Tales of Password Reuse

Published: 2013-11-22
Last Updated: 2013-11-22 15:45:51 UTC
by Rick Wanner (Version: 1)
7 comment(s)

As a security practitioner I try really hard to drink the Kool-Aid, in other words practice what I preach.  I have been a strong advocate, for well over a decade, of avoiding password reuse.  There is one consolation I personally made to password reuse. For years I  used one "throwaway" password for services where I didn't care about the account.  You know those annoying sites that make you sign up just to access some mundane capability.  In my case, my throwaway password is still a high quality password, but it is used on literally dozens of sites where there is no data of value, like Adobe.   After the Adobe breach I changed my throwaway password on as many sites as I could remember using it at, and developed a better methodology for passwords on these sites (i.e. no more reuse).  

Apparently I missed one. Yesterday I got an email from Evernote telling me that I had used the same password at Evernote that I had used at Adobe. The Evernote account  probably got my throwaway password before I realized the value of the Evernote service.  I now use Evernote nearly every day from my mobile devices; where I don't get prompted for the credentials; but never log into it over the web, so I didn't remember what the password was set to.

Needless to say I quickly changed my Evernote password and enabled Evernote's two-step authentication.

Shortly later an ISC reader forwarded a The Register article about a brute force authentication attack against github. While there aren't a lot of technical details in the article, this attack is interesting because it is a relatively slow attack from over 40,000 IP addresses, obviously designed to reduce the likelihood of any anti-brute-forcing controls kicking in. 

"These addresses were used to slowly brute force weak passwords or passwords used on multiple sites. We are working on additional rate-limiting measures to address this".  Suggesting that this was not your typical  brute force employing obvious userids and incredibly inane passwords, but a targeted attack against password reuse. 

The article also goes on to lament; "It strikes us that GitHub's recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites."

Guess I will be looking at all my passwords again, including the ones used by my mobile devices!


-- Rick Wanner - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

7 comment(s)


Maybe I misunderstand the Evernote message, but they are not saying you are using the same password between Adobe and Evernote, they are saying if you are, you should change it, no?
The subject implies that, but the content says "We compared this list to our user email addresses and found that the email address you used to register for an Evernote account is on the list of exposed Adobe accounts."

I'm pretty sure that the passwords not in the top 100 or so haven't been compromised yet, so they really wouldn't know if your throwaways aren't in the really really bad category. from the sound of things the list was encrypted reversibly but in triple DES.
You are absolutely correct. Just playing the role of paranoid security guy. (-;
Just because you are paranoid doesn't mean they aren't after you!

It would be a very poor reflection on Evernote if they were able to know your password. Although, I guess they could have changed the logic when a user enters a password (during login or password change) and compare to the known Adobe passwords at that time.
I have this task on my todo list as well. Using a password manager eliminates most of the need for a throwaway password.

Evernote does not need to know your password from their database. If they have an email from adobe and the adobe password produces the same hash stored for the evernote email matching account, you have used the same password at both locations.

I heard reports of about 150 million records in the adobe data breach. Only 38 million are active with adobe. Just because the remaining accounts are not active with adobe, does not mean a password was not reused at another location that is active.
Or they could apply their own hash to the passwords published by the Adobe breach and compare to what they store.

Diary Archives