Account takeover prevention: techniques and data quality

In recent years, credential stuffing attacks have been on the rise. Cyber criminals take over accounts with username and password combinations that were stolen at third parties.

The goal of Account TakeOver (‘ATO’) prevention services is to prevent unauthorized access to your accounts. There are several types of techniques that can be used to implement ATO prevention services. The characteristics of the techniques varies widely. Furthermore the data quality of an ATO prevention service has a great effect on the effectiveness and efficiency of the service. In this article we will take a closer look at both the used techniques and data quality.

Prevention techniques

There are several ways of flagging passwords as a digital threat. Although at first sight all services look similar, in fact they are very different:

Figure 1: techniques used for account takeover prevention

Banned-password list

A banned-password list is a collection of prohibited passwords. For example Pwned Passwords compiled a list of more than 570 million ‘real world passwords previously exposed in data breaches’. Azure AD Password Protection ‘detects and blocks known weak passwords and their variants, and can also block additional weak terms that are specific to your organization’. In essence, this type of service shares two important characteristics. The lists are based on:

• Passwords that were used at some time by someone somewhere in the world (‘123456’, ‘password’ etc.).
• Passwords based on context specific words (‘MyCompany’, ‘CompanyHometown’ etc.).

Although blocking of (a limited number of) very popular passwords is always a good idea, the number of both false positives and false negatives is high. If the list contains hundreds of millions of forbidden words, virtually every password is rejected including complex passwords that are safe in the context of a specific company (false positive). On the other hand, rejection of popular and company specific passwords does not cover the entire spectrum. It will not reject complex passwords that were breached at a third party and are publicly available but not as plain text (false negative).

Conclusion: a banned-password list might be a good idea but only if the quality of the list is adequate. A contextless list with passwords of hundreds of millions of world citizens is not adequate. A list that does not contain content based on actually breached and publicly available passwords specific for your organization is not adequate.

Email breach notification

An email breach notification service collects data breaches and filters out email addresses. If your email address is part of a breach, it is flagged. Receiving an alarm can mean different things:

1. Your email address is part of a data breach and no other details were stolen. This is a common case.
2. Your email address and other details including a password in an unknown format were stolen. This is a common case.
3. Your email address and other details including a hashed password in an uncrackable format were stolen. This is a common case.
4. Your email address and other details including a hashed password in a crackable format were stolen. This is a common case.
5. Your email address and other details including a plain text password were stolen. This case is less common.

In all cases it is important to know that your email address is part of a data leak. The impact differs significantly though. If you want to protect your organization, option 1, 2 and 3 are irrelevant since they are not actionable. Option 4 is relevant if the stolen password hash is actually cracked by an attacker. This possibility of a password being cracked depends on two things: the length of the password and the way the password was stored at the third party that was breached. Even short passwords can be safe against password cracking if a proper hashing algorithm was used, as you can read here. This effectively means that you just do not know if your or your organization’s passwords are at risk. Only option 5 is directly useful from a defender’s perspective, but a less common case.

Items 1,2 and 3 also explain why email breach notification services typically report alarms based on breached websites that are not reported by credential or password breach notification services: many of their sources do not contain credential data.

The most well-known example of an email breach notification service is Have I Been Pwnd. As you can see on their website, 5 items in their top 7 of largest breaches (#1, #2, #3, #4, #7) — totalling at 3.26 billion records — do not contain passwords or password hashes (category 1) and are no security threat at all. At least hundreds of millions of other records are using unknown formats or are uncrackable (category 2 and 3). Again: not an actionable threat. All of this, combined with the use of duplicate records, generates at least 50% of false alarms by design. Similar services show similar numbers. The rest of the alarms are not actionable since an email breach notification service does not provides plain text passwords. This means that you can not check the risk for live accounts: the actual threat remains unknown.

Conclusion: an email breach notification is not effective since it is not providing actionable threat intelligence (email + plain passwords combonations). By design, it mostly generates false alarms.

Credential breach notification

A credential breach notification service — just like an email breach notification service — collects data breaches and filters out email addresses. However, data is only processed if password information is present. So if your email address including credentials in any form is part of a breach, it is flagged. Receiving an alarm can mean different things:

1. Your email address and other details including a password in an unknown format were stolen.
2. Your email address and other details including a hashed password in an uncrackable format were stolen.
3. Your email address and other details including a hashed password in a crackable format were stolen.
4. Your email address and plain text password were stolen.

Most ATO prevention services are credential breach notifications. The quality of provided information is better than data coming from an email breach notification service since the biggest source of false alarms — an email address without credentials — is eliminated.

Credentials like password hashes are not actively cracked, still resulting in a lot of false alarms and non-actionable data. This explains why credential breach notification services also typically report alarms based on breached websites that are not reported by password breach notification services: many of their sources do not contain actionable credential data and thus are not part of the dataset of password breach notification services.

The best way to find out if an account takeover prevention service might be a password breach notification is checking their websites to see if they actively crack passwords. Virtually none of the parties even mention password cracking.

Conclusion: credential breach notification is not actionable in most cases. By design, it mostly generates false alarms which will take time and effort to investigate.

Password breach notification

A password breach notification service also collects data breaches, filters out email addresses and checks if password information is present. Additionally, passwords are actually cracked. If you receive an alarm, one of the following options is true:

1. Your email address and plain text password were stolen.
2. Your email address and hashed password in a crackable format were stolen and have successfully been cracked.

The main advantage of a true password breach notification service is that it delivers alarms that are actionable: the actual real-life threat can be verified by checking the found cracked passwords against the passwords used in your live systems.

Figure 2: actionable versus non-actionable data of hashed passwords in data breaches

So no more ‘maybe it is a risk, most probably not’ but ‘here is the data, determine the risk and if needed neutralize the threat’. If you are looking for effective and efficient account takeover prevention, a service based on password breach notification is the way forward.

The only true password breach notification service we know of is our own service, Scattered Secrets. You might think: that is too easy. You are right. That is why we take a closer look at data quality so you can verify it yourself.

Conclusion: password breach notification can be an effective and efficient way to protect against account takeover.

Data quality

For good account takeover prevention, a true password breach notification is required. A number of steps are needed to implement a quality password breach notification service:

1. Collect data breaches.
2. Filter out records with valid email addresses and plain text passwords. Add results to the database.
3. Filter out records with valid email addresses and credentials.
4. Verify if credentials are crackable:
   - No: tag as unknown format, do not add to the database.
   - Yes: proceed to the next step.
5. Crack hashed passwords.
6. Remove duplicate data from unknown sources.

Step 1 — collecting data breaches — is fairly easy: just monitor the locations where breach data is published and collect available data.

Step 2 and 3— filter out records with valid email addresses and plain text passwords or valid credentails— is also pretty straight forward. Correct filtering seems to be challenging for some parties though:

Figure 3: an obviously incorrect result as a result of poor email parsing

Step 4 — verify if credentials are crackable —is not (completely) done by the services we looked at. An easy verification can be performed by checking if breaches are included that do not contain credential data at all or contain uncrackable password data. Examples include Verifications.io (no passwords stolen) and Adobe (does not contain crackable hashes but encrypted passwords without the key). If one of those is in the list, the service is not a true password breach notification service, but at least partly an email breach notification service or partly a credential breach notification service. Furthermore we see many parties incorrectly categorizing the format of password hashes. In all cases they will by definition generate a lot of false alarms as a result of choosing a non-optimal design.

Figure 4: at least partly an email breach notification service

Figure 5: at least a credential breach notification service

Step 5 — crack hashed passwords — seems to be rare: besides our service we can find only one service that states it is actively cracking passwords. Please note that on the mentioned URL they state that their data also contains uncracked data, effectively stating that they are at least partly a credential breach notification service. Scattered Secrets is providing plain text passwords only. Our core business and competence is being best in class in password cracking, and delivering unique quality content. To do this we are using advanced custom build hardware and smart strategies.

Step 6— remove duplicate data from unknown sources— seems to be challenging for virtually all parties. For example, breaches from many specific sources are combined as one large file without the valuable source information and repackaged as a so-called ‘combo list’ or ‘combolist’. Once in a while some additional contextless records are added and the list is renamed. This process is repeated many times, resulting in mostly the same contextless data resurfacing every now and then. Most parties treat the renamed combolists as new sources. We do not do this since the source of the actual records is unknown. If data from a combolist is already known from a specific source we do not add it: it is less specific and redundant information. If the data was already available from an earlier combolist we also ignore it for the same reason: having exactly the same data (email + password + original breach source unknown) is not beneficial for anyone.

Figure 6: one source record, seven(!) duplicates from combo list data

Implementing effective and efficient true password breach detection seems to be difficult for virtually all available services.

Conclusion

For quality account takeover prevention, a service based on true password breach notification is required. Implementing it seems to be difficult. All other parties we have looked at are cutting corners by using easy but low quality techniques. Using those techniques introduces non-actionable data and false alarms. If you do not want this, use Scattered Secrets, for best in class true password breach notification services. Scattered Secrets ♥ passwords ;) Don’t forget to check if your passwords are breached!