Russian Gang Amasses Over a Billion Internet Passwords

danilko1
danilko1
Community Member
edited August 2014 in Lounge

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?partner=rss&emc=rss

It seems we are not done with this. Major account holders are vulnerable, heartbleed or not.

I would like to see the ability of mass account password change management. If I am missing something, I would like to know about it.

This also includes the ability to fully changeout keys on our keychain and re-encrypt.

How can we protect ourselves. As an industry player, how will we know if 1Password has been compromised, now and in the future, not to single anyone out, that would imply other password lockers. (I only use 1Password)

I added an RSS link to the NYT article, instead of my personal link.

Comments

  • three-cushion
    three-cushion
    Community Member
    edited August 2014

    Hello: this is getting serious. I use 1PW to encrypt my unique PWDs. BUT, that is useless IF one of my Web sites exposes my un-encrypted PWDs and then loses them.
    So, how does 1PW be of any uses at all? No one is looking to break into my personal system! And is That is the only scenario where 1PW is valuable?
    I should just cancel 1PW.... Set up PWDs as I do now, keep a paper record at home (in my safe) and save time effort and $$?

    Cynically yours
    Jim b

  • three-cushion
    three-cushion
    Community Member

    One further point.... Updating ALL of my 90 odd logins with new PWDs is a VERY tedious task! Since Each Web site varies so much, a semi-standard automated approach seems impossible.
    Can Agile folks research a better update mechanism to use a mass approach to updating all my PWDs as these hacks get more prevalent.?
    Thanks. Jim b

  • Stephen_C
    Stephen_C
    Community Member

    The key point about 1P is that you can use unique, complex passwords for each site you visit. You have no need to try to remember or duplicate passwords. Thus if one site is hacked your access details to other sites you use are not affected (as they would be were you to duplicate username/password combinations).

    If you follow that principle there should be no need to update all your logins with new passwords if one site is compromised...because your other logins will have unique combinations (username/password) of access credentials.

    Stephen

  • Megan
    Megan
    1Password Alumni
    edited August 2014

    Hi @three-cushion‌

    @Stephen_C said it pretty well already, but I just wanted to draw your attention to our latest blog post on the subject:

    Heads up: Your best defense against the Russian hacker data breach is still strong, unique passwords

    Of course we're here if you do have any further questions!

  • three-cushion
    three-cushion
    Community Member
    edited August 2014

    But here is my dilemma as stated earlier. Granted maybe Only one site was compromised....which one? Yes, EVERY one of my PWDs is unique. But so far, no one knows which sites were hacked, do they?.. In the Target case, a list of compromised data was available for searching. But in this case I presume that May or May not happen.

    Therefore for assurances, change them all is recommended!!

    For my 90 sites it would require several hours of login, change, update, over & over & over..What tedium!
    "Maybe" Hold Security is able to design an App to let one discover if they are in the mix or not. What if they can't?

    I appreciate your feedback.... But uniqueness of PWDs is a very very small part of the issue.

    I believe Mass PWD changes is the answer to mass hacking of 1.2 billion sites....
    I'm afraid that is beyond the current technology's reach.

    Jim b

  • three-cushion
    three-cushion
    Community Member

    Thanks for the Agile Bits note. Still & all, even Watchtower has tagged several of my login sites to change the PWD. Still not done with all of them. Guess they are left over from Heartbleed.
    No matter what you tell me it IS a hassle each time.
    I do it manually...access the site, then set up the new PW in 1PW and Copy to the Clipboard BEFORE I commit the new PWD to the target site. Then, check the new one using 1PW before closing the login page. I have 'lost' too many current PWDs trying to do this...especially with my iPad. That is even riskier since the iPad is not a computer. Better to Always use my iMac to do this.

    Thanks again for your advice.
    Jim b

  • khad
    khad
    1Password Alumni

    It sounds like some of the facts are being called into question, but regardless of whether the data is newly or previously obtained the advice remains the same: your best defense continues to be strong, unique passwords. 1Password securely generates, stores, and fills them for you, so you can spend your time on more interesting things. :)

    I would like to see the ability of mass account password change management. If I am missing something, I would like to know about it.

    With trillions of sites on the Internet with all different password change forms, it is not a trivial task to fully automate password changes. Thank for letting us know you are interested in this, though. For now, 1Password makes it easier to change passwords than it is to do it on your own.

    This also includes the ability to fully changeout keys on our keychain and re-encrypt.

    I'm not sure what this has to do with the recent news, but please see the thread on changing Master Passwords for more information on that. :)

    How can we protect ourselves. As an industry player, how will we know if 1Password has been compromised, now and in the future, not to single anyone out, that would imply other password lockers. (I only use 1Password)

    We don't have your data, so there is nothing that an attacker could get from us.

    Please be sure to read through those links (especially the first one which pertains to this specific Russian hacker news). If we can be of further assistance, please let us know. We are always here to help!

  • pomme4moi
    pomme4moi
    Community Member

    Like Jim, I also have around 100 website registrations, each with a long and unique password stored in 1P. In situations like this one with the Russian hackers, I will change passwords on a few key sites (e.g., financial institutions, email) for peace of mind. I probably won't change emails on other sites - too much work.

    One other thought: Set up alternate identities and use them on less important sites. If someone hacks your account, at least they won't know who you really are.

    My two cents ...

  • three-cushion
    three-cushion
    Community Member

    pomme4me....thanks for your input.

    For critical sites i always use TOR as my browser. These include financial, healthcare and sites that have my credit card # stored. But that also is not good enough. That is just to derail a nosy hacker trying to penetrate my system. .

    No, my concern is the wholesale hacking of millions of records being stolen from commercial sites that sorely need better security to safeguard my data. If the site(s) I use are careless , my non-encrypted PWD is gone. Yes, using unique PWDs helps...but even ONE site where I am vulnerable is too much for me. And this hacking is over hundreds of sites...each one your un-encrypted PWD is compromised. Again, I stress how many sites should you update?

    We are told ...change them all.

    Thus, my problem remains...bulk updating is not feasible now. OR, is it?
    Cheers Jim b

  • sjk
    sjk
    1Password Alumni

    Hi Jim, aka three-cushion. :)

    I've merged your topic with a related discussion. You've asked:

    Thus, my problem remains...bulk updating is not feasible now. OR, is it?

    Originally responding to @danilko1, @khad‌ answers that in post #8 (which is worth reading entirely):

    With trillions of sites on the Internet with all different password change forms, it is not a trivial task to fully automate password changes. Thank for letting us know you are interested in this, though. For now, 1Password makes it easier to change passwords than it is to do it on your own.

    You've expressed concern about this:

    No, my concern is the wholesale hacking of millions of records being stolen from commercial sites that sorely need better security to safeguard my data. If the site(s) I use are careless , my non-encrypted PWD is gone.

    This is unfortunate, yes, but most of us essentially have no control over what these sites do regarding their security nor what happens with personal data that has already been obtained once security has been breached.

    One responsible thing we can all be doing to help limit potential damage from these incidents is what has been previously stated:

    Using strong, unique passwords is at least preventing the same "key" being used to unlock different/multiple "doors".

    You've wondered:

    Again, I stress how many sites should you update?

    We are told ...change them all.

    I think it's more a question of which than how many, at least if you have already been using strong, unique passwords. In some past cases I've been able to determine specific sites where I have "personal" information have been compromised. Even if that includes my password it's not going to be reusable to gain access to other places where I also have information. Plus I know changing my password isn't going to "re-protect" any information that's already been taken. However, depending on the type of information and if I'll be changing any of it is going to be a factor in determining whether I'll change passwords. Similar to what @pomme4moi mentioned:

    I will change passwords on a few key sites (e.g., financial institutions, email) for peace of mind. I probably won't change emails on other sites - too much work.

    Plus this:

    One other thought: Set up alternate identities and use them on less important sites. If someone hacks your account, at least they won't know who you really are.

    I do that to some extent, while knowing if someone really wants to "connect the dots" between my online "alter egos" I'm sure they can do it. :)

    If you have other questions or concerns please let us know. Thanks!

  • Jim Peterman
    Jim Peterman
    Community Member

    Wouldn't multi-factor authentication with YubiKey solve these problems? See here: https://lastpass.com/go-premium/. With a unique second authentication for each login instance, stolen passwords will be useless. This is available on LastPass, but is it available on 1Password?

    Thanks

  • danilko1
    danilko1
    Community Member

    Yes I panicked. The NYT article has some holes.

    I am trying to help. The Heartbleed check was brilliant. Frankly I feel this needs to be done multiple times over months to catch stragglers.

    I think for the bulk of users, maybe I am unique, 100 passwords is a little shallow. Try like 500 or more. Maybe a way to mark high value passwords that we would should change first. I agree, unique passwords are not the problem and yes you don't need to change them all. But what about the master container? What if they get that. It's not just on your computer.

    The problem with 1Password, is not agile bits servers. It's any cloud service. Syncing is a very valuable feature. It actually makes the product more effective. However with bits going up and down, and the NSA listening, and you know if they are listening, there are others - where I am going may be impossible, but it's a target for your, a wish list item - is there a way to determine if someone is listening, a man in the middle, or if someone has copied our data in the cloud. Is there a way for an encrypted packet to notify "home" it's not where it should be?

    Maybe it's impossible and a loosing battle, one way or another, from AI to big government to rogue crime syndicates. The article at NYT is a reminder that we must be vigil and agile :-) to maintain our own security.

    So I think at the simplest task is developing a priority list, weather it's automated you help the user decide, or you let the user build their own "bug out" list. Then maybe for some of these high value sites, plug-ins to automate password change, or a builder to allow the end user to develop and even share a plugin for these sites.

    I don't know I am just brainstorming.

  • RichardPayne
    RichardPayne
    Community Member

    Wouldn't multi-factor authentication with YubiKey solve these problems? See here: https://lastpass.com/go-premium/. With a unique second authentication for each login instance, stolen passwords will be useless. This is available on LastPass, but is it available on 1Password?

    No, but then 1Password does do authentication so it's a little pointless. The only potential threat it might help with is keyloggers, but using the secure desktop unlock solves that too.

    The problem with 1Password, is not agile bits servers. It's any cloud service. Syncing is a very valuable feature. It actually makes the product more effective. However with bits going up and down, and the NSA listening, and you know if they are listening, there are others - where I am going may be impossible, but it's a target for your, a wish list item - is there a way to determine if someone is listening, a man in the middle, or if someone has copied our data in the cloud. Is there a way for an encrypted packet to notify "home" it's not where it should be?

    Your master password is not stored in the vault, so even if someone did break into your cloud service and steal you vault, they'd still need to brute force the master password. If you've been a good boy and used a randomly generated password of a good strength then this will be impractical.

    As for a "call home" packet, no, that's no possible. A vault is just data. There is no software in there, and even if there were, what would run it? An attacker is not going to run the 1Password app to break in. They'll just attack the encryption directly.

  • [Deleted User]
    [Deleted User]
    Community Member
    edited August 2014

    Wouldn't multi-factor authentication with YubiKey solve these problems? See here: https://lastpass.com/go-premium/. With a unique second authentication for each login instance, stolen passwords will be useless. This is available on LastPass, but is it available on 1Password?

    I think it's a good idea to use two factor authentication (2FA) which each individual account that supports it. For example Gmail, Outlook, Facebook, Dropbox and Amazon all works with Google Authenticator or similar.

    However, it seems rather pointless to use 2FA if you are using the authenticator app on the same device as your 1Password app. I have read some request on this forum about a built-in authenticator in 1Password, so people only have to use 1 security app (1Password) instead of 2 (1Password + Google Authenticator).

    Basically, you can lose passwords in 2 different ways, if you are using 1Password

    1. A website gets hacked. The attacker steals the site's database with passwords. Since you're using strong, unique passwords on every site, the rest of your logins are not in danger. And even your login on the hacked website should probably be secure, given that sites that know they lost their password database tend to reset all passwords. Of course, it might take some time before the attack is known to them. In this case, 2FA can help. But, if the site lost their password database, do your really trust them of having a secure 2FA system in place? See for example how Paypal's system got bypassed by some random person on the internet: http://arstechnica.com/security/2014/08/paypal-2fa-is-easily-bypassed-teenage-white-hat-hacker-says/

    2. Someone gets access to your 1Password vault. Probably because you lost your phone. If you have chosen the wrong unlock settings, they might have access to your actual data, not just an encrypted copy. In this case, 2FA can help. But since they already got your phone, it doesn't help you. They have the 1Password vault and they have the one time codes generated by the authenticator app.

    Of course, enabling 2FA and having the authenticator app on the same device as your 1Password vault doesn't hurt directly, but it can give you a false sense of security.

  • khad
    khad
    1Password Alumni

    I really wish I had time today to draft a much longer reply, but I want to make sure to link to this before I have to head out for the night. (It's been a super busy day.) This is one of the most sensible takes on this I've read so far:

    Security firm that revealed “billion password” breach demands $120 before it will say if you’re a victim

    Don't miss the link to Troy Hunt's great tool:

    Have I Been Pwned?

    It doesn't require you to enter any password (which you should never do, even/especially on a site claiming to check for breaches).

    Regarding MFA, our own @jpgoldberg is actually away at this very moment — or I'm sure he would have jumped in here — giving a talk on the different between authentication and encryption passwords. You can read some of his thoughts here, and I encourage you to do so if you have questions about how MFA related to 1Password:

    Authentication vs Encryption

    Again, I wish I had more time to reply to posts individually, but please read the above links as I believe they address the issues very well. I or one of my colleagues will reply further as soon as possible.

    Cheers!

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited August 2014

    Hello, I'm sorry for jumping into this so late and still just to give a fly-by comment.

    I'm in Las Vegas where PasswordsCon has just wound up (but other security conferences continue). While of course we may be proved wrong, pretty much everyone here thinks that this claim of "Russian gang with 1.2 billion password records" is a highly suspect claim. Because those who are making the claim have not yet (to my knowledge) allowed researchers to look at the data, nor have they provided details of the nature of it, the suspicion is that there isn't a lot that is new on their list. We also don't know whether those passwords are plaintext (unencrypted) or hashed.

    Again, I may be proved wrong, but one plausible scenario is that there are lots of lists floating around, many with old data, and that these lists overlap with each other., But if you combine them all (without eliminating overlaps) you might get 1.2 billion.

    Even if this is truly as bad as the press and the promoters of it make out, the lesson still remains that the most important thing that people can do is have unique passwords for different sites and services.

  • [Deleted User]
    [Deleted User]
    Community Member

    For what its worth, this is what I did to minimise the impact of having to change hundreds of passwords in the case of an 'event' or scare like Heartbleed or this Russian thing....

    When Heartbleed was announced, I changed every password for every site. Thanks to Agile's Watchtower this was able to be done effectively - at least the password was changed only once - after I knew the site had been remediated - but clearly it is a laborious to actually execute the changes and it took me ages to do.

    To obviate this massive task

    1/ I prioritised all my site logins adding a Tag "Critical" to those 1Password Login records that would cause damage if compromised (Bank Sites, Other Financial Institutions, anything that provides information that aids identity theft, ISP's etc (your list will vary) - but I ended up with about a dozen sites on this list.

    2/ In 1Password, I created some Smartfolders that, for Critical Tagged records, show "Critical Logins with PW change less than 1 day ago" and "Critical Logins with PW change greater than 1 day ago".

    3/ Then, in the case of an 'event' I only worry about changing passwords for these Critical sites by going thru the list of "Critical Logins with PW change greater than 1 day ago" changing the PW for each, until that list is empty.

    The other (not so critical) Logins have either Dual Factor Site Authentication in place or don't matter all that much (because the site doesn't have my credit card on file, or my full address, or my core email address, or information that can be used for ID theft, and I have unique complex passwords for every site) ......so I took the view that I would only worry about these if or when the site owner advised of a specific problem.

    Its a bit of a judgement call but it sure beats changing several hundred passwords each time.

    (It also made me think about how many sites I really needed to access - and risk any of my information with - and to cull that list of providers)

  • prime
    prime
    Community Member
    edited August 2014

    This is how I started to change my passwords, by what's important. Anything billing like my cc companies and banks are changed 1st, then I am slowly doing the rest. I read somewhere that email accounts weren't effected, but I'll still change them. Now I do have a question and what you guys opinion. I have 2 step verification set up on my outlook email, Dropbox, Facebook, and a few others. How important is it to change those passwords right away? 2 step verification adds that extral level of secuirty, so that "should" stop a hacker. Even my bank has 2 step verification to a point. Whenever I use a new device for the 1st time, my banks sends a code to my phone.

  • khad
    khad
    1Password Alumni

    Good question, @prime. If you have weak or reused passwords, you should change them immediately. The best defense continues to be strong, unique passwords. As for the benefit of multifactor authentication or two-step verification, you may want to read:

    How much benefit is there to two-step verification for Dropbox, Apple ID, etc.?

  • prime
    prime
    Community Member

    That was a good read! Thank you @khad‌

  • khad
    khad
    1Password Alumni

    You're quite welcome, @prime. It is my pleasure. :D

  • jpgoldberg
    jpgoldberg
    1Password Alumni
    edited August 2014

    The discussion among journalists and security professions about this 1.2 Billion password issue has gotten very acrimonious.

    A plausible account

    I am giving it more credibility than I had initially, but the only usable advice that comes out of this is to have unique passwords for each site and service.

    From my read of things, a larger number of sites were broken into from April through June using a previously unknown SQL Injection attack. The attacks were automated and run from botnets. (Fleets of compromised home computers.)

    Thus the stored password databases from these many sites then fell into the hands of criminals. A number like 4.5 billion records is not implausible (reduced to 1.2 billion when duplicate records are eliminated).

    Presuming that these passwords were hashed, the criminals would have had to "crack" them. Depending on how the passwords were hashed and how much effort the criminals were willing to put into things, it is perfectly plausible that 500 million of them would be cracked. (If these were hashed, then passwords created by the 1Password Strong Password Generator are unlikely to be among the ones that were cracked.)

    Alex Holden may very well have found a way to steal this data from the group of criminals who had created it.

    What makes this different?

    From a researcher's point of view, this disclosure is very unlike what we have seen before. The typical "disclosure" is someone anonymously posting (a portion of) the stolen password records. We, the security researchers, then go and analyze that see where it may have come from, and get a sense of what is there. We don't know who is posting the data, but we have the data itself and we torture that data until it speaks to us.

    In this case, however, we don't have the data. We have someone claiming that he has the data. In the first report, we had only an unnamed expert look at the data. (Since then, other more credible experts have had a chance to look at it, and have confirmed that it is what it seems to be.) And the business that Holden tried to set up around the data looks nasty. Also the initial report didn't mention the kinds of questions that people like me ask first (duplicates, time period, etc). And so I had been extremely skeptical. I am less so now.

    What can we advise?

    A large number of passwords have been stolen and cracked from a large number of websites. We don't know which, so we can't say "change your passwords for sites X, Y, and Z." We don't know to what extent the passwords had been hashed and to what extent those have been cracked. My guess is that most were hashed and that most have been cracked. Very strong randomly generated passwords are beyond the reach of cracking.

    So all of this is a reminder to not reuse passwords. The less you reuse passwords, the smaller the consequences of these sorts of breaches are.

  • DavidB
    DavidB
    Community Member

    @jpgoldberg wrote:

    My guess is that most were hashed and that most have been cracked.

    Could you please elaborate a little? Why didn't hashing keep them from being cracked? Also, were most cracked because they were not strong?

    Thank you,

    David

  • Hi @DavidB,

    There are two different type of hashing, the one they typically use on the websites are not generally the strongest. This blog post that Jeff wrote will explain: http://blog.agilebits.com/2012/06/06/a-salt-free-diet-is-bad-for-your-security/

This discussion has been closed.