Account takeover prevention: techniques and data quality

Prevention techniques

There are several ways of flagging passwords as a digital threat. Although at first sight all services look similar, in fact they are very different:

Figure 1: techniques used for account takeover prevention

Banned-password list

A banned-password list is a collection of prohibited passwords. For example, Pwned Passwords has compiled a list of more than 570 million ‘real world passwords previously exposed in data breaches’. Azure AD Password Protection ‘detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization’. In essence, this type of service shares two important characteristics. The lists are based on:

  • Passwords that were used at some time by someone somewhere in the world (‘123456’, ‘password’ etc.).
  • Passwords based on context specific words (‘MyCompany’, ‘CompanyHometown’ etc.).

Email breach notification

An email breach notification service collects data breaches and extracts the email addresses from them. If your email address is part of a breach, it is flagged. Receiving an alarm can mean different things:

  1. Your email address is part of a data breach and no other details were stolen. This is a common case.
  2. Your email address and other details including a password in an unknown format were stolen. This is a common case.
  3. Your email address and other details including a hashed password in an uncrackable format were stolen. This is a common case.
  4. Your email address and other details including a hashed password in a crackable format were stolen. This is a common case.
  5. Your email address and other details including a plain text password were stolen. This case is less common.

Credential breach notification

A credential breach notification service — just like an email breach notification service — collects data breaches and extracts the email addresses from them. However, a record is only processed if password information is present. So if your email address together with credentials in any form is part of a breach, it is flagged. Receiving an alarm can mean different things:

  1. Your email address and other details including a password in an unknown format were stolen.
  2. Your email address and other details including a hashed password in an uncrackable format were stolen.
  3. Your email address and other details including a hashed password in a crackable format were stolen.
  4. Your email address and plain text password were stolen.

Password breach notification

A password breach notification service also collects data breaches, extracts the email addresses and checks whether password information is present. Additionally, hashed passwords are actually cracked. If you receive an alarm, one of the following is true:

  1. Your email address and plain text password were stolen.
  2. Your email address and hashed password in a crackable format were stolen and have successfully been cracked.

Figure 2: actionable versus non-actionable data of hashed passwords in data breaches

Data quality

For good account takeover prevention, a true password breach notification is required. A number of steps are needed to implement a quality password breach notification service:

  1. Collect data breaches.
  2. Filter out records with valid email addresses and plain text passwords. Add results to the database.
  3. Filter out records with valid email addresses and credentials.
  4. Verify if credentials are crackable:
    - No: tag as unknown format, do not add to the database.
    - Yes: proceed to the next step.
  5. Crack hashed passwords.
  6. Remove duplicate data from unknown sources.

Figure 3: an obviously incorrect result as a result of poor email parsing

Figure 4: at least partly an email breach notification service

Figure 5: at least a credential breach notification service

Figure 6: one source record, seven(!) duplicates from combo list data
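As an added illustration of steps 2 to 4 and 6 above (not code from Scattered Secrets), the following Python sketch runs constructed breach records through email validation, format tagging and de-duplication; the record layout, the ‘combo-list’ source label and the hash-format heuristics are assumptions, and the actual cracking stage (step 5) is deliberately left out.

```python
import re

# Constructed sample breach records as (source, email, password field); not real data.
RECORDS = [
    ("examplesite.test", "alice@example.com", "Summer2019!"),
    ("combo-list", "Alice@Example.com", "Summer2019!"),   # same credential re-shared in a combo list
    ("combo-list", "alice@example.com", "Summer2019!"),   # and again
    ("forum.test", "bob@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),  # unsalted MD5 digest
    ("forum.test", "carol@example.com", "$2b$12$" + "x" * 53),  # modular-crypt style hash
    ("forum.test", "not an email", "hunter2"),              # poor parsing would let this through
    ("shop.test", "dave@example.com", ""),                  # no credential in the record
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")
# Bare hex digests of common unsalted fast hashes (MD5, SHA-1, SHA-256): assumed crackable.
HEX_DIGEST_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)


def classify(secret):
    """Tag a password field with the page's categories: plain, crackable, unknown or none."""
    if not secret:
        return "none"
    if HEX_DIGEST_RE.match(secret):
        return "crackable"       # would be queued for the separate cracking stage
    if secret.startswith("$"):   # $2b$, $argon2id$, ...: tagged unknown format, not stored
        return "unknown"
    return "plain"


def process(records):
    """Run steps 2-4 and 6 of the pipeline; returns (stored records, counters)."""
    db = {}                      # (email, secret) -> (source, email, secret, tag)
    stats = {"bad_email": 0, "no_credential": 0, "unknown_format": 0, "duplicate": 0, "stored": 0}
    for source, email, secret in records:
        email = email.strip().lower()
        if not EMAIL_RE.match(email):
            stats["bad_email"] += 1      # Figure 3: reject what is not an address
            continue
        tag = classify(secret)
        if tag == "none":
            stats["no_credential"] += 1  # email-only record: not actionable
            continue
        if tag == "unknown":
            stats["unknown_format"] += 1
            continue
        key = (email, secret)
        if key in db:
            stats["duplicate"] += 1      # Figure 6: combo-list copies of one source record
            if db[key][0] == "combo-list" and source != "combo-list":
                db[key] = (source, email, secret, tag)  # prefer the named breach as source
            continue
        db[key] = (source, email, secret, tag)
    stats["stored"] = len(db)
    return list(db.values()), stats
```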

Conclusion

For quality account takeover prevention, a service based on true password breach notification is required. Implementing it seems to be difficult. All other parties we have looked at are cutting corners by using easy but low quality techniques. Using those techniques introduces non-actionable data and false alarms. If you do not want this, use Scattered Secrets, for best in class true password breach notification services. Scattered Secrets ♥ passwords ;) Don’t forget to check if your passwords are breached!
