In the coming week, Digital Shadows (now ReliaQuest) will release a research report highlighting the significant risk facing organizations and individuals from the use of weak credentials, which are continuing to provide significant opportunities for threat actors in conducting account takeover (ATO). Of course, this is something we documented in 2020, and two years down the line unfortunately the situation largely remains the same. Raising security awareness of this topic can certainly help—and there are options on hand to assist with managing credentials in a safe manner—but the ATO threat will remain endemic until the problems inherent to passwords are resolved.

24 Billion credentials breached since 2016:

In our research report, Digital Shadows (now ReliaQuest) reported on the collation of approximately 24 billion credentials, which represented a 65 percent increase from our previous report in 2020. Within this data set, approximately 6.7 billion credentials had a unique username-and-password pairing, indicating that the credential combination was not duplicated across other databases. This was 1.7 billion more than found in 2020, highlighting the rate of compromise across completely new credential combinations.

Breached credentials collated by Digital Shadows (now ReliaQuest) by year

The first, obvious comment to make is that a significant number of credentials are being breached each day. How big a problem is this? Well, Verizon's recent Data Breach Investigations Report (DBIR) identified that stolen credentials accounted for approximately 50 percent of the 20,000 incidents it analyzed. This represented a 30% increase from the previous DBIR that ran in 2017. So almost half of all incidents result, in some form or fashion, from the use of stolen credentials.

Figure 1: Initial access vectors (Source: Verizon DBIR)

With companies continuing to rely upon the use of credentials to access online services, this is almost certainly going to continue in the short term, or until businesses shift over to some of the passwordless authentication options that have been floated by the likes of Microsoft. Gartner research predicts more than 20% of customer authentication transactions and 50% of the workforce will be passwordless by 2025. So while there might be light at the end of the tunnel, in the short term passwords will continue to represent the main method for authentication.

How easy is it to crack a password?

In short, extremely easy. Password cracking typically comes in one of two flavors: online attacks, conducted against a live service, and offline attacks, conducted when the attacker already has a copy of the stored hashes and can crack them on their own system. Offline attacks are much simpler for an attacker, as they can be run without fear of sounding a network defender's alarms or triggering account lockout processes. Common, off-the-shelf password crackers implement several techniques that can crack the majority of password hash formats in use today, including Microsoft's LM hash algorithm, MD4, MD5, the SHA hash family, and the Unix crypt format.

To illustrate the ease of cracking a password, we used the zxcvbn password strength estimator. We ran this tool against the 50 most common passwords identified in our dataset of 6.7 billion unique credentials, which were, as you would imagine, an absolute catastrophe. If you're still using passwords like 123456 (the most common), qwerty, or DEFAULT, for the love of God, please stop!

zxcvbn indicated that most weak passwords can be cracked in under a second using offline cracking techniques, whilst online techniques were significantly slower. Introducing one or two special characters into a password made a massive difference to the time it takes to crack, as can be seen with the mock password highlighted below. Of course, we should be clear: using such characters is not a foolproof way of protecting a password, and the longer and more complex, the better.

| Password | Number of brute-force attempts | Offline fast hash | Offline slow hash | Online no throttling | Online throttling |
| --- | --- | --- | --- | --- | --- |
| London1984 | 36,800 | 0:00:00 | 0:00:03 | 1:01:20 | 15 days, 8:00:00 |
| London_1984 | 53,610,000 | 0:00:00 | 1:29:21 | 62 days, 1:10:00 | 22,337 days, 12:00:00 |
| @London_1984 | 1,868,800,000 | 0:00:00 | 2 days, 3:54:40 | 2,162 days, 23:06:40 | 778,666 days, 16:00:00 |

Table 3: Comparison of time and attempts needed for successful cracking
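As an added example (not code from the report or from zxcvbn itself), the script below rebuilds the four time columns of Table 3 from its guess counts, using the attacker-model rates zxcvbn assumes for its estimates: 1e10 guesses/s for an offline fast hash, 1e4/s for an offline slow hash, 10/s online without throttling, and 100 per hour online with throttling. Those four rates are the only assumption; the guess counts themselves come from zxcvbn's pattern matching and are taken from the table.

```python
from datetime import timedelta
from fractions import Fraction

# Attacker models and guess rates (guesses per second) that zxcvbn uses for its
# crack-time estimates; they correspond to the four time columns of Table 3.
# Fractions keep the arithmetic exact so the whole-second floor is not thrown
# off by floating-point error on the very large online-throttling values.
GUESS_RATES = {
    "offline_fast_hash": Fraction(10**10),     # unsalted fast hashes on GPUs
    "offline_slow_hash": Fraction(10**4),      # iterated or memory-hard hashes
    "online_no_throttling": Fraction(10),      # live service, no rate limit or lockout
    "online_throttling": Fraction(100, 3600),  # live service capped at 100 attempts/hour
}

# Guess counts ("number of brute-force attempts") reported in Table 3.
TABLE_3_GUESSES = {
    "London1984": 36_800,
    "London_1984": 53_610_000,
    "@London_1984": 1_868_800_000,
}


def crack_time(guesses: int, rate: Fraction) -> str:
    """Crack time floored to whole seconds, rendered like Table 3 ('15 days, 8:00:00')."""
    return str(timedelta(seconds=int(Fraction(guesses) / rate)))


def crack_times(guesses: int) -> dict:
    """All four attacker-model estimates for one password's guess count."""
    return {model: crack_time(guesses, rate) for model, rate in GUESS_RATES.items()}


def rebuild_table_3() -> dict:
    """Map each mock password from Table 3 to its four crack-time estimates."""
    return {pw: crack_times(guesses) for pw, guesses in TABLE_3_GUESSES.items()}


if __name__ == "__main__":
    for pw, times in rebuild_table_3().items():
        print(pw, TABLE_3_GUESSES[pw], *times.values(), sep=" | ")
```

The output matches Table 3 except that Python's timedelta prints day counts without thousands separators.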

Credential stuffing: ATO at scale

Another vital stage in the ATO process is credential stuffing, which allows threat actors to test whether stolen and/or cracked accounts work at scale. Attackers can obtain accounts through a number of methods, but most come through social engineering attempts like phishing, information-stealing malware, or simply purchasing them from third parties. Once the attacker has a set of accounts, usually hundreds or thousands of distinct ones, they can run them through a dedicated credential stuffing tool to see whether the same username and password combination is in use at other services.

A good way to think of credential stuffing is obtaining a bag full of keys and trying to unlock a series of doors. These doors represent the sites and services you use every day; they might open up your social-media accounts, your employer's external portal login, and, probably most worrying, your bank account. Credential stuffing occurs because users inherently find it easier to simply reuse a password that they can remember across all their accounts. The classic case of simplicity > security, but that comes at a price. The risk this poses was demonstrated during a recent incident affecting General Motors, which disclosed a credential stuffing attack on 23 May 2022. The attack resulted in an exposure of customers' data, allowing actors to redeem stolen customer reward points for gift cards. This reportedly resulted from credentials breached from accounts outside of GM being reused on the motoring provider's platform.

What should you be doing?

Our recent blog highlighted that while the future of passwords may be coming to an end, it will likely take a number of years before passwordless authentication options become mainstream across business. With that in mind, what are the best methods to keep yourself safe from ATO? We’ve summarised some of the main points from our upcoming research paper below. 

  • Make sure to use unique, complex, and long passwords across all of your accounts. There are several schools of thought on passwords, but ideally they should be at least 12-15 characters long and include numbers, capital letters, and special characters.
  • Accountability for these passwords can be provided through a password manager, which offers a safe, single place to store credentials and can even provide recommendations and alerts if your credentials are detected in third-party breaches.
  • Use multifactor authentication on your accounts wherever possible. The best option for MFA is the use of an authenticator application, which typically generates a new, random six-digit code every 30 seconds, which a user must enter on the website they’re trying to access.
  • Ensure that online web portals and services use a rate-limiting solution; this control ensures that if a suspicious number of login requests comes from a certain IP address or range, the IP will be blocked or otherwise slowed down. This can dramatically reduce the likelihood of a successful online password cracking attempt.
  • Refrain from using your corporate email to sign up to personal services, and under no circumstances use the same password across multiple accounts. This is ultimately why and how credential stuffing attacks work; don't get caught out!
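As an added defender-side example (not code from the report), the limiter below applies the rate-limiting advice above to the credential stuffing pattern described earlier: it keeps a sliding window of failed logins per source IP, throttles a source that hammers one account, and blocks a source that tries many different usernames, the "bag of keys" signature. The window size, the two thresholds, and the sample failed-login events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login events (ISO timestamp, source IP, username) used only
# to exercise the limiter; these are not real log data.
SAMPLE_FAILURES = [
    ("2022-06-10T09:00:00", "198.51.100.7", "alice"),  # one IP trying many
    ("2022-06-10T09:00:01", "198.51.100.7", "bob"),    # usernames: the stuffing
    ("2022-06-10T09:00:02", "198.51.100.7", "carol"),  # signature (one bag of
    ("2022-06-10T09:00:03", "198.51.100.7", "dave"),   # keys, many doors)
    ("2022-06-10T09:05:00", "203.0.113.5", "alice"),   # one IP, one username,
    ("2022-06-10T09:05:10", "203.0.113.5", "alice"),   # repeatedly: online
    ("2022-06-10T09:05:20", "203.0.113.5", "alice"),   # password guessing
    ("2022-06-10T09:05:30", "203.0.113.5", "alice"),
    ("2022-06-10T09:05:40", "203.0.113.5", "alice"),
    ("2022-06-10T08:30:00", "192.0.2.20", "erin"),     # two typos 40 minutes
    ("2022-06-10T09:10:00", "192.0.2.20", "erin"),     # apart: a normal user
]

WINDOW = timedelta(minutes=10)  # sliding window per source IP (assumed)
MAX_FAILURES = 5                # failures in the window before throttling (assumed)
MAX_DISTINCT_USERS = 3          # distinct usernames in the window before blocking (assumed)


class LoginRateLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> deque of (timestamp, username)

    def record_failure(self, ts, ip, username):
        window = self.failures[ip]
        window.append((ts, username))
        # Drop attempts older than WINDOW so stale noise does not count
        while window and ts - window[0][0] > WINDOW:
            window.popleft()

    def verdict(self, ip):
        window = self.failures[ip]
        if len({user for _, user in window}) >= MAX_DISTINCT_USERS:
            return "block"     # many accounts from one source: stuffing pattern
        if len(window) >= MAX_FAILURES:
            return "throttle"  # one account hammered: slow the source down
        return "allow"


def evaluate(events):
    """Replay failures in timestamp order and return the final verdict per IP."""
    limiter = LoginRateLimiter()
    for ts_str, ip, username in sorted(events):
        limiter.record_failure(datetime.fromisoformat(ts_str), ip, username)
    return {ip: limiter.verdict(ip) for ip in limiter.failures}
```

A production limiter would key on IP ranges and user-agents as well and persist the windows in a shared store, but the two signals shown, volume per source and distinct accounts per source, are the ones that separate stuffing from a forgetful user.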

The Photon Research team’s report Account takeover in 2022: The 24-billion password problem details the ATO lifecycle at depth, including how actors are identifying, acquiring, and exploiting stolen accounts to great effect. Be sure to check out this fantastic report following its publication on 15 June 2022.