Credential Stuffing Attacks: Why Using Different Passwords is Vital
It’s January and, as promised, I’m back with another newsletter on computer security. Sadly, it won’t be as much fun to read as my previous one (which was a lot of fun to write, I must say.) Still, I will try to keep things understandable and easy to follow. That’s assuming I haven’t lost my touch during my Christmas staycation, so here goes:
For this newsletter, the topic is (drum roll please): “Passwords.” Now then, before you groan and move on because “I’ve beaten this horse to death”, what I want to do is explain exactly why password hygiene is so vital. I’m also going to explain what a Credential Stuffing Attack is.
So, to start this all off, I’ll talk about the database. Why? Because that’s where any kind of user information is stored. When you create a database, you give it a name (obviously), and inside it you create tables to hold the information. Each table has to be defined up front, so that when data is stored in it, the database knows what sort of information goes into each spot and how much room it takes up. For example: say you have a table storing 4 things (Name, Email, Age, Password.) The database needs to know what sort of data goes into each of those places, so it can allocate the proper amount of space for every row in the table.
Name – A string of characters. Any numbers are rejected and there’s a limit on how long it can be. That limit is decided when you create the table and is hardcoded, so it can’t be changed (because that’s how a database works.)
Email – A more complicated string, which allows letters, numbers and special characters like @. Again, a maximum length that’s decided when the database is created.
Age – An Integer, since that’s how we deal with a person’s age. There’s a maximum value for the integer, which depends on how many bits are used to store it (32 or 64, depending on the operating system.)
Password – A Hash. Nobody should ever store a password in plain text.
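To make the table definition above concrete, here is an added example (my own, not code from the original post) that builds the four-column users table in SQLite and enforces the sizes the post talks about. SQLite does not enforce a length on its text columns by itself, so the example uses CHECK constraints; the column for the password hash is sized to exactly 60 characters because that is what bcrypt always produces, and the bcrypt string is the post’s own sample hash of “Password1”. The name, email and age limits are assumptions chosen for illustration.

```python
import sqlite3

# The blog post's own sample bcrypt hash of "Password1" (60 characters).
SAMPLE_BCRYPT = "$2a$04$6i/1VktMAl5gfZBSnJ4AdOtxvrm/cprzzvooIiu8VER.2bu41qQ8G"

# Assumed limits for the example: 50-char names, 254-char emails, ages 0-150.
# SQLite ignores VARCHAR(n) lengths, so each limit is spelled out as a CHECK.
SCHEMA = """
CREATE TABLE users (
    name          TEXT    NOT NULL CHECK (length(name) <= 50),
    email         TEXT    NOT NULL UNIQUE
                          CHECK (length(email) <= 254 AND instr(email, '@') > 1),
    age           INTEGER NOT NULL CHECK (age BETWEEN 0 AND 150),
    -- bcrypt output is always 60 characters and starts with $2x$NN$,
    -- so the column can be sized exactly and a plaintext password is rejected.
    password_hash TEXT    NOT NULL
                          CHECK (length(password_hash) = 60 AND password_hash LIKE '$2_$__$%')
);
"""


def open_db():
    """Create an in-memory database containing the users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_user(conn, name, email, age, password_hash):
    """Insert one row. Returns True on success, False if a constraint rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO users (name, email, age, password_hash) VALUES (?, ?, ?, ?)",
                (name, email, age, password_hash),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def demo():
    """Try a valid row plus several rows that each break one of the column rules."""
    conn = open_db()
    results = {
        "valid_row": insert_user(conn, "Alice", "alice@example.com", 34, SAMPLE_BCRYPT),
        # a plaintext password slipped in where a hash belongs: wrong length and format
        "plaintext_password": insert_user(conn, "Bob", "bob@example.com", 41, "Password1"),
        "name_too_long": insert_user(conn, "X" * 51, "x@example.com", 20, SAMPLE_BCRYPT),
        "bad_age": insert_user(conn, "Carol", "carol@example.com", 999, SAMPLE_BCRYPT),
        "duplicate_email": insert_user(conn, "Alice2", "alice@example.com", 35, SAMPLE_BCRYPT),
    }
    results["row_count"] = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Only the first insert survives; the other four are rejected by the constraints, including the row where someone tried to store the password itself instead of its hash.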
What is a “Hash”? It is simply a string. Without getting into too much technical detail, you take some data, like a password, perform some computer wizardry on it, et voilà, you get a hash. A simple example would be turning a password like “Password1” into the hash “$2a$04$6i/1VktMAl5gfZBSnJ4AdOtxvrm/cprzzvooIiu8VER.2bu41qQ8G” by using a common hashing function called ‘bcrypt.’
Now, what’s the big deal about this whole hash thing? Well, first of all, no matter how big the input data, the output hash is always the same length (which is intentional.) This makes building a database easy, since you know how big to make your password storage container. Second, it’s more secure, because it is rather hard to reverse a hash, in order to find out what the input was.
But here’s the thing. It’s far from impossible. There is only a limited number of hash functions to choose from. Making a hash function is not easy, so the truth is that nobody makes their own. They use the ones that are openly available, and those are limited. Still, it’s better than nothing. So, what does all of this have to do with Credential Stuffing and Password Hygiene? I’m glad you asked.
The Internet makes it easy for attackers to buy and sell data from hacks. This means that as an attacker, I can rapidly and cheaply get my hands on the raw data from several hacks. Due to how hashing works, it’s pretty easy to look at the hashes and tell which function was used to create them. It’s also very simple to look through the data and search for repeats of the same hash. Once repeated hashes are found, you spend some computer resources to brute-force whatever password produced the hash. And bingo, a commonly used password. Well, not instant, but if you focus on the hashes that occur most often first, you’re improving your odds of getting a useful password.
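The two properties the post leans on (a hash function’s output has a fixed, recognisable length, and repeated hashes in a table reveal shared passwords) can be checked on your own user table. The following is an added example, written for this post rather than taken from it: it identifies a hash by its shape, shows that the output length does not depend on the input, and compares an unsalted table with a salted one. The user list is constructed, and PBKDF2 from the Python standard library stands in for bcrypt so that the example runs without third-party packages; the bcrypt string is the post’s own sample. The point for defenders: storing a per-user random salt with a slow hash (bcrypt, scrypt, Argon2, PBKDF2) means identical passwords no longer produce identical hashes, so the frequency sorting the post describes yields nothing.

```python
import hashlib
import os
import re
from collections import Counter

# The blog post's own sample bcrypt hash of "Password1".
BLOG_HASH = "$2a$04$6i/1VktMAl5gfZBSnJ4AdOtxvrm/cprzzvooIiu8VER.2bu41qQ8G"


def guess_hash_function(h):
    """Identify a stored hash from its shape alone. Every hash function has a fixed
    output length, and modern password hashes carry a self-describing prefix, which
    is why the post says it is easy to tell which function produced a table."""
    if h.startswith(("$2a$", "$2b$", "$2y$")) and len(h) == 60:
        return "bcrypt"
    if h.startswith("$pbkdf2-"):
        return "pbkdf2"
    if re.fullmatch(r"[0-9a-f]{32}", h):
        return "md5-like (32 hex, unsalted)"
    if re.fullmatch(r"[0-9a-f]{40}", h):
        return "sha1-like (40 hex, unsalted)"
    if re.fullmatch(r"[0-9a-f]{64}", h):
        return "sha256-like (64 hex, unsalted)"
    return "unknown"


def unsalted_hash(password):
    """The weak way: plain SHA-256, so the same password gives the same hash for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None):
    """The right way: a per-user random salt and a slow key-derivation function.
    PBKDF2-HMAC-SHA256 (stdlib) is an assumed stand-in for bcrypt; the salt is
    stored alongside the digest so the hash can be re-computed at login."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return "$pbkdf2-sha256$100000$%s$%s" % (salt.hex(), dk.hex())


def repeated_hashes(stored):
    """Hashes that occur more than once, with their counts. In an unsalted table each
    repeat marks a group of users sharing one password; a salted table shows none."""
    return {h: n for h, n in Counter(stored).items() if n > 1}


# Constructed sample user table: three of five users picked the same weak password.
USERS = [("alice", "Password1"), ("bob", "Password1"), ("carol", "hunter2"),
         ("dave", "Password1"), ("erin", "correct horse battery staple")]


def audit():
    unsalted = [unsalted_hash(p) for _, p in USERS]
    salted = [salted_hash(p) for _, p in USERS]
    return {
        # output length is independent of input size (1 byte vs 100,000 bytes)
        "fixed_length": len(unsalted_hash("a")) == len(unsalted_hash("a" * 100_000)),
        "unsalted_repeats": repeated_hashes(unsalted),   # one hash shared by 3 users
        "salted_repeats": repeated_hashes(salted),       # empty: every row salted differently
        "unsalted_kind": guess_hash_function(unsalted[0]),
        "salted_kind": guess_hash_function(salted[0]),
        "blog_kind": guess_hash_function(BLOG_HASH),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(key, "=", value)
```

Run against a real table, a non-empty `unsalted_repeats` result is the signal that the storage scheme needs to change before a dump of it ever circulates.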
So, after all of that, then what? Well, then comes the actual “Credential Stuffing Attack.” One of the most routinely used usernames on any login is an email address. Hence, all you need is a list of those and your list of known, often-used passwords, and you’re ready to try logging in anywhere. That’s how you hack into somewhere without ever using an exploit or crack. You bypass all of the security by using a password that you got from somewhere that had nothing to do with the place you’re trying to get into. The only reason the attack succeeds is because people are lazy and don’t practice good old Password Hygiene, using the same password over and over and over again.
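Because a stuffing run cycles through a leaked list of email addresses rather than hammering one account, it looks different in login logs from a user who mistypes their own password. The following added example (mine, not the post’s) parses a few constructed login events and flags any source address that tries many distinct usernames in a short window with mostly failures; the log format, thresholds and addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): timestamp, source IP, username, outcome.
# 203.0.113.7 walks a list of accounts; 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2021-01-12T09:00:01Z 203.0.113.7 alice@example.com FAIL
2021-01-12T09:00:02Z 203.0.113.7 bob@example.com FAIL
2021-01-12T09:00:02Z 203.0.113.7 carol@example.com FAIL
2021-01-12T09:00:03Z 203.0.113.7 dave@example.com SUCCESS
2021-01-12T09:00:04Z 203.0.113.7 erin@example.com FAIL
2021-01-12T09:00:05Z 203.0.113.7 frank@example.com FAIL
2021-01-12T09:00:06Z 203.0.113.7 grace@example.com FAIL
2021-01-12T09:05:00Z 198.51.100.4 alice@example.com FAIL
2021-01-12T09:05:20Z 198.51.100.4 alice@example.com FAIL
2021-01-12T09:05:45Z 198.51.100.4 alice@example.com SUCCESS
2021-01-12T09:10:00Z 192.0.2.9 bob@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that, within `window`, attempt at least `min_users` *distinct*
    usernames with a failure ratio of `min_fail_ratio` or more. Many accounts from one
    address is the stuffing signal; many attempts on one account is a different problem
    (brute force or a forgetful user) and is deliberately not matched here."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window so that evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    # accounts where the reused password worked: these need a forced reset
                    "compromised": sorted(u for _, u, ok in win if ok),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The useful output is the `compromised` list: the successes inside a flagged run are the accounts whose owners reused a password from some other breach, and those are the ones to reset and notify, not just the address to block.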
I hope that this was an informative look into the murky world of passwords and computers. Also, welcome to 2021 and all the COVID-19 vaccine phishing scams that are happening.
“Disguise, I see thou art a wickedness, / Wherein the… enemy does much.” – So wrote William Shakespeare in his play, “Twelfth Night.”
If you have any questions about good Password Hygiene, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.