Russian hackers show who values passwords


Summary: Authentication tools are emerging to minimize hack exposure, but can they kill end-user apathy?


It appears the tide has shifted: passwords are now more valuable to hackers than they are to the enterprise users and consumers who create them.

The New York Times reported Tuesday that “a Russian crime ring has amassed the largest known collection of stolen internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses.”

Once again, Milwaukee-based Hold Security was the discoverer of the pilfered passwords cache, which the hackers built by breaking into some 420,000 large and small websites.

But while trouble is on the doorstep, help is on the way in the form of new authentication schemes, including multi-factor authentication, and other attribute services — such as location and context — that, used together, offer better security for users and make it harder for hackers to reuse stolen usernames and passwords.

As I’ve said here before, it is time end-users realize their personal data has value, including username and password. For those who can’t calculate that value, know that Facebook didn’t develop a $189 billion market cap harvesting corn on Farmville. That cap was built on personal data willingly provided by its end-users.

And protecting that value is getting to be more than passwords can handle. Consider the effort of changing your password at dozens upon dozens of web sites, some of which may be your bank and other financial services (with the names of those institutions conveniently pulled from your hacked email account). And compare that pain to credit card theft, which is solved by a single phone call and a liability contract that puts the cardholder’s responsibility at $0 but nevertheless puts a sense of doom into consumers.

And consider the multitude of avenues open once hackers have your credentials. Stolen passwords are sold on the black market and are used for new hacks that come at users from unexpected and unusual angles.

Given the continuing use of passwords such as “Password” and “12345”, the perception is that identity, and personal data, hold little value. But it's high time prevailing wisdom questioned that perception; hackers sure are.

In 2013, Deloitte Canada’s research organization said 90 percent of user-generated passwords would be relevant for mere seconds under pressure from hackers.

The Russian contingent set a new benchmark, pushing the needle into the billions of records — a potential black-market bonanza on the backs of user credentials, typically weak and replayed across sites on the internet.

And if you're hoping the carnage will end, consider that the hundreds of millions of records stolen from Target last December had lost 70 percent of their value on the black market in the first two months post-breach, according to a report by security expert Brian Krebs. That gives internet users roughly a 60-day window before a new batch of stolen credentials starts the assault cycle once again.

What’s the answer? Is there an answer?

There is not one answer, but a series of methods savvy enterprises and end-users can use to get out of the line of fire and into a foxhole. Face it, passwords are not going away any time soon; what they need is a call for back-up and a culture shift in the security vs. convenience pattern.

Multi-factor authentication (MFA) options built on smartphones have emerged in mainstream sites from Facebook to Google to GitHub to Twitter. The FIDO (Fast Identity Online) Alliance — formed in July 2012 to address strong authentication and reduce the use of passwords through a combination of hardware, software, and services — is gaining steam.



Google has said it will include FIDO’s U2F open standard in its Chrome browser later this year, which will bring with it options for a new range of devices and strong authentication from security vendors.

The historical resistance to today’s MFA — tedious typing and re-typing of credentials — will test end-users’ willingness to bend the security/convenience continuum.

Look for biometrics to help with the bending. Fingerprint readers on Apple's iPhone 5 and Samsung’s Galaxy S5 show that more effort and more money are being pumped into biometric-based authentication options that include voice and facial recognition. And look for devices to provide location and context, among other attributes, that will also help triangulate the identity of a user.

Online identity services that take on the task of authentication, federation and user ID management are increasing in popularity among enterprises. End-users will need to pay attention to pick out options that are defining the future, while IT will need to pay attention to the construction of hybrid identity infrastructures that leverage existing build-outs and regulatory-inspired internal security boundaries.

The authentication space is gaining momentum with end-user awareness, vendor tools (both hardware and software), and online services. But they had better hurry in order to catch hackers already up to warp speed.



John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • People Just Won't Help Themselves

    A lot of anguish could be prevented if folks would just assign a different (and appropriately competent) password to each site they use -- and then use a password manager so they will only have to memorize one good master password.

    But like telling people to back up their files, many (if not most) just won't do it. Something about no one can help you if you don't help yourself first.
    • Re: People Just Won't Help Themselves

      I don't understand how folks assigning a different password to each site they use will fix this issue. The hackers have stolen a lot of those passwords from the information provided in this article - I am now worried that the more complex and longer the password that is input to a website login, the more valuable this password becomes, as it may indicate you are concerned about the security and preventing unauthorized access to the account. These accounts may be hacked into first for all we know. Unfortunately the answer seems to be that changing your passwords weekly/monthly will need to be done until measures are put in place to add another layer of authentication.
  • Here we go again

    Were the 420,000 websites that were compromised storing the user/password data in plain text and not in a salted hash? Jeez, I just got done changing all of my passwords from the Heartbleed fiasco. This is getting exhausting.
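    A worked illustration of the distinction the comment above raises, added here and not part of the original thread: what a site stores if it keeps plain text versus a per-user salted, iterated hash (PBKDF2-HMAC-SHA256 with assumed parameters of a 16-byte random salt and 200,000 iterations), and why a dump of the salted table cannot be matched across accounts by equality even when the same weak password was reused.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not taken from the article):
# PBKDF2-HMAC-SHA256, a 16-byte random salt per record, 200,000 iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'algorithm$iterations$salt_hex$digest_hex'.
    A fresh random salt means two users (or two sites) with the same password
    get different records, so a stolen table cannot be linked across accounts
    by simple equality the way a plain-text (or unsalted) table can."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the digest from the salt stored in the record and compare in
    constant time. Anything that is not a well-formed salted record (for example
    a plain-text entry) is rejected rather than compared directly."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_credential_table(users):
    """What a site should actually persist: username -> salted record.
    `users` maps username -> password as supplied at sign-up; the plain
    password itself is never stored."""
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample accounts: both chose the weak password from the article.
    table = build_credential_table({"alice": "Password", "bob": "Password"})
    print("records identical:", table["alice"] == table["bob"])  # False: salts differ
    print("alice logs in:", verify_password("Password", table["alice"]))  # True
```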
  • One Major Roadblock...

    Is the increasing use of fields in web pages that can't accept a pasted input, or an automated input from a browser. I use a password manager to generate very strong passwords. Yet this morning I'm trying to paste that long, unpronounceable password into my bank's Change Password page, and it won't allow me to paste. I have to tediously hand type the characters, not once but twice. Then when testing the log in, which did let me paste it in, of course I had gotten one character wrong and I was forced to modify the password that had been generated (or worse, go back and change it with the bank again). I see NO improvement in security if web pages won't allow you to paste info in from a password manager in all fields.

    I also frown upon sites that block auto-population fields. That stuff is protected with my strong Google password in Chrome (likewise my Keychain provided info in Safari).
    • why not allow pasting into fields?

      @JoeFoerster, you complain about web sites blocking pasted entries. I suggest they are blocked because otherwise it is trivial to allow a computer to connect and enter the data - requiring a person prevents automation.

      If a password manager can paste into any field, then so can any other program, and those other programs don't sleep...

      Anyone knowledgeable about software testing can challenge that there are tools to automate testing which must be able to get around any such blocks, so why bother? Well, I agree the system isn't worked out correctly yet, although it worked for a while. We need something else - perhaps biometric devices are a useful next step, as this article suggests.
      Bret Waldow
  • I'd love to know...

    how they know the hackers were Russian and not someone using "Russian" as cover. Unless the breach is claimed with bravado, I'm not sure why anyone would not bother to cover their tracks better than to be so easily identified.

    The other thing that is very curious is that this whole move toward greater security in virtually every aspect of our lives is coming at the expense of only one big but rapidly vanishing hurdle - and everyone understands what that hurdle is.