Credential stuffing is one of the most common account takeover attacks. It is a cyber attack where attackers use stolen credentials to gain authorized access to enterprise systems through large-scale automated login requests.
Today’s solutions to deal with credential stuffing are insufficient and don’t consider the urgency of the enterprise risk. It amounts to companies saying “look we tried” but watching breach after breach continue to disrupt business.
I’m less concerned about the breach of data (it’s all available anyways) and more concerned about protecting the enterprise. This means that I won’t point to insufficient remediation and rest on the “we tried” argument.
I want to minimize the risk to companies I work with. Let’s have a look at how we can do that.
The most common ways to counter credential stuffing are:
- Two-factor authentication
- Educating users so they don’t reuse passwords
Simply put, two-factor authentication is complicated to manage at scale and hard for users. That doesn’t mean it’s bad. That also doesn’t mean there aren’t good solutions to help companies manage. In fact, it’s important and there are good solutions out there.
However, as with anything related to cybersecurity it’s always good to have multiple layers of protection. Especially since two-factor authentication requires changes to applications, and you don’t always have control over the applications your employees and customers use. Besides, two-factor authentication isn’t a panacea and at times can itself be insecure.
Companies need to seriously rethink how they make users aware of their cybersecurity hygiene. That’s the subject for another post.
Here’s the thing. You are educating your users not to reuse passwords, and then making them use complex passwords that are hard to remember (and sometimes you even still require they change their passwords quarterly). Of course, they’re going to reuse them. It’s human nature.
Education that goes against human nature is hard. We have to figure out how to work with human nature to get better results.
That all said, password managers are great but they’re still too hard to use (I use one) and not widespread enough. Browsers are doing some interesting stuff remembering passwords, but it’s early in their implementations and there’s still a huge password reuse threat.
No one is ever going to stop reusing passwords.
No more than 15% of people will successfully use password managers. Fewer than that will do so consistently.
STOP VICTIM-BLAMING USERS FOR OUR INDUSTRY'S ABJECT FAILURE TO DEPLOY WORKABLE SOLUTIONS TO A DECADES-OLD PROBLEM.
— Blaine Cook (@blaine) February 23, 2019
Restate the risk
A company is at risk if their users reuse passwords.
“For example, if you used your Starwood password anywhere else, that other account you used it at is now at a much higher risk of getting compromised.” (Brian Krebs on the Marriott breach)
Current solutions put the onus of protection on the user by adopting two-factor authentication or better user awareness about the risks of password reuse. However, the risk is borne by the organization.
We need a way to map the mitigation effort to the place where the risk lies. Meaning, since the company bears the risk of breach due to password reuse, the best way to approach the problem would be for the company to do something to help themselves other than put the burden on the user for the good of the company and hope things work out. Even if your users have the best intentions wouldn’t you want to help them with more than hope?
Remember, customers of your company’s technology outnumber by a large margin the number of employees you have. Even if you could force every employee to add friction to their own login procedures, you’d still be chasing away customers who find your password rules too frustrating to bother.
How can the company help themselves?
Why not add in a real-time check against known compromised passwords?
If a password has been compromised why allow a user to continue to use it?
Why allow a new user to use a previously compromised password?
Partly the answer is that real-time is hard. Doing this in the flow of the user login process adds latency which the business knows is bad (for shopping cart fulfillment for example).
Partly the answer is that monitoring all passwords, all the time, against every changing known breach data is arduous (though can be automated).
I think it’s simply a different way of thinking about password security that adds a layer of protection to existing methods. Companies can take advantage of new solutions (like ours) that live in the cloud and ingest relevant breach data from the dark web. Breach data can then be used to help companies lower their cyber risk profile by avoiding the reuse of breached passwords from other sites.
Lowering a company’s risk profile is not an absolute process, so any tool that helps weight the odds more in the company’s favor should be welcome.
A final note on user awareness
I think people want to help, they just don’t want to be too badly inconvenienced on the hope of being helpful.
It reminds me of a passing comment about credit scores. When talking to a bank about something (business related) they mentioned that giving customers their credit scores didn’t change their credit behavior (and so giving them a cybersecurity score would also not drive behavioral change).
The thing is, the way our behavior impacts our credit score is a complete mystery. So, how would anyone expect simply having a number but not understanding how our behavior impacted that number would change behavior?
Users are familiar with real-time NIST password validation for length and special characters. If we simply request a password reset when a compromised password is in use (even if it wasn’t your company that was breached), people will understand. People will realize that “this password was compromised, so it needs to be changed” and will oblige. It’s specific and the mitigation action, their extra friction, is mapped directly to a threat so they know the extra work is helpful.
This is the change in user education that’s needed. Mapping user behavior directly to the risk their behavior presents. In the credit score example, if people understood how their financial habits impacted their credit score they could make better decisions and trade-offs. As a mystery process, the credit score is more of a curiosity treated with skepticism rather than a tool to help people create healthy habits.
Same goes for security.