IT.COM

advice PSA: If you use the same password on multiple websites, change it now

NameSilo
A few months ago, NamePros started observing aggressive credential stuffing attacks. This marked a new chapter in security at NamePros. We have rather secure infrastructure, especially for a site of our size. However, we've been growing at a steady pace, which makes us a bigger target.

The credential stuffing attacks we're observing are simple, yet they're difficult to block without your help. They don't compromise the security of NamePros itself, but they do mean that attackers are able to gain access to certain NamePros accounts that have made the mistake of using the same password on other (sometimes less secure) websites, and there's very little we can do to stop it. This may sound surprising or counterintuitive, but it all stems from one simple fact: most people use the same password everywhere.

Here's how a typical credential stuffing attack works:
  1. Alice registers for an account at NamePros.com. She uses the same email address and password combination that she uses everywhere: [email protected] and password123, respectively.
  2. Another site on which Alice has an account, Acme.example, is compromised. Alice never realizes it, but the attackers abscond with her email address and password for Acme.example.
  3. Alice's email address and password are added to combo lists. These combo lists contain known email addresses and passwords for millions of users. They're distributed among hackers; sometimes in private marketplaces for a fee, sometimes publicly at no cost.
  4. Mallory, a hacker, obtains a combo list that contains Alice's username and password.
  5. Mallory uses automated tools to attempt to log into all the accounts in the combo list on NamePros.com.
  6. Most of the credentials don't work because they came from Acme.example, not NamePros.com. However, since Alice has an account at both websites with the same email address and password, Mallory successfully logs into Alice's account on the first attempt.
  7. Now that Mallory knows that Alice has poor security hygiene, in addition to gaining full access to Alice's NamePros account, Mallory can use the credentials on other websites that might be of interest to the a NamePros user. Registrar accounts are likely targets.
  8. Mallory uses the same credentials to log into Alice's registrar account and absconds with her domains.

NamePros isn't typically the target here, and this attack doesn't rely on weaknesses in NamePros' security, which makes it difficult for us to block.

This is especially problematic for a few reasons:
  • As far as Alice is concerned, it makes little difference which website leaked her password. From her perspective, she's now lost her domains, her NamePros account, and possibly countless other valuable accounts. It's utterly devastating.
  • NamePros can play a game of cat-and-mouse in an attempt to block some of the attacks, but that just encourages the attackers to be stealthier. Furthermore, it's not going to protect Alice's accounts elsewhere.
  • If an attacker guesses Alice's password correctly on the first try, we may never even know that Alice was hacked, or it may take years to discover.
  • NamePros itself isn't being hacked; we can't simply improve our security to stop these attacks.

When the attacks picked up, we doubled-down on our game of cat-and-mouse. Our mitigations are quite thorough; a naïve attack is likely to fail. However, attackers have been getting more creative. They're spreading their attack out over large numbers of IP addresses to circumvent rate limiting. They're making login attempts from residential connections in the US rather than datacenters, presumably using compromised consumer devices. Some of the connections come from companies that provide cheap labor, hinting that the attacks may even be capable of passing captchas.

Initially, we could at least determine with a moderate degree of certainty which accounts were compromised. They were invariably old, inactive accounts with almost no data. As time went on, we started seeing a small number of active accounts targeted.

We notice these attacks because they're noisy. If we see thousands of suspicious login attempts over the span of an hour, we're going to dig deeper. Likewise, if someone reports that their account has been hacked, we'll investigate.

When this happens, it's not unusual for the same account to be hacked by multiple actors; after all, these passwords are floating around the internet for anyone to grab. If we know an account has been targeted, it's not hard to manually dig through their login history and pick out anything unusual, then branch out from there.

Sometimes the attacks are quite sneaky. Several months ago, a multi-day investigation revealed that one NamePros member was hijacking other members as far back as 2019. They managed to evade detection for quite some time, during which time they posted from both a hijacked account and their real account. They were careful enough that there was no reasonable way an automated system could have detected this; it required hours of careful research by a professional. More concerning are the accounts they accessed but didn't hijack: how long were they lurking, reading direct messages and other sensitive information?

We can't combat this on our own--it's impossible. If someone knows your password and tries to log in from the same location as you, we have no way to tell that you've been hacked. We can block the majority of credential stuffing attempts, but some will inevitably slip through the cracks. The only real defense is to avoid using the same password across multiple websites.

Look, passwords are bad. Contrary to popular belief, if you can remember a password, it's a bad password. This is, of course, problematic: you are expected to remember your password, but if you do, it's a bad password, and you will get hacked. Various intelligent people have come up with fancy software known as "password managers" to get around this, although a simple paper notebook will suffice if you'd rather go that route. You need a random, unique password for every website. Not mydogisawesome@7, not Ilik3gr##nEggz&Ham, not myCoolPassword!NamePros, not something even remotely similar to any other password you have ever used. Don't take my word for it; see what Bruce Schneier has to say on the matter. Security professionals are working hard to replace passwords with human-friendly alternatives, but, for now, we're stuck with passwords.

Do you use the same password across multiple websites? Is your password mydogisawesome@7? Stop. There's little we can do to protect an account with poor security hygiene; it will get hacked eventually. Everyone likes to think it won't happen to them, but it will. Are you willing to risk your NamePros account? Your domains? Your livelihood?
  1. Get a password manager or a notebook.
  2. Change your password.
  3. Enable two-step authentication.
 
72
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
4
•••
Thanks for the info. How secure is it then to let browsers remember your username and passwords even after having them changed?
 
5
•••
3
•••
There is a site called haveibeenpwned.com
you can check there and see if your email is in a data breach,

And also monitor.firefox.com , You can register here and subscribe for alerts. And when your sensitive information was found on a Data breach , Mozila will send you a notification.

Coolhands
 
Last edited:
15
•••
Thanks for posting....in light of the recent Afternic compromise, this is very relative information.
 
3
•••
1
•••
1
•••
Thanks Paul - I signed up for BitWarden and have utilised their password generator - no brainer for $10

Was surprised how many sites I was using the same password on.......
 
4
•••
Thanks for the eye opener, google recently told me of such, I will do what is needed.
 
1
•••
My NP password was always different.

Scary situation, nonetheless.

Thank you for sharing, @Paul.
 
Last edited:
2
•••
Hello,

Learn more about two-step verification:

How secure is it then to let browsers remember your username and passwords even after having them changed?
It's a lot more secure than using the same password on every website.

Here's a free password manager that works on many devices (e.g., mobile and desktop):

There is a site called haveibeenpwned.com
you can check there and see if your email is in a data breach
Here's a related article:

We hope that helps.
 
6
•••
I'm starting to think that in this world it is better to use different "identities" if possible, not only different passwords - but different usernames, emails etc. for each service which is asking for it. Unique email and username for each service. Also, not providing real data if not obligatory (a bank is supposed to know real name, but for regging at some public forum First Last name, even if not publicly visible, may well be random), etc. In our business some services are now tending to ask to perform KYC for bitcoin payouts - so the question to be answered is it really necessary to give them what they are asking (e.g. ID copy, even with watermark, is still sensitive info...). Is the particular platform reasonably secure both technically and in administrative aspect [who has access to the data, who works there, are their employees 100% trusted... tons of questions ;-() ]. In case of doubts - let them send fiat money instead. And, the last but not the least, anything (or almost anything) still can (and probably will ) be hacked - earlier or later.
 
Last edited:
7
•••
Thank you for the detailed explanation. The rule is don't use the same username/password for multiple websites.
 
3
•••
0
•••
0
•••
Some tips for keeping track of user names and passwords for multiple sites.
Put them into a Excel spreadsheet with 3 columns.
The Excel spreadsheet should also have password.
Example:
Site - User Name - Password (8 characters to comply with most requirements)
Namepros - Jerry - X12345P4
Facebook - JerryP - W22342PL
Youtube - PJerry - JKLjkl223

Then add random characters and numbers to Prefix and Suffix user name and Password - You decide how many. In this example I will do 2 Prefix and 4 Suffix
Your Excel file will look like this after the changes

Namepros - 12Jerry9324 - QQX12345P242434
Facebook - 45JerryP333d5 - W22342PL115564
Youtube - 38PJerry7724 - JKLjkl22343233

Only you will be able to decode the Real User Names and Passwords based on the pre-defined Prefix and Suffix


Namepros - 12Jerry9324 - QQX12345P242434
Facebook - 45JerryP333d5 - W22342PL115564
Youtube - 38PJerry7724 - JKLjkl22343233
 
Last edited:
3
•••
I personally do not trust any password saving tools, even the browser is suspicious in this matter.
The safest way is your memory and a diary locked in a safe!
I think CIA invented all pass saving tools to login in our accounts without hacking them.
 
2
•••
I personally do not trust any password saving tools, even the browser is suspicious in this matter.
The safest way is your memory and a diary locked in a safe!
I think CIA invented all pass saving tools to login in our accounts without hacking them.
Not sure about the CIA or browser conspiracy part of that, but I completely agree with having a hard copy that's not remotely/wirelessly accessible and placed in a fire/water proof safe that requires both; a key and combination (not digital or anything with a motherboard or memory that could be wiped or hacked). 😁
 
Last edited:
3
•••
Not sure about the CIA or browser conspiracy part of that, but I completely agree with having a hard copy that's not remotely/wirelessly accessible and placed in a fire/water proof safe that requires both; a key and combination (not digital or anything with a motherboard or memory that could be wiped or hacked). 😁

Not having any physical connection to the Internet is highly preferred.

The only thing to worry about then is the category https://en.wikipedia.org/wiki/Van_Eck_phreaking

And probably more.
 
2
•••
1
•••
The safest way is your memory and a diary locked in a safe!

Passwords in general are terrible. As an industry, we're trying quite hard to move past them.

Password reuse is a very real risk. There are plenty of secure offline methods of storing passwords, but your memory is not a safe place for more than a few. However, chances are you have more than a few online accounts. The password for each of those sites needs to be completely different from all the others, or you will get hacked.

As for the CIA...

security.png


Image copyright Randall Munroe of xkcd. Original source: https://xkcd.com/538/. Licensed under CC-BY-NC 2.5.
 
3
•••
Use my technique.
According to the Math Society Association, it would take them 15 years to hack into your account.
 
0
•••
Use my technique.
According to the Math Society Association, it would take them 15 years to hack into your account.

You already told us a lot about your pattern, where's the entropy @johnn
 
2
•••
Hang on let me check with my wife.
 
2
•••
Back