or a slow hash function, they can extract most of the passwords from the hash file.
The password breaking tools even recommend not wasting too much time on hashed passwords that were also salted - even if the salt was pretty simple. Salting VASTLY increases the complexity of breaking a password.

And salting is so easy to do, there is no excuse not to do it, prior to the hashing. Add in SHA2(512) or SHA3 level hashing and breaking the PW is virtually insurmountable at this time.
User avatar
beyou
Posts: 6915
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by beyou »

This is why you need 2 factor authentication.
My etrade and paypal accts have it, why not Vanguard ?
NOgmacks
Posts: 169
Joined: Mon Dec 30, 2013 9:22 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by NOgmacks »

surfstar wrote:Starting to rethink LastPass again...!

Once I made the leap of faith and got Lastpass there was no turning back. I feel more secure now with a sufficiently hard master password and the two factor authentication turned on.
User avatar
LadyGeek
Site Admin
Posts: 95701
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by LadyGeek »

Security expert Bruce Schneier is now questioning this whole thing: Over a Billion Passwords Stolen? Be sure to read the comments.

He also provides some suggestions about passwords: Choosing Secure Passwords
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
User avatar
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Ged »

One of the problems with this is that Hold Security is not notifying sites if their credentials are in the database unless they pay a fee. This is really problematical.

http://www.itworld.com/data-protection/ ... heir-heads
Shadow_Dancer
Posts: 162
Joined: Thu Jun 19, 2014 1:40 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Shadow_Dancer »

This article, which comes courtesy of CNET News, I feel, provides some balance to the alarmist sounding article in the New York Times:

Why you shouldn't be scared by the 'largest data breach' ever
Experts say the reported heist of 1.2 billion account credentials is legit, but caution that for most people there's little they can do -- or should be worried about . . . http://www.cnet.com/news/why-you-should ... ta-breach/.



Shadow_Dancer
Spiffs
Posts: 224
Joined: Sat Jan 19, 2013 10:33 pm

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Spiffs »

Steelersfan wrote:What was interesting was when I googled "test security passwords" I got a whole pages of sites which allow you to enter your proposed password (better yet a proxy for it) to see how strong the password is. I tried about half a dozen. The difference of opinions was ridiculous. Some of them gave an opinion (weak, medium, strong, very strong, etc) and some gave a time to hack the password. I got below average, medium or strong on the opinion tests, while the hack time results varied from a couple of hours to several years, all for the same password, which has numbers and upper and lower case letters.

What's up with that? :oops:
Steelersfan, I think you (and others) might find these articles helpful in understanding what's going on here (though I got lost in parts of them, I ultimately thought they were extremely informative and interesting):
surfstar
Posts: 2853
Joined: Fri Sep 13, 2013 12:17 pm
Location: Santa Barbara, CA

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by surfstar »

NOgmacks wrote:
surfstar wrote:Starting to rethink LastPass again...!

Once I made the leap of faith and got Lastpass there was no turning back. I feel more secure now with a sufficiently hard master password and the two factor authentication turned on.
Started LastPass last night and let me tell you - its a pain in the Pass! I'm tech savy and when I go to change passwords at various sites using a strong, new, password from the generator - its about 50/50 of LastPass actually not messing up the "old password" and "new password" inputs. Copy & Paste can straighten it out sometimes. Of course on Vanguards login, it prompts that I've entered a wrong password when LP is used. :oops:
I'm sure I'll iron it out eventually, but it is much less user-friendly than I would have thought (30-something with good computer skills). :x
User avatar
LadyGeek
Site Admin
Posts: 95701
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by LadyGeek »

May I suggest KeePass? See this thread: KeePass vs LastPass - feel free to continue the discussion.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: "Russan Gang Amasses Over A Billion Stolen Passwords"

Post by Mudpuppy »

jchef wrote:Intelligent websites don't store passwords. They store hashes of passwords. And if the administrators are doing their jobs properly, the hashes are salted and they are using a slow hash function. If they take both of these steps, even if the hash files are stolen, extracting the passwords from the hash files is so slow as to be nearly impossible (or at least very impractical).

I'm guessing the hackers found a bug that allowed them to retrieve hash files from a certain website architecture. And if those hash files weren't salted and didn't use a slow hash function, it wouldn't be that difficult to extract many millions of passwords.
Unfortunately, most websites think that switching to SHA256 or SHA512 is switching to a "slow" password function. Granted, they take longer than SHA1 or MD5, but they're still relatively fast for someone with a modern GPU cracker or for someone with the storage capabilities to build large rainbow tables. Even actual slow algorithms could still be vulnerable to rainbow table attacks, depending on their output length and the current data storage capabilities of the attacker.

By the way, salts have an effect on GPU crackers, but it is not as big of an effect as some might have you think. The salts are stored in the plain, so the GPU cracker can just preprocess the password database for all of the unique salts in that database. Then it will have to generate that many hashes per guessed password, but we're only talking about a factor of increase that is at worst proportional to the number of hashes in the database (and the number of salts tested decreases as more passwords are cracked). Salts are really meant to increase the storage requirements for rainbow tables to an infeasible point (although it's not nearly as infeasible today as it used to be).

Back to the original article, if you don't reuse passwords, there's not much to do at this point. If the database has your password for xyz site, then xyz site was compromised severely enough to retrieve the password database. That means xyz site should now be considered "insecure" and changing your password only delays things until the next password database dump and crack. But your password for xyz site should not be reused anywhere else, so your risk/damages are contained to xyz site.

Just give up on memorizing a ton of passwords. Make a few really good (at least 24 characters, more is better) master passwords using some technique like DiceWords, pronounceable passwords, etc. and use a password locker program to remember individual site passwords. Have separate lockers for separate tasks (e.g. one for financial/retirement accounts, one for social media/forums, one for work, etc).
Post Reply