NameSilo
Paul Buonopane

PSA: If you use the same password on multiple websites, change it now

Views:
4,685
Comments:
52
By Paul Buonopane, Mar 6, 2021
  1. Paul

    Paul CTO, NamePros CTO VIP

    Posts:
    1,602
    Likes Received:
    2,913
    A few months ago, NamePros started observing aggressive credential stuffing attacks. This marked a new chapter in security at NamePros. We have rather secure infrastructure, especially for a site of our size. However, we've been growing at a steady pace, which makes us a bigger target.

    The credential stuffing attacks we're observing are simple, yet they're difficult to block without your help. They don't compromise the security of NamePros itself, but they do mean that attackers are able to gain access to certain NamePros accounts that have made the mistake of using the same password on other (sometimes less secure) websites, and there's very little we can do to stop it. This may sound surprising or counterintuitive, but it all stems from one simple fact: most people use the same password everywhere.

    Here's how a typical credential stuffing attack works:
    1. Alice registers for an account at NamePros.com. She uses the same email address and password combination that she uses everywhere: [email protected] and password123, respectively.
    2. Another site on which Alice has an account, Acme.example, is compromised. Alice never realizes it, but the attackers abscond with her email address and password for Acme.example.
    3. Alice's email address and password are added to combo lists. These combo lists contain known email addresses and passwords for millions of users. They're distributed among hackers; sometimes in private marketplaces for a fee, sometimes publicly at no cost.
    4. Mallory, a hacker, obtains a combo list that contains Alice's username and password.
    5. Mallory uses automated tools to attempt to log into all the accounts in the combo list on NamePros.com.
    6. Most of the credentials don't work because they came from Acme.example, not NamePros.com. However, since Alice has an account at both websites with the same email address and password, Mallory successfully logs into Alice's account on the first attempt.
    7. Now that Mallory knows that Alice has poor security hygiene, in addition to gaining full access to Alice's NamePros account, Mallory can use the credentials on other websites that might be of interest to the a NamePros user. Registrar accounts are likely targets.
    8. Mallory uses the same credentials to log into Alice's registrar account and absconds with her domains.

    NamePros isn't typically the target here, and this attack doesn't rely on weaknesses in NamePros' security, which makes it difficult for us to block.

    This is especially problematic for a few reasons:
    • As far as Alice is concerned, it makes little difference which website leaked her password. From her perspective, she's now lost her domains, her NamePros account, and possibly countless other valuable accounts. It's utterly devastating.
    • NamePros can play a game of cat-and-mouse in an attempt to block some of the attacks, but that just encourages the attackers to be stealthier. Furthermore, it's not going to protect Alice's accounts elsewhere.
    • If an attacker guesses Alice's password correctly on the first try, we may never even know that Alice was hacked, or it may take years to discover.
    • NamePros itself isn't being hacked; we can't simply improve our security to stop these attacks.

    When the attacks picked up, we doubled-down on our game of cat-and-mouse. Our mitigations are quite thorough; a naïve attack is likely to fail. However, attackers have been getting more creative. They're spreading their attack out over large numbers of IP addresses to circumvent rate limiting. They're making login attempts from residential connections in the US rather than datacenters, presumably using compromised consumer devices. Some of the connections come from companies that provide cheap labor, hinting that the attacks may even be capable of passing captchas.

    Initially, we could at least determine with a moderate degree of certainty which accounts were compromised. They were invariably old, inactive accounts with almost no data. As time went on, we started seeing a small number of active accounts targeted.

    We notice these attacks because they're noisy. If we see thousands of suspicious login attempts over the span of an hour, we're going to dig deeper. Likewise, if someone reports that their account has been hacked, we'll investigate.

    When this happens, it's not unusual for the same account to be hacked by multiple actors; after all, these passwords are floating around the internet for anyone to grab. If we know an account has been targeted, it's not hard to manually dig through their login history and pick out anything unusual, then branch out from there.

    Sometimes the attacks are quite sneaky. Several months ago, a multi-day investigation revealed that one NamePros member was hijacking other members as far back as 2019. They managed to evade detection for quite some time, during which time they posted from both a hijacked account and their real account. They were careful enough that there was no reasonable way an automated system could have detected this; it required hours of careful research by a professional. More concerning are the accounts they accessed but didn't hijack: how long were they lurking, reading direct messages and other sensitive information?

    We can't combat this on our own--it's impossible. If someone knows your password and tries to log in from the same location as you, we have no way to tell that you've been hacked. We can block the majority of credential stuffing attempts, but some will inevitably slip through the cracks. The only real defense is to avoid using the same password across multiple websites.

    Look, passwords are bad. Contrary to popular belief, if you can remember a password, it's a bad password. This is, of course, problematic: you are expected to remember your password, but if you do, it's a bad password, and you will get hacked. Various intelligent people have come up with fancy software known as "password managers" to get around this, although a simple paper notebook will suffice if you'd rather go that route. You need a random, unique password for every website. Not [email protected], not Ilik3gr##nEggz&Ham, not myCoolPassword!NamePros, not something even remotely similar to any other password you have ever used. Don't take my word for it; see what Bruce Schneier has to say on the matter. Security professionals are working hard to replace passwords with human-friendly alternatives, but, for now, we're stuck with passwords.

    Do you use the same password across multiple websites? Is your password [email protected]? Stop. There's little we can do to protect an account with poor security hygiene; it will get hacked eventually. Everyone likes to think it won't happen to them, but it will. Are you willing to risk your NamePros account? Your domains? Your livelihood?
    1. Get a password manager or a notebook.
    2. Change your password.
    3. Enable two-step authentication.
     
    The views expressed on this page by users and staff are their own, not those of NamePros.
  2. Next Article
    Top Topics: 21 Tips for Selecting .COM Domains; When Did Your First Sale Happen?...
    Previous Article
    Taking A Close Look At Domain Name Appraisals
  3. Loading...
  4. Paul

    About The Author — Paul Buonopane

    CTO of NamePros.

    This is Paul Buonopane's 9th blog post on NamePros. View all blog posts

    Home Page:
    http://www.namepros.com
    Actions:
    Follow
  5. Comments (52)

  6. DuDD

    DuDD Established Member

    Posts:
    1,110
    Likes Received:
    1,283
  7. Kenralph

    Kenralph Established Member

    Posts:
    22
    Likes Received:
    17
    Thanks for the info. How secure is it then to let browsers remember your username and passwords even after having them changed?
     
  8. Domaining Ocean

    Domaining Ocean Top Contributor VIP

    Posts:
    1,298
    Likes Received:
    565
  9. coolhands

    coolhands Established Member

    Posts:
    664
    Likes Received:
    395
    There is a site called haveibeenpwned.com
    you can check there and see if your email is in a data breach,

    And also monitor.firefox.com , You can register here and subscribe for alerts. And when your sensitive information was found on a Data breach , Mozila will send you a notification.

    Coolhands
     
    Last edited: Mar 6, 2021
  10. Mister Funsky

    Mister Funsky Top Contributor VIP

    Posts:
    5,145
    Likes Received:
    19,501
    Thanks for posting....in light of the recent Afternic compromise, this is very relative information.
     
  11. Arjun Oli

    Arjun Oli white.network

    Posts:
    632
    Likes Received:
    353
    Thanks. Great Information.
     
  12. Mytz.com

    Mytz.com Top 4L [email protected] ieie.com CuTu.com NeSu.com QAMI.com PRO VIP Gold Account

    Posts:
    10,696
    Likes Received:
    1,204
  13. NickB

    NickB Wales.org VIP

    Posts:
    4,876
    Likes Received:
    11,046
    Thanks Paul - I signed up for BitWarden and have utilised their password generator - no brainer for $10

    Was surprised how many sites I was using the same password on.......
     
  14. keston57

    keston57 Established Member

    Posts:
    196
    Likes Received:
    123
    Thanks for the eye opener, google recently told me of such, I will do what is needed.
     
  15. Samer

    Samer Top Contributor VIP

    Posts:
    9,854
    Likes Received:
    18,856
    My NP password was always different.

    Scary situation, nonetheless.

    Thank you for sharing, @Paul.
     
    Last edited: Mar 6, 2021
  16. Bravo Mod Team

    Bravo Mod Team Moderator, NamePros Moderator PRO VIP Gold Account

    Posts:
    1,494
    Likes Received:
    2,053
    Hello,

    Learn more about two-step verification:

    It's a lot more secure than using the same password on every website.

    Here's a free password manager that works on many devices (e.g., mobile and desktop):

    Here's a related article:

    We hope that helps.
     
  17. tonyk2000

    tonyk2000 Top Contributor VIP ★★★★★★★★★★

    Posts:
    2,269
    Likes Received:
    3,831
    I'm starting to think that in this world it is better to use different "identities" if possible, not only different passwords - but different usernames, emails etc. for each service which is asking for it. Unique email and username for each service. Also, not providing real data if not obligatory (a bank is supposed to know real name, but for regging at some public forum First Last name, even if not publicly visible, may well be random), etc. In our business some services are now tending to ask to perform KYC for bitcoin payouts - so the question to be answered is it really necessary to give them what they are asking (e.g. ID copy, even with watermark, is still sensitive info...). Is the particular platform reasonably secure both technically and in administrative aspect [who has access to the data, who works there, are their employees 100% trusted... tons of questions ;-() ]. In case of doubts - let them send fiat money instead. And, the last but not the least, anything (or almost anything) still can (and probably will ) be hacked - earlier or later.
     
    Last edited: Mar 6, 2021
  18. iAdam

    iAdam iadam.com Gold Account ★★★★★★★★★★

    Posts:
    523
    Likes Received:
    1,123
    Thank you for the detailed explanation. The rule is don't use the same username/password for multiple websites.
     
  19. The Durfer

    The Durfer Top Contributor VIP Gold Account

    Posts:
    9,467
    Likes Received:
    13,870
  20. MH Mamun

    MH Mamun New Member

    Posts:
    5
    Likes Received:
    0
    Thank you
     
  21. johnn

    johnn WeSellName.com PRO VIP ★★★★★★★★★★

    Posts:
    16,906
    Likes Received:
    6,445
    Some tips for keeping track of user names and passwords for multiple sites.
    Put them into a Excel spreadsheet with 3 columns.
    The Excel spreadsheet should also have password.
    Example:
    Site - User Name - Password (8 characters to comply with most requirements)
    Namepros - Jerry - X12345P4
    Facebook - JerryP - W22342PL
    Youtube - PJerry - JKLjkl223

    Then add random characters and numbers to Prefix and Suffix user name and Password - You decide how many. In this example I will do 2 Prefix and 4 Suffix
    Your Excel file will look like this after the changes

    Namepros - 12Jerry9324 - QQX12345P242434
    Facebook - 45JerryP333d5 - W22342PL115564
    Youtube - 38PJerry7724 - JKLjkl22343233

    Only you will be able to decode the Real User Names and Passwords based on the pre-defined Prefix and Suffix


    Namepros - 12Jerry9324 - QQX12345P242434
    Facebook - 45JerryP333d5 - W22342PL115564
    Youtube - 38PJerry7724 - JKLjkl22343233
     
    Last edited: Mar 7, 2021
  22. iTesla

    iTesla Established Member

    Posts:
    93
    Likes Received:
    89
    I personally do not trust any password saving tools, even the browser is suspicious in this matter.
    The safest way is your memory and a diary locked in a safe!
    I think CIA invented all pass saving tools to login in our accounts without hacking them.
     
  23. Not sure about the CIA or browser conspiracy part of that, but I completely agree with having a hard copy that's not remotely/wirelessly accessible and placed in a fire/water proof safe that requires both; a key and combination (not digital or anything with a motherboard or memory that could be wiped or hacked). 😁
     
    Last edited: Mar 7, 2021
  24. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    878
    Likes Received:
    2,874
    Not having any physical connection to the Internet is highly preferred.

    The only thing to worry about then is the category https://en.wikipedia.org/wiki/Van_Eck_phreaking

    And probably more.
     
  25. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    878
    Likes Received:
    2,874
  26. Paul

    Paul CTO, NamePros CTO VIP

    Posts:
    1,602
    Likes Received:
    2,913
    Passwords in general are terrible. As an industry, we're trying quite hard to move past them.

    Password reuse is a very real risk. There are plenty of secure offline methods of storing passwords, but your memory is not a safe place for more than a few. However, chances are you have more than a few online accounts. The password for each of those sites needs to be completely different from all the others, or you will get hacked.

    As for the CIA...

    [​IMG]

    Image copyright Randall Munroe of xkcd. Original source: https://xkcd.com/538/. Licensed under CC-BY-NC 2.5.
     
  27. johnn

    johnn WeSellName.com PRO VIP ★★★★★★★★★★

    Posts:
    16,906
    Likes Received:
    6,445
    Use my technique.
    According to the Math Society Association, it would take them 15 years to hack into your account.
     
  28. Future Sensors

    Future Sensors 78% of human domainers will be replaced by robots Gold Account

    Posts:
    878
    Likes Received:
    2,874
    You already told us a lot about your pattern, where's the entropy @johnn
     
  29. johnn

    johnn WeSellName.com PRO VIP ★★★★★★★★★★

    Posts:
    16,906
    Likes Received:
    6,445
    Hang on let me check with my wife.
     
Topics / Tags:
biix
  1. NamePros uses cookies and similar technologies. By using this site, you are agreeing to our privacy policy, terms, and use of cookies.
    Dismiss Notice
Loading...