Blocking compromised passwords from the Collection leak

It all started with Collection #1, a monster breach dubbed the biggest data dump in history with its 773 million unique email addresses and 22 million unique passwords. The exposed data was a compilation of previous thefts (Yahoo, LinkedIn, Dropbox), plus 140 million email addresses and 10 million passwords from previously unknown sources. Next came Collections #2-5, with three times as many unique records. The new Collection leak contains 2.2 billion unique usernames and passwords.

How does the Collection leak put your organization at risk?

Unlike previous breaches, where the data was sold on the dark web for thousands of dollars, the Collection credentials are available for free download on torrent sites. Since the leaked passwords are dehashed, i.e. already cracked back to plain text, even unskilled hackers can break into user accounts by manually trying a leaked username and password on any site. In a credential stuffing attack, preferred by more sophisticated hackers, a botnet automates the injection of credentials stolen from one source into other online services. These attacks are often successful when the same password is used across multiple sites and services.

Compromised passwords cause more than 75 percent of corporate cyberattacks. Remember the infamous Dropbox breach in 2012? Hackers used an employee password to infiltrate the corporate network. From there they gained access to a database containing user data, leading to the theft of 60 million user credentials. Not surprisingly, the employee password that had been exploited was reused on the employee’s LinkedIn account, which had suffered a breach earlier that year. This is the domino effect of password reuse.

99 problems and password reuse IS one

The problem with password reuse isn’t necessarily a lack of security awareness. In fact, 91 percent of users know there is a risk in reusing passwords, but 61 percent continue to do so, according to this survey. The sheer volume of passwords, combined with demanding complexity requirements, drives users to take shortcuts. Reuse is not the only bad habit users adopt to cope with password overload: weak passwords, shared passwords, and passwords stored insecurely make the gravity of the password problem hard to deny.

It has become abundantly clear that users will continue to make poor password choices. While security training educates users about the risks, most of them will still choose convenience over security. In the 2017 update to the Digital Identity Guidelines, NIST recommended shifting responsibility away from users and onto the verifier whenever possible. This means your authentication systems should have better built-in security – for example, a blacklist that blocks common and compromised passwords, and password rules that disallow common patterns such as consecutive characters and incremental passwords.

Blocking compromised passwords from the Collection leak

Specops Password Blacklist is a hosted service with a continuously updated list of previously leaked passwords, including 21 million passwords from Collection #1. Following a password change in Active Directory, the password is checked against the Blacklist. If the new password matches a previously leaked password, users will be prompted to change their password at next logon.

Specops Password Blacklist currently contains over a billion vulnerable passwords, making it a comprehensive blacklisting service for any organization that wants to eliminate weak passwords, or meet the latest compliance recommendations from NIST.

Passwords not found in Collection leak?

Just because a password didn’t end up in the current Collection leak doesn’t mean it won’t be included in a future edition. As long as users continue choosing common passwords, dictionary attacks will continue to work. NIST recommends screening new passwords against a list of not only compromised passwords but also common passwords. With the right tools in place, an organization can ban all of those passwords from use.

With Specops Password Policy, you can create a custom dictionary containing potential passwords relevant to your organization, including the company name, location, services, relevant acronyms, and even local sports teams. You can also use one of the downloadable dictionaries consisting of the most popular password lists, common keyboard patterns, and character substitution patterns.
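As an added illustration (not Specops code, and not the product's algorithm), the following Python routine combines the screening checks this page describes: a lookup against a hashed blacklist of leaked passwords, a custom organization dictionary with character-substitution normalization, and rules against consecutive-character and incremental passwords. The blacklist entries, the company "Acme" and its dictionary terms are constructed sample data.

```python
import hashlib
import re

# Constructed sample blacklist; like a real service, only hashes of leaked passwords are kept.
LEAKED = ["123456", "password", "qwerty", "Summer2018!", "letmein"]
BLACKLIST = {hashlib.sha1(p.encode()).hexdigest() for p in LEAKED}
# Constructed custom dictionary for a hypothetical company "Acme" in Springfield.
ORG_DICTIONARY = {"acme", "acmecorp", "springfield", "widgets", "isotopes"}
# Common character substitutions users apply to dictionary words (@cm3 -> acme).
SUBSTITUTIONS = str.maketrans("@$0!13", "asoiie")
KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def is_leaked(password):
    """Hash the candidate and look it up in the leaked-password blacklist."""
    return hashlib.sha1(password.encode()).hexdigest() in BLACKLIST

def matches_dictionary(password):
    """Strip leading/trailing digits, undo substitutions, then look for org terms."""
    normalized = re.sub(r"^\d+|\d+$", "", password.lower()).translate(SUBSTITUTIONS)
    return any(word in normalized for word in ORG_DICTIONARY)

def has_consecutive_run(password, length=4):
    """True if `length` adjacent characters form a keyboard row or an ascending sequence."""
    p = password.lower()
    for i in range(len(p) - length + 1):
        chunk = p[i:i + length]
        if any(chunk in run or chunk in run[::-1] for run in KEYBOARD_RUNS):
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1)):
            return True
    return False

def is_incremental(password, previous):
    """Catch Password1 -> Password2: same text, only the trailing number changed."""
    if previous is None:
        return False
    new, old = (re.fullmatch(r"(.*?)(\d+)", s) for s in (password, previous))
    return bool(new and old and new.group(1) == old.group(1))

def screen_password(password, previous=None):
    """Return the reasons a new password is rejected; an empty list means accepted."""
    checks = [("leaked", is_leaked(password)),
              ("org-dictionary", matches_dictionary(password)),
              ("consecutive-characters", has_consecutive_run(password)),
              ("incremental", is_incremental(password, previous))]
    return [name for name, failed in checks if failed]
```

In a deployment the rejection reasons would feed the prompt the user sees at next logon, and the blacklist would be the hosted, continuously updated list rather than an in-memory set.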


Identify other password vulnerabilities to prevent future attacks

It is important to identify all password-related vulnerabilities before hackers can exploit them. Besides compromised and weak passwords, vulnerabilities such as stale administrative accounts or users with expired passwords can pose serious security risks.

This free tool scans your Active Directory for weak password policies and displays interactive reports containing password-related information, such as policy usage, expirations, and relative strength. For each password policy, you can drill down and see how the settings compare to various industry standards, including NIST, PCI, and SANS. The tool also identifies other security vulnerabilities that may have slipped through the cracks, such as stale administrative accounts, or accounts that do not require passwords, as shown in the screenshot below.


Lessons learned

There is no “set it and forget it” when it comes to passwords, thanks to the constant emergence of new threats. The Collection leak should be a wake-up call for organizations to take a proactive approach to protecting themselves against future attacks. Here are the lessons to keep in mind:

  • Organizations must take on the burden of ensuring password security – Users will always take shortcuts when they can. Instead of leaving it up to users to create secure passwords and hoping for the best, enforce a truly strong password policy that prevents them from creating weak passwords in the first place. Using a password dictionary allows you to ease password complexity requirements while maintaining your desired level of password security. Furthermore, checking new passwords against a blacklist ensures your organization keeps out all of the compromised passwords.
  • Enable multi-factor authentication (MFA) – Passwords are susceptible to a host of problems, and weak passwords will be the root cause of many breaches to come. MFA requires users to present two or more authentication factors, such as a password combined with a security token, each time they log into an account or regain access to a locked account. This effectively secures accounts against unwanted access even when a password is compromised. MFA is recommended for all organizations and required for those that follow the Payment Card Industry Data Security Standard (PCI DSS).