Placing a Value on Passwords
Posted by Gunter Ollmann on November 20, 2007 at 8:01 PM EST.
How much is your password worth? Talk about a difficult question to answer!
Back in 2004 a survey conducted at one of the UK’s busiest railway stations revealed that 70% of people would reveal their computer password for a chocolate bar. What if I was to tell you that, today, your password is worth something less than four cents?
While most people probably have some appreciation of the value of credit card credentials (see my last blog posting about buying credit cards) and an idea about the likely value of the identity information needed to access an online bank account, not many are likely to know the value of the passwords they use every day.
Hidden in the murky parts of the Internet there are exchanges for passwords and other identity information. Accessible through various invite only bulletin boards and IRC channels, identity information is sold or, more commonly, exchanged for goods and services. ‘Identity’ itself is now a form of currency.
A list of 2,000 credit cards (which includes card number, name, issue/expiry date, CVV2 code and magstripe data) is worth about 40 standard identities (i.e. name, address, phone number, social security number, date of birth) or around 5 complete banking identities (i.e. all of the above, but also includes mother’s maiden name, bank account number, account password) – depending upon the bank the identity theft victim is with. Cracks and keygens to the latest software or warez can similarly be exchanged for identity information. It’s a little bit like those packs of cigarettes being traded in prison movies.
Perhaps more interestingly, it appears that some entrepreneurs have now focused on the buying and selling of big batches of stolen login accounts and passwords.
For example, a batch of 7,000 login names, passwords and email addresses can be found for $250. The brief blurb I read about the batch said it was from a popular porn site. So, why would anyone want to buy 7,000 login ID’s for a porn site when they could probably get all the access they need for only $20 per month.
The value of the batch wasn’t based upon the site it was obtained from, nor the access that could be granted to the site, neither was it based upon its usefulness as a source of spam email addresses – instead, the value was based upon an attacker’s ability to recycle the login credentials for breaking in to other (unrelated) Web sites.
You see, despite all the warnings and guidance security experts from around the world have been extolling for over a decade, people still insist on using the same old passwords on multiple Web sites. It’s not surprising really – just about every site you visit nowadays wants to offer you some custom service or offering – but to do so they want to know who you are, so you have to login with some “unique” credentials – so, in the end, we’re all overloaded with having to remember another bunch of passwords etc. The attackers know all this too.
Where there’s complexity or confusion, there’s opportunity.
So, one group of hackers breaks into “Bobs Tire-Mart” in Dubai (fictional example) and gets away with the login details of a few hundred customers. They offer the list for sale. The final purchaser adds their new batch of login details (in particular Login name, email address and password) to the other batches they have already purchased, loads them in to their brute-forcing tool, points it a list of Web sites the attacker is interested in and quickly discovers if any of the credentials they have work on it.
Really, it’s that simple.
It doesn’t really matter which sites were hacked for their login credentials – in fact you could almost argue that lesser known sites may be more valuable because they are probably softer targets and the users probably used their most common “throwawayable” passwords there.
I’ve seen many postings around the Web with people going on about how their account has been hijacked and used for spam or other fraudulent purposes, and ranting about how the security of the major site should have been better. When in fact they had used the same password on some other site they forgot about or stopped using a few years ago, and in the meantime an attacker found it worked on a different site.
Given the way new sites are springing up and how many passwords were all expected to remember, I expect this attack vector to become more popular and more successful. Similarly I’d expect the proliferation of these underground exchanges to increase and the price per password to fall over time.
In addition, it doesn’t take a genius to correlate multiple batches of credentials and spot common password generation schemes being used by the users. Think of the victims email address as the unique key within a database for matching to. It would be easy to spot that the victim uses the format “fr3ddy-eBay” for each site – and guess their password for PayPal etc.
I think another important aspect of this threat is that there’s probably no age limit to the attack. By that I mean passwords that were used 5 years ago on some dark and forgotten Web site are likely almost as valuable as the password used for a new account created only yesterday.
Let’s not forget all the other “recover your forgotten password” credentials as well. These will be similarly valuable – perhaps maybe even more valuable in the long term than the passwords themselves if the victim actually manages to use unique passwords at each site they use. Knowing the answers to “Your first high school”, “Your favorite color”, “Your first pets name”, etc. will likely be more portable between sites when trying to crack accounts.