Hackers are having a field day with stolen credentials
Hackers are having a field day with stolen credentials

Login credentials have always been a weak link in cybersecurity's protection chain, a situation that's worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.

2016: The Year of Stolen Credentials

Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.

Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.

“This statistic drives our recommendation that this is a bar worth raising,” reads the report.

Why is it so easy for cybercriminals to plunder login credentials?

The triad of end users, website owners and software vendors bears collective responsibility for inadvertently making life easier for credential thieves.

End users, despite constant warnings, continue re-using passwords, allowing hackers to conveniently break into multiple accounts after stealing someone's credentials once. It's like having one key for your bike lock, front door, office building, car and bank box.

Meanwhile, more software vendors should provide advanced hashing, salting and other scrambling technologies for protecting credential information in case it's stolen.

Finally, website owners often don't patch third-party software powering their discussion forums, blogs and other online apps. For example, attackers hacked Clash of Kings' forum after exploiting a known vulnerability in an outdated version of the vBulletin software. The thieves stole personal information from 1.6 million user accounts, including scrambled passwords.

Let's X-ray the attack methods

Typically, hackers “fingerprint” websites' underlying software, such as their blog content management system or discussion forum application, and exploit either known vulnerabilities the website owner left unpatched or zero-day flaws.

In one case, an attacker used misplaced install files to gain admin privileges. In another case, hackers stole one moderator's credentials and used the account to post a malicious message in the forum. After viewing the message, the forum's administrator had his account compromised, leading to a massive breach. Notable vulnerabilities exploited in recent years include CVE-2016-6483, CVE-2016-6195, CVE-2016-6635, CVE-2015-1431, CVE-2015-7808, CVE-2014-9574 and CVE-2013-6129.

What can be done?

Software vendors

Update algorithms used to calculate and store password hashes, which are one-way mathematical functions . Given the password, the hash is resolved, but not vice versa.

But not all hashes are created equal. Some are generated with weak, insecure algorithms, like md5(md5(password)salt), which can be cracked by tools like:

http://project-rainbowcrack.com/

http://ophcrack.sourceforge.net/

http://www.l0phtcrack.com/download.html

Vendors should design software assuming it will be compromised and passwords stolen.

Website owners

When choosing forum or blog software, evaluate its security features, including password hashing. Inventory software products so when vulnerabilities are disclosed, you immediately know what needs to be patched. Vulnerability scanners automate inventory and detection.

You can stop managing passwords altogether by using authentication standards like OpenID, which lets users log in using credentials from a third-party account.

Individual users

Instead of recycling passwords,  use a password manager to generate unique passwords for each site. These applications automatically fill in the log in credentials for each online account.

Meanwhile, two-factor authentication adds a requirement to the log in process, such as entering a code texted to your phone, so hackers can't access your account even if they have the password.