Data Breaches, Attacks, and Password Hygiene

Posted on Sat 26 October 2024 in articles

Introduction

October is cybersecurity awareness month, so let’s talk about data breaches, what typically happens after, and a few defensive tips for better personal password hygiene.

Breaches

In 2024 alone, it is estimated that over 1 billion records have been stolen as a result of breaches with two of the largest being Ticketmaster and National Public Data, containing 560 million and up to 2.9 billion records respectively. The latter, National Public Data (NPD), contained full names, addresses, email addresses, and social security numbers for possibly every US citizen, as well as other sensitive data for many/most citizens of Canada and the UK. NPD is facing a class action lawsuit and has since filed for bankruptcy.

Breaches can contain a variety of data - sometimes actual usernames and/or passwords, but more often, password hashes or personal data, like email addresses or broader sets of metadata (data that provides information or context about other data). When reading these all-too-common breach notifications and headlines, it is easy to fall into the trap of thinking metadata or non-sensitive personal data is inconsequential, but it is important to understand that this data is not used alone and is often combined with other data, from publicly available sources or previous breaches, to craft attacks.

A quick note on password hashes: from a development perspective, storing plaintext passwords is an incredibly poor and dangerous practice. Typically, when you create an account on a website, for example, your actual password is not stored in the backend, but rather is processed via a one-way cryptographic hash function resulting in a fixed-length “message digest”, otherwise known as a hash. This hash is stored instead and referenced moving forward when you authenticate. More details on password hashing can be found here.

Attacks

Consider the “rockyou.txt” file - a growing wordlist of plaintext passwords compiled from various breaches. Earlier this summer, it approached 10 billion unique passwords. Realistically, if you are using a simplistic password that is easy to remember, it is likely on this list, which is included by default in many penetration testing and hacking tools used by both ethical and criminal hackers.

Now, consider the following scenario: your email address and a hash of your password are available on the dark web as part of a recent breach.

A common path for an attacker would be to use a tool like John the Ripper, which uses a wordlist (like the aforementioned rockyou.txt file), combined with a file of hashed passwords (in this scenario, from the breach). The tool attempts to determine the hashing algorithm used in the hashed password file, then uses that algorithm to hash the passwords in rockyou.txt, comparing the two until it finds a match for password records between the files, resulting in your password being discovered or “cracked.”
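To make the hashing note and the wordlist comparison above concrete from the storage side, here is an added example (not part of the original post). It assumes SHA-256 as the fast unsalted hash and scrypt with the parameters shown as the salted alternative; the function names and sample accounts are made up for illustration.

```python
import hashlib
import hmac
import os

# scrypt cost parameters chosen for this example (an assumption, not from the post)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def fast_unsalted_hash(password: str) -> str:
    """Weak storage: one fast hash, no salt. Same password -> same digest everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def create_record(password: str) -> tuple[bytes, bytes]:
    """Stronger storage: random per-user salt plus a deliberately slow, memory-hard KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, stored)


def shared_digests(records: dict[str, str]) -> dict[str, list[str]]:
    """Group accounts whose stored digest is identical (only possible without salts)."""
    groups: dict[str, list[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; two of them reuse the same simple password.
    accounts = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#qv9!mLx2&"}
    weak = {u: fast_unsalted_hash(p) for u, p in accounts.items()}
    print("accounts sharing an unsalted digest:", list(shared_digests(weak).values()))
    strong = {u: create_record(p) for u, p in accounts.items()}
    print("alice and bob share a salted digest:", strong["alice"][1] == strong["bob"][1])
    print("alice can still log in:", verify("sunshine1", *strong["alice"]))
```

With unsalted fast hashes, one hashed wordlist entry matches every account that uses that password; with a per-user salt and a slow function, each record has to be worked on separately and each guess costs far more.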

From here, the first target for the attacker would be using your email address (commonly used as a username) and the now cracked, plaintext password on the site, service, or application that was breached, granting them access to your account. If you reuse passwords, this is where things tend to spiral as the next step would be expanding the attack in what is known as credential stuffing - attempting to use this same set of credentials on other sites, services, or applications. This is why it is critical to use unique passwords.

While stolen credentials, combined with using and reusing simplistic passwords, are a clear danger, metadata and seemingly innocuous personal information can become just as dangerous. For example, what if the above scenario led to the attacker breaking into your email account itself? In this case, even if you use unique passwords, personal information and metadata can be used to expand the attack by targeting “forgot password” flows that depend on security questions (e.g. the street you grew up on or your favorite hobby).

Penetration testing/hacking tools, phishing, and password attacks are topics that I will explore in more detail in future posts, but for now, let’s pivot to ways that we can better protect ourselves against all of the above.

Password Hygiene

As mentioned previously, and something you have certainly heard elsewhere, making use of long/strong/complicated and unique passwords has always been and remains the best defense. As we all know, however, adhering to this can be a pain in the ass, leading many individuals to stick with or fall back on bad habits. This is where a password manager can not only help, but actually result in a flow that is easier than just using the same, easy-to-remember password everywhere.

There are a myriad of things to think about when picking a password manager, but perhaps the most important is interoperability - does it work across all of the devices or systems where you are typically entering passwords? Browser or operating system based password managers will likely suffice for many users, but if you use multiple browsers or operating systems, a more agnostic tool may be a better solution. In this latter category, two options to consider are Bitwarden and Proton Pass, both of which are open source and work across all desktop and mobile operating systems as well as most common web browsers. This is obviously not an exhaustive list, so be sure to do some research and pick what is best for you. That said, do not let the variety of options, features, etc. get in the way of just picking a manager; anything is better than nothing!

After you choose the manager best suited for you, the likely tedious process of inputting all of your passwords, then adding the manager software to all of your devices and browsers is next. If you are coming from not using a password manager and often reuse the same password, use this as an opportunity to change your password on each site, service, or application, using the password manager to generate and store a new, unique, strong password. Again, this is tedious, there is no way around that, but it is well worth the trouble. After this initial setup, typically, you will only ever need to know the password to your password manager. Additionally, and this will vary slightly based on your choice, you will likely never have to type or copy/paste any other password again as many common managers have the option to automatically fill password fields.

Two final recommendations from a defensive perspective would be to enable multi-factor authentication (MFA) on any and every site, service, or application that supports it and to consider scrubbing data from, or outright deleting accounts on, sites, services, and applications that you no longer use.

In Closing

This post barely scratches the surface of the topics presented, but hopefully provides a holistic view of how the topics relate, generally, and to your personal password usage as well.

If you found this useful or informative, you liked it, hated it, or have any questions about the topics and material covered, email me or send me a message on Bluesky and let me know.

Thanks for reading!