The Wages of Password Re-use: Your Money or Your Life (Krebs on Security)

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.

Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.

The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it is often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.

SWATTING THE FLY

Of all the stories I’ve written here over the last 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to buy heroin off the dark web, ship it to our house and then spoof a call to the police from one of our neighbors saying we were dealing drugs.

Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal stuff related to his various “Fly” identities.

Mistake number two was the password for his email account was the same as his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

POOR PASSWORDS AS GOOD OPSEC?

While it may sound unlikely that a guy so enmeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user.

Countless times over the years I’ve encountered huge tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were full of bad passwords, like password1 or 123qweasd (an incredibly common keyboard pattern password).

I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

Regardless of their reasons or lack thereof for choosing poor passwords, it is fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations.

For example, it is often the denizens of the cybercrime underground who pick crappy passwords for their forum accounts who end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online.

SOME ADVICE FOR EVERYONE

It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the simplest way to achieve that goal.

Password managers are ideal for people who can’t break the habit of re-using passwords, because you only have to remember one (strong) master password to access all of your stored credentials.

If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that might be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that countless sites still force you to add special characters and place arbitrary limits on password length possibilities.

Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you do not store them in a file on your computer or taped to your laptop, and b) that your password notebook is stored somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.

Further reading: Who’s Behind the GandCrab Ransomware?