Beat hackers at their own game: Part 1
Marty Weiner | Pinterest engineering manager, BlackOps
This post also appeared on Medium.
Passwords are the greatest gift we ever gave to the hacker community. An elegant combination of human nature and poor dev choices brings Christmas in July for hackers. And January. And February. And, well, every month.
We’re witnessing a sharp rise in the number of credentials being stolen and accounts hijacked across the web. Each new set of hijacked credentials gets a spammer into the inner sanctum of your friends on every social platform where they can spam as you. Spammers create content with links to their websites where they entice people with ads, knockoff products and scams.
Spammers are awesome marketers.
While their marketing is illegitimate, spammers are highly motivated. They’re great at posting targeted content and getting tons of views. They typically make a lot of money by posting content to a site which links back to spammy sites where they monetize users.
To post content, spammers first need a registered account on your site. There are two ways to get accounts.
1. They can make or buy fake accounts to post content. To be successful in this game requires building legitimate looking accounts and a fair amount of effort to get users to click on spammy content. A spammer may need to make “friends” with many good users so their posts are visible.
2. Alternatively, spammers can hijack your account. Now spammers can get their content right in front of your friends’ faces, which typically increases visibility and propensity to click. In this game they must acquire and use passwords before their competitors do and before anti-spam security teams discover them.
In one well-constructed estimate, spammers can make up to $2.4 million in a month. To spam with hijacked accounts, spammers purchase accounts from hackers or employ hackers who try to breach company databases. In the last three years, Adobe leaked 150 million emails and passwords, LinkedIn leaked 6.5 million, eHarmony 1.5 million, Gawker 1.3 million, Snapchat 4.6 million, Yahoo! Voices 500,000, Last.FM 2.5 million and Forbes 1 million. And there are more. These companies do protect user passwords; however, that protection is often disastrously weak given how people use passwords and how developers store them.
Problem the first — Humans
The human brain is a complicated meat sack with many competing inputs and many things to remember. Passwords are a tolerated nuisance. This sack of fats and lipids is also amazingly good at underestimating risk. The result is we often (A) have simple passwords, (B) use the same password in many different places or (C) both.
It’s also common for people to have a set of three passwords:
1. A simple password for Farmville, Candy Crush and Cranberry Silo Security Simulator 2014
2. A moderate password for Twitter, Facebook, Pinterest, Gmail and Secret
3. A strong password for banking (though “strong” is typically an over-exaggeration)
If a hijacker has a user’s password for one site, they generally have it for the rest where it has been “shared.” If I’m a spammer wanting to maximize profits, damn straight I’m going to try these credentials on all sites I can get my hands on. Your website included.
Problem the second — Devs
I listed several sites that leaked their passwords. They all used less than ideal methods for storing passwords. Why? My theory is this sort of thing is just not taught in school or discussed often. Commonly, whoever first wrote user authentication used something that sounded okay. Since that day, nobody has wanted to touch the authentication layer. Is it worth the engineering effort to perform a big scary change in preparation for an event that may never happen?
I think yes — if you are a product manager who makes the decision to indefinitely delay fixing your passwords, you should be liable when you hand your users’ keys, which happen to match their bank keys, to a Russian spammer.
If we can fix either the human element or how devs store passwords, we could make hijackers’ jobs much harder. Let’s talk solutions.
One solution is to fix humans or get rid of them.
The problem with this approach is it’s generally impossible or bad for business. Even pushing your users to have stronger or unique passwords can decrease sign up rates in significant ways. You’ll have to weigh that balance with your growth czar. I’d at least recommend disallowing three classes of password: the 10,000 most common passwords, the username or variants of it, and passwords unique to your site (like ‘linkedin’ for LinkedIn). By disallowing these passwords, you make brute force against your database much harder.
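Here is what that three-part denylist looks like as a sign-up check. This is an added example, not Pinterest’s code: the common-password set is a tiny constructed stand-in for a real top-10,000 list, and the site name “example.com” and its variants are made up for illustration. It normalizes the candidate password (lower-case, punctuation stripped, trailing digits removed) before comparing, so “Password2014!” is caught along with “password”.

```python
"""Reject passwords a guesser would try first: top-N common passwords, the username
and variants of it, and terms tied to the site itself.

Added example for the recommendation in the post; not Pinterest's code. The
COMMON_PASSWORDS set is a constructed sample standing in for the real list, and
SITE_TERMS are invented for a hypothetical site called example.com.
"""
import re
from typing import Optional, Set

# Constructed stand-in for the "10,000 most common passwords" list. A real
# deployment loads the full list from a file, lower-cased, into a frozenset.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein",
    "iloveyou", "monkey", "dragon",
})

# Hypothetical site-specific terms, analogous to 'linkedin' for LinkedIn.
SITE_TERMS = ("example", "example.com", "exmpl")

_NOT_ALNUM = re.compile(r"[^a-z0-9]")


def _normalize(value: str) -> str:
    """Lower-case and drop punctuation/whitespace so 'P@ss word!' compares as 'pssword'."""
    return _NOT_ALNUM.sub("", value.lower())


def _strip_trailing_digits(value: str) -> str:
    """'password2014' -> 'password': digits bolted on to satisfy a complexity rule."""
    return value.rstrip("0123456789")


def _username_variants(username: str) -> Set[str]:
    """Forms of the username a guesser tries: as given, reversed, and the local part of an e-mail."""
    base = _normalize(username)
    local = _normalize(username.split("@", 1)[0])
    variants = {base, base[::-1], local, local[::-1]}
    # Very short fragments would reject too many unrelated passwords.
    return {v for v in variants if len(v) >= 3}


def password_rejection_reason(password: str, username: str) -> Optional[str]:
    """Return why the password is disallowed, or None if it passes every denylist check."""
    norm = _normalize(password)
    core = _strip_trailing_digits(norm)
    candidates = {norm, core}

    if candidates & COMMON_PASSWORDS:
        return "too common"
    for variant in _username_variants(username):
        # Exact match on the normalized forms, or the username buried inside the password.
        if variant in candidates or variant in norm:
            return "derived from username"
    for term in SITE_TERMS:
        t = _normalize(term)
        if t in candidates or t in norm:
            return "derived from site name"
    return None


if __name__ == "__main__":
    for pw, user in [("Password2014!", "alice@example.org"),
                     ("Alice!!123", "alice@example.org"),
                     ("example2020", "bob"),
                     ("correct horse battery staple", "bob")]:
        print(f"{pw!r}: {password_rejection_reason(pw, user) or 'accepted'}")
```

The substring test on username variants is the deliberate trade-off here: it catches “bob_pinterest” for user bob at the cost of a few false positives on short names, which is why fragments under three characters are ignored.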
I’m not going to dive further into fixing the human element until I perfect my global mind-control ray (patent pending).
Solution two, don’t use passwords.
Companies like Toopher and Clef are now offering ways to use your Phone-As-Your-Identity (PAYI). Facebook and Google offer single sign-on (SSO) options where they manage user authentication data so you don’t have to. At Pinterest we offer SSO via Facebook and Google and are now exploring PAYI mechanisms. A spammer sitting 6,500 miles away in Bulgaria who needs a million or more accounts to be successful would need to hack into as many phones. That’s far harder since the spammer must hunt for cracks in venerable Telco/Google/Apple security rather than for the databases of a website that has not yet spent many person-years on security. It gets better.
With passwordless login, the insecure human aspect is removed almost entirely. Users can’t give away their credentials for chocolate (caveat caveat caveat) because users don’t have access to the credentials buried in their phones. Better, users can’t use simple passwords or share them on multiple sites even if they wanted to. Needless to say, I’m closely following and pushing for this trend, but until passwordless login is the norm we must continue to clean up the password mess our forefathers left us.
Solution three, store your users’ passwords properly.
We, the devs, can solve this whole problem by simply storing passwords in a way that does not allow a hijacker to use them. Encryption, hashing, something…
Databases love to get leaked especially if they contain awesome data. Naturally you should work toward adopting a strong security stance to protect your database in the first place. But, should a hacker get a quick view of your database, make that view unappealing. Remember rule #1 of spamdom: “spammers want money or power.” A database with strong password protection and a bunch of recipe descriptions isn’t worth much. If hackers find you store your passwords correctly, they are less likely to extract your data — why bother? If your passwords still do leak, let’s minimize the risk to your users, your neighbors’ users, as well as the risk to your reputation.
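To make that “quick view” of the table unappealing in concrete terms, here is the weak storage pattern the post is warning about next to one defensible alternative. This is an added example and not Pinterest’s code or the method the post prescribes; the hardened scheme (a random 16-byte per-user salt, PBKDF2-HMAC-SHA256 from Python’s standard library, and a self-describing record so the work factor can be raised later) is my choice for illustration, and the iteration count is an assumption to be tuned on your own login hosts.

```python
"""Weak versus defensible password storage. Added example, not the post's own code.

weak_store(): one fast, unsalted hash per password. Every user with the same
password gets the same hash, across users and across sites, so a leaked table
can be checked against precomputed tables of common passwords.

make_verifier()/verify(): per-user random salt plus a deliberately slow KDF
(PBKDF2-HMAC-SHA256, from hashlib). The assumed ITERATIONS value should be
measured on the real login host so a verification costs tens of milliseconds.
"""
import hashlib
import hmac
import os
from typing import Optional

# Default work factor; an assumption for this example, not a value from the post.
ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def weak_store(password: str) -> str:
    """The 'sounded okay at the time' approach: unsalted, fast, identical for identical inputs."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_verifier(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Produce a stored record of the form scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Embedding scheme and cost lets old records be recognized and upgraded at next login.
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iters, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed hex or iteration count
        return False


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """True when the record's cost is below today's policy; rehash on the next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < current_iterations


if __name__ == "__main__":
    # Two users, same password: the weak scheme exposes the match, the salted one does not.
    print("weak  :", weak_store("password"), weak_store("password"))
    r1, r2 = make_verifier("password"), make_verifier("password")
    print("salted:", r1 != r2, verify("password", r1), verify("wrong", r1))
```

The `needs_rehash` hook is what makes the “big scary change” to the authentication layer incremental: old records keep working until their owners log in, at which point the verifier is rewritten at the current cost.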
Marty Weiner is a manager on the spam and abuse engineering team