When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.
Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.
The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.
And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases are posted online, it is often possible to crack the more unusual passwords, work backwards from them, and see where else each one was used.
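The pivot just described, as an added example that is not from the original post. It builds two constructed leaks inline (a real dump hands you hashes only), cracks the unsalted MD5 hashes of the first against a wordlist, and then re-hashes every recovered password under the second dump's SHA-1 scheme to find the same password on a different email address. Passwords that are too common to mean anything are discarded, because "password1" ties everybody to everybody. All email addresses, passwords, the wordlist and the common-password list are made up.

```python
import hashlib
from collections import Counter, defaultdict


def hexdigest(algo: str, text: str) -> str:
    return hashlib.new(algo, text.encode("utf-8")).hexdigest()


# Constructed sample leaks (not real data). Forum A stored unsalted MD5 and
# forum B unsalted SHA-1, the way many old forum databases did. The plaintexts
# are visible here only because the sample is built inline.
_A_PLAINTEXT = [
    ("fly_admin@example.net", "kLm-9reverse!"),   # rare, hand-made password
    ("bob@example.com", "password1"),
    ("alice@example.com", "password1"),
    ("carol@example.com", "123qweasd"),
    ("dave@example.org", "sunshine"),
]
_B_PLAINTEXT = [
    ("s.v.wedding@example.com", "kLm-9reverse!"),  # same rare password, new email
    ("erin@example.com", "password1"),
    ("frank@example.com", "password1"),
    ("grace@example.com", "123qweasd"),
    ("heidi@example.com", "letmein"),
]
DUMP_A = {email: hexdigest("md5", pw) for email, pw in _A_PLAINTEXT}
DUMP_B = {email: hexdigest("sha1", pw) for email, pw in _B_PLAINTEXT}

# Constructed wordlist standing in for whatever a cracking run recovered.
WORDLIST = ["123456", "password", "password1", "123qweasd", "qwerty",
            "sunshine", "letmein", "kLm-9reverse!"]

# Constructed top-N list: a match on one of these proves nothing.
COMMON = {"123456", "password", "password1", "123qweasd", "qwerty", "letmein"}


def crack(dump: dict, algo: str, wordlist: list) -> dict:
    """Unsalted hashes fall in one pass: hash each candidate once, then look
    every account's stored hash up in that table."""
    table = {hexdigest(algo, w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def pivot(dump_a, algo_a, dump_b, algo_b, wordlist, common=COMMON, max_users=1):
    """Map each rare password cracked in dump A to every account in dump B that
    uses it under a different email address.

    A password on the common list, or shared by more than `max_users` accounts
    in A, is skipped; only a rare string is close to a fingerprint.
    """
    cracked_a = crack(dump_a, algo_a, wordlist)
    freq = Counter(cracked_a.values())
    by_hash_b = defaultdict(list)
    for email, h in dump_b.items():
        by_hash_b[h].append(email)

    links = {}
    for email_a, pw in cracked_a.items():
        if pw in common or freq[pw] > max_users:
            continue
        # Re-hash under B's scheme; dump B never needs to be cracked at all.
        for email_b in by_hash_b.get(hexdigest(algo_b, pw), []):
            if email_b != email_a:
                links.setdefault(pw, set()).update({email_a, email_b})
    return links


if __name__ == "__main__":
    for pw, emails in pivot(DUMP_A, "md5", DUMP_B, "sha1", WORDLIST).items():
        print(f"{pw!r} ties together: {sorted(emails)}")
```

Salted or slow hashes (bcrypt, scrypt, Argon2) break the cheap table lookup in `crack`, but they do not break the pivot: once a password is known from any source, testing it against one specific account elsewhere costs a single hash computation.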
SWATTING THE FLY
Of all the stories I’ve written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our house and then spoof a call to the police from one of our neighbors saying we were dealing drugs.
Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America.
Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.
But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.
Mistake number two: the password for that email account was the same one he used for his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.
Soon enough, investigators were reading Fly’s email, including the messages forwarded from his fiancée’s account that had details about their upcoming nuptials, such as shipping addresses for wedding-related items and her full name. It didn’t take long to zero in on Fly’s location in Naples.
POOR PASSWORDS AS GOOD OPSEC?
While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.
Countless times over the years I’ve encountered huge tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were full of bad passwords, like password1 or 123qweasd (an incredibly common keyboard pattern password).
I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.
Regardless of their reasons or lack thereof for choosing poor passwords, it is fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations.
For example, the denizens of the cybercrime underground who pick crappy passwords for their forum accounts often end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online: a password shared with thousands of other users links a leaked account to nothing in particular, whereas a rare, hand-made one is close to a fingerprint.
SOME ADVICE FOR EVERYONE
It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the simplest way to achieve that goal.
Password managers are ideal for people who can’t break the habit of re-using passwords, because you only have to remember one (strong) master password to access all of your stored credentials.
If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.
In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities.
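As an added illustration (not from the original post) of why length and genuine randomness matter, the following Python draws Diceware-style passphrases and random character passwords from the OS CSPRNG and computes how much entropy each scheme carries, then converts that into worst-case cracking time at two guessing rates. The twelve-word list is a stand-in for the 7,776-word EFF list, and the guessing rates are illustrative assumptions, not measurements.

```python
import math
import secrets
import string

# Constructed mini list standing in for the 7,776-word EFF/Diceware list.
# The entropy figures below use the real list size, not this toy one.
SAMPLE_WORDS = ["acorn", "bishop", "cactus", "dolphin", "ember", "falcon",
                "garnet", "harbor", "iguana", "jigsaw", "kettle", "lantern"]
DICEWARE_LIST_SIZE = 7776  # 6**5 outcomes of five dice
KEYBOARD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols, no space

# Illustrative guessing rates (assumed, not measured): a GPU rig against an
# unsalted fast hash versus a properly tuned bcrypt hash.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e4


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly and independently
    from `alphabet_size` choices. Only holds for machine-random draws."""
    return length * math.log2(alphabet_size)


def passphrase(wordlist=SAMPLE_WORDS, words=6, sep="-") -> str:
    """Diceware-style passphrase. secrets.choice uses the OS CSPRNG, so each
    word is a uniform draw; words a person 'picks at random' are not, and a
    cracker's personal dictionary is built to exploit exactly that."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def random_password(length=20, alphabet=KEYBOARD_ALPHABET) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a space of 2**bits."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> list:
    """Entropy of a few schemes, rounded to one decimal, for side-by-side printing."""
    schemes = [
        ("8 random keyboard chars", len(KEYBOARD_ALPHABET), 8),
        ("6 Diceware words", DICEWARE_LIST_SIZE, 6),
        ("10 Diceware words", DICEWARE_LIST_SIZE, 10),
        ("20 random keyboard chars", len(KEYBOARD_ALPHABET), 20),
    ]
    return [(name, round(entropy_bits(size, n), 1)) for name, size, n in schemes]


if __name__ == "__main__":
    print("sample passphrase:", passphrase())
    print("sample password:  ", random_password())
    for name, bits in compare():
        print(f"{name:26s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, FAST_HASH_RATE):10.3g} yr @ fast hash  "
              f"{years_to_exhaust(bits, SLOW_HASH_RATE):10.3g} yr @ bcrypt")
```

The arithmetic is the whole argument: six Diceware words carry about 77 bits, ten words about 129 bits, roughly what 20 random keyboard characters give, and an 8-character random password only about 52 bits, which a fast unsalted hash lets an attacker exhaust in days. None of this applies to a phrase you composed yourself; the figures assume every word was drawn by the CSPRNG (or real dice).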
Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.
Further reading: Who’s Behind the GandCrab Ransomware?
I deserve to have my right to own a computer taken away. Why? Because my lifetime (good) habit was to keep a small address book with nothing written inside the pages except for my usernames and passwords. Like Brian suggested in this post, it never left home with me and was always stored in a secure location.
Fast-forward. For about the past 10 years I have kept all of my usernames and passwords stored in a text file named passwordsdottext, and I email this file back and forth to myself and forward it to my various electronic devices (laptop, phone, desktop PC, tablet.) I think that for this very bad habit, I should be hung at the stake or sent to visit a virtual firing squad.
I do (and have always done) something similar. But I don’t write the complete email account or password. I just put enough info on the page for me to remember the account and password. I also “salt” the information with a bit of nonsense.
But even with that said, I understand there is some vulnerability. But there is vulnerability with everything. I try to make the most useable method for me, as secure as it can be without becoming far less useable.
10 years, wow! I can’t believe that you have had internet access, or been able to keep internet access. TN sold my identity and eventually me, to a virtual, passive human trafficking association, which uses paranormal activity (entities, shadows, and smoke-and-mirrors to contain, or hide what NASA reserves to call, an environment). The Federal gov doesn’t want to admit they’re attempting to murder me, publicly, or they also let the alliance conduct espionage in this so called ENV, and this has enabled ETs, that love human trafficking, for obvious reasons, to create outposts here in TN, using parallel dimensions, they can stay in your home, and physically experiment with you, and bait weaker, less genius victims. Basically Shelbyville, TN, 37160, has allowed themselves to fall victim to an array of scams, which now has transpired from cyber terror (my ID theft problem and my human rights denial) to indefinite public terror, possibly the London bridge or an Olympus Has Fallen, London too, situation. I can’t access the internet, due to these smart bastards using “perfect timing” and good ol’ oppression, blackmail, hidden cams, auxiliary, and audio visual (to ensure asshole is cleaned every time, since they’re programming the public though, they prefer that it’s got TP and extra leftovers, for your self esteem perseverance). About 100000 times I’ve attempted to get help, police even say that there is no TCA code that they can classify cyber terror nor proof of ID theft, I won’t elaborate. Tired, missing my kids, and I have to deal with grownups who are scared of standing up for themselves.
They’ve constructed a domain, DMZ, and call it TENET, no problem finding child porn using google (that’s all that shows when I google: teen *), gov domains are blocked, my phones from here on out have explosives, parasites, and are part of mafia gambling habits which net more money than any million lives that could be saved, phone is a dummy phone, so power hungry bitches can run good people’s lives into the ground, and they pay with sexual favors, use my social media posts for communications, and these people are famous, some are “dead”. Tell people about Tennessee, the tngov pays citizens to: poison, rape, steal, blackmail, kill, as long as they’re oppressing me (they’re trying to kill me, but first they have to frame me for it to work (tonight they attempted to make this state out to be in an environment, kids always need love, and you can debo the kids out from their parents’ hands, just go into the home while they sleep, or we’ve already tied them up, waiting on you); but I know better, the gov is real, and they have chosen to ignore this problem. No rights, no communications, illuminati ran, mafia ran, and first objective is to feed identities to optriarch gov, take over, and oppress me. Thanks if you read this. Also they’ve been chasing kids down the street, making them take off walking, and then sleeping with taylor swifts.
wow, meth is a hell of a drug, try weed, or maybe just go clean. Leave tech all together and sit by a camp fire most nights. Good luck, hope you can become human again.
Hey is that you, Alex Jones? 🙂
I’d advise a change in medication, or dosage.
Hello. I think it’s worth mentioning that the second to last paragraph is incomplete.
In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add………
Thanks. Not sure how that got cut off, but it’s fixed now. The full sentence should read: “Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities.”
Or instead of text passwords, people can start logging into accounts with things such as a Yubi Key, like what is being done with Gmail (dot) com
Good advice. But the word “instead” is going to be confusing.
–
There are many many articles written about 2FA.
Yes, the prevailing advice is to use them everywhere that is available.
https://2fa.directory
Problem with giving that as blanket advice on an article about password reuse… is that passwords are still going to be a factor. They don’t really go away, even when 2FA is used.
Multi-factor Authentication (MFA), often still has “text passwords” as 1 of the factors. The “something you know”.
Adding a physical token like a Yubikey is much better security, the “something you have”. But passwords still need to be secured with the advice given in the article. Passwordless solutions do exist, some have MFA using biometric + token… but they are rare, and usually have a fallback to a knowledge factor, a password.
“Instead” isn’t a good word… rather it should be “in addition”.
I agree on the words “in addition”
Hi Brian. Great article, but wanted to point out that you missed something in the second last paragraph. “Their main limitation is that countless sites still force you to add ….”. If I was to finish this sentence I would have said “countless sites have field length limitations that essentially prohibit the use of a decent passphrase”. 🙂
Brian:
Thanks for this. I wonder what you think of using an MS Word file, encrypted with a password, as a safe place to store stuff. I’m sure it could be hacked, but not easily, and it provides a portable way to store passwords. I have to update passwords frequently, and this is a problem for a printed list.
Better than plain text, for sure. But Office document encryption has some flaws, as they aren’t really designed for good cryptographic strength.
A big problem with using Office documents is that many things can betray its security. It’s easy to accidentally save a backup of the unencrypted file in various locations, as Microsoft Word really wants to avoid the risk of losing data, so auto-saves, temp files, etc… can exist in various locations, even in Microsoft’s cloud. Not saying you can’t turn all that off, but it requires constant vigilance and it’s easy to slip.
If you want portability of passwords… Keepass is a great option. It allows multi-factor authentication to unlock the database, they make apps for every operating system, even for mobile, and they help you generate strong passwords. It can even store more than just username/password strings, like other files.
Many other offline password managers available too.
Actually, keeping your passwords on a slip of paper in your wallet isn’t really that bad of an idea, especially if you might need to access the account when you’re out of the house. Just make sure the web site address and your account name aren’t linked together on that same piece of paper. Memorize the easy stuff, write down the hard stuff.
This is actually good advice.
It’s been a part of national security for decades. Print out a numbered list of unique and random passwords, no other references, just the passwords. Use the smallest print you can see, maybe multiple columns in a grid. You memorize the “position” of your real password on that grid/list.
As long as whatever it is you are wanting to log into, has some kind of limit on unsuccessful login attempts… it is pretty secure. A brute force attempt is risky for someone trying a single real password from among a list/grid of 10-20.
Not really scalable beyond a couple of very important passwords that you absolutely must carry around. But you’ve probably heard about these code cards used in some applications.
Back when banks didn’t trust us to remember PINs, my bank had a really cunning idea (maybe they stole it from somewhere else, I don’t know). They mailed everyone a credit card sized cardboard card that had a 5×5 printed grid with the letters A – Z (leaving out ‘X’) printed in one corner of each cell. You were invited to think of a 4-letter word (obviously with all letters different) and write in your PIN against the letters of that word, then randomly fill in the rest of the cells with digits 0 – 9.
You could keep it in your wallet (relatively) happy that your PIN wasn’t going to be exposed.
There is just such an item, which is available at:
https://dvana.com/security/codebooks
It does exactly what you are talking about, but on a much larger scale. Designed for use in the office or home.
Meh… sounds like someone is trying to make money off a free idea.
Diceware does the same without charging you money.
Agreed. There was a time a couple years ago when I moved that I was getting asked to create accounts “offline” (i.e., having to use someone else’s computer to create a new account, like at a library or co-op). Rather than having to make up something random-ish on the spot and either memorize it or write it down, I instead created a [scramble sheet](https://impossiblystupid.com/node/1011/?content=here-are-all-my-passwords) to print and carry around in my wallet. Getting access to it might make a dictionary attack easier, but I don’t lose control of my wallet often enough to be overly concerned about that.
All this and no link to “xkcd – passwords” ? Forsooth! This shall be corrected henceforth!
hXXps://xkcd.com/936/
Welcome to the Apportionment Wars aka Cancel Culture Wars. When I voted in the local Texas Election on Sunday I produced my TX Driver License and Voter Registration Card. The registrar declined to even look at the latter. She validated my entry with my 1) “name + issuer TX” (as “user name”) and 2) the fact the polling place located in a particular County (as “password”). This was a good guess because it was the same County name pre-printed on my Voter Registration Card ! It’s magic ! Long story short this is two-factor authentication in name only.
I’ve used Lastpass for years with Authy as the second factor. My master password is a line from an obscure poem my Dad used to recite to us kids (it wasn’t a children’s poem, BTW). If I want to change the master password I just choose another line from the same poem. Probably wouldn’t protect against NSA or KGB but OTOH far as I know neither organization is all that interested in poor little me.
Lastpass is good and all… but as a cloud managed password vault, keep in mind that they control the 2nd factor. They can be socially engineered to remove 2FA. They have a “recovery method” for losing your 2FA device… and this is the thing that can and will be exploited. Your recovery email, if compromised, also compromises your 2FA with lastpass.
The master password, they don’t control, so that’s good at least.
I like keepass, because the second factor is completely under my control. I am responsible for backing up, and locking up any recovery method.
I still recommend Lastpass to family who are not even a bit tech savvy and could not handle a local password manager.
BitWarden is superior to LastPass in that regard. There *is* no recovery method. If you lose your master password, your only recourse is to sign up a new account.
I believe they make it possible for someone to wipe your database, but in such a case, “they” would have to have access to your email account. If you are using your google account to do your sign-in (either via the “Sign in with Google” mechanism or via Chrome’s password generator), if “they” manage to co-opt your email, all of your data belongs to them, anyway. So at that point, you’re probably hosed, regardless. But even so, the WORST they could do with BitWarden is reset your vault.
The biggest problem I have with Keepass is that they have no mechanism for synchronizing across devices. For some, that could be an advantage, but for my usage patterns, it’s a significant distraction. Yes, there are options for that, and some of those options are very inexpensive (using native AWS S3 storage, for example, would cost pennies per month for a keepass database), but the cheapest options are the ones that would require the most time to implement. I really like that their desktop apps support autotype functionality, and it (mostly) works very seamlessly, but the android app (I have no experience with the iOS app) makes password entry extremely cumbersome.
I switched to BitWarden when LastPass nerfed their free account, and my only regret is that I didn’t switch sooner.
Lastpass also has no recovery of the master password.
My issue is that 2FA options are recoverable for Lastpass, and exploitable if socially engineered. Looks like Bitwarden has a recovery code given when you enable 2FA, and if you lose that, you’re out of luck. Good.
I happen to like the fact that KeePass does not try to do file synchronization. It’s not its job. The database file can be in Google Drive, Dropbox, Box, OneDrive, etc… all free options with no user complexity at all.
I prefer it when a password manager leaves synchronization and automation up to me. It’s the “features” beyond password management that often winds up being the vulnerability. The feature creep leads to a wide attack surface.
Lastpass is a good example. They weren’t breached directly…. but vulnerabilities were introduced because of their browser plugins. A “convenience” feature.
Is the passphrase thing still secure, or is that a balance between security and user willingness to comply? I know schneier posted an article on dictionary attacks to try to debunk the xkcd thing awhile back. Arstechnica had an in-depth article on it as well: hxxps://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
It is still secure. But the xkcd approach MUST use randomly chosen words.
–
Schneier didn’t debunk it, he misunderstood it. He mentioned that password crackers are taking into account this approach, and tuning their algorithms to match. But that doesn’t really matter if it’s random.
–
His ONLY mention of XKCD:
“This is why the oft-cited XKCD scheme for generating passwords — string together individual words like “correcthorsebatterystaple” — is no longer good advice. The password crackers are on to this trick.
The attacker will feed any personal information he has access to about the password creator into the password crackers. A good password cracker will test names and addresses from the address book, meaningful dates, and any other personal information it has.
–
But he completely ignored the actual XKCD comic… which says: “four RANDOM common words”.
If the words chosen have special meaning to you… then yes, it’s vulnerable to guessing based on creating a personal dictionary.
–
The randomness is absolutely key. Pick words at random, and the attacker needs to include the entire dictionary in the set.
Allegra ; ‘Passphrases’ are mentioned in the article and a proven secure method using those is Diceware (i.e. eff dot org/dice ; using “Eff’s Long Wordlist”). it’s suggested to use a six word minimum and don’t manually select it but use actual dice to do it. basically with five dice, each roll of those dice will give you one word from the text file on that site.
if I use a passphrase like that I typically pair it with a bit of padding and I never use ‘spacebar’ in my passwords.
but if I calculated it correctly… a 10-word Diceware passphrase is similar in security as a 20-character randomly generated password using all of the characters on a standard keyboard short of the spacebar. basically 129.2 bits of entropy (10-word Diceware) vs 131.1 bits of entropy (20-character randomly generated password). for measure, based on the minimum suggested length of six words on from that Diceware list, that’s 77.5 bits of entropy.
in short… Diceware is definitely secure as long as your word length is sufficient and you’re randomly selecting the words, not manually choosing what you want to use.
so while Diceware is proven secure, I figure a decent (and probably easier to remember) alternative, which is probably not as secure, but secure enough, is to use a decent password paired with some padding. for example… “MyDecentPassword” would become something like “,,,,,,,,,,My!DecentPassword<<<<<<<<<<”. so even the lazy types who like to take the easy way out and who are using so-so passwords could wrap them in some sort of padding scheme, which should give a decent increase in security for minimal effort and should not be too hard to remember.
p.s. one can generate long passwords of any length using dice (i.e. each roll of three dice gives one character on a keyboard basically. so to get a 20-character password you would have to roll those three dice a minimum of twenty times), but it's more time consuming so I won't explain that for now.
Since I am still here I figured I might as well reply to my own post and explain how to generate long complex passwords using Dice (it’s quickest if you use three dice and roll those three dice all at once even though technically a single die will work but will take about three times the rolls to finish generating your password) as this is mainly useful for the more paranoid types who don’t trust a password managers generation of passwords being random enough.
basically you go to this site… theworld dot com/~reinhold/dicewarefaq.html ; and under the “How do I use dice to create random character strings?” section it shows you how to generate passwords of any length using real dice.
while a person could use a single die to generate passwords it will be much faster if you roll three dice at once. so to make things as fast as possible you need to roll three dice at once and reading from left to right (or right to left) as they fall on the floor/table in front of you will give you a three digit number which is converted to a character on a standard keyboard using that chart on the website I linked to.
so for example… if you roll “552” that would be the character “-“. it’s possible to roll a ‘blank’ (or even the ‘sp’ which represents the ‘spacebar’) at which point you simply roll the three dice again. so if you want to generate a 20-character password you basically have to roll three dice at once a minimum of twenty times. I say minimum because it’s possible to roll a ‘blank’ at which point you got to roll again.
here is a 20-character password example I rolled using real dice… XN\&~a?)Ti:fN*(z_86M
on a bit of a side note… I figure it’s probably a good idea to have at least one lower case letter, upper case letter, a number, a symbol in your password. but I noticed this usually seems to happen if your password length is long enough, like say 20-characters (or so) or longer. but since things are random, it’s possible that won’t always be the case. either way, if your password is long enough it’s probably not going to matter too much even though I would generally try to make sure you got at least one lower case letter, upper case letter, a number, a symbol in your password as if someone is trying to crack it using brute force, it will basically force them to scan through all possible combinations which makes it harder for them to crack your password using all possible keys on a keyboard and not just try using lower case letters or numbers which is less possible combinations etc.
Unique passwords are so important but often not used which is a real shame given the amount of credential stuffing attacks.
That’s why we released our open source tool SmartPass to help generate random passwords to hopefully help out with the process.
Nice write-up once again Brian.
Just use a password manager! Every article about passwords includes a long comment section where people tout their own personal scheme for storing or memorizing passwords that is always more difficult to do, less secure, and prone to foolish mistakes. Anything that requires you to type in a password means you are better off using a password manager because of the chance of making mistakes while typing. I have locked myself out of accounts before due to making stupid typing errors while attempting to type in long, random passwords with symbols, numbers, etc. Anything stored locally is vulnerable to loss, fire, water damage, etc., which in my case would be much more likely than theft. Anything carried around with me is equally vulnerable, which is one reason I don’t like security keys. I think of all the times I have left my house keys or car keys someplace. Just don’t do it. Password manager is the only reliable and safe way to do this, IMHO.
Can we talk about websites and services that we do not care if the password is stolen? I doubt that “El Barto” will mind if someone guesses the password to his El Pollo Loco loyalty card so he can get free nachos on his “birthday”. (And how dare you, El Pollo Loco, tell me my password is weak! Your nacho cheese sauce is weak!) Or… can we talk about silly websites that even require a password in the first place? (…I am here, this one time, to download this white paper and will never, ever be back again. My password is weak? Too bad! Be gone with your bureaucracy!)
With password managers, you also need to consider where those passwords are stored. Is it local user application storage, or some kind of hosting-site cloud-based storage? With local storage you have to manage the passwords on each physical device versus shared access of password data to many devices, but you’re not putting your password data out there in the wild waiting for the data to be hacked or leaked.
Yeah, I think it is still secure.