Credential Theft

Credential theft is the most common security breach. This can be surprising since much of security and attack prevention is about preventing technical vulnerabilities in other dozens of other areas. The CBS News program 60 Minutes reported that forensic evidence revealed that 80% of security breaches were caused by weak or stolen passwords.

Using valid credentials is preferable for an attacker. Why go over the high walls when they can walk through the front door? There is less chance of discovery at the time because valid credentials will not set off any intruder alerts. There is less chance of discovery after the fact because valid credentials will leave less evidence of the intrusion behind. Attackers also like that credentials are frequently re-used so that one password unlocks multiple locks. This allows an attacker to move between devices throughout a network.


There are three primary techniques used for credential theft.

  • Phishing
    The attacker sends a spear-phishing email with a link to a fake login page. When the target tries to log in, the credentials are captured by the attacker.

  • Key-logging
    The attacker installs malware on a target's computer which will capture the target's keystrokes during log in and forward them to the attacker.

  • Database theft
    The attacker obtains a large set of credentials, usually using SQL Injection or other attack, which include the target's credentials. This could be a local vulnerable database, but more often it is a third-party database which has been breached and decrypted.

Password re-use is a major security issue because a third-party data breach requires many steps for the user to regain their security. First, a user has to hear or be notified about a breach. If they do not know it has occurred then they will remain an unsuspecting victim. Then the user has to remember which credentials were used for the third-party site and know all of the other places where they used those credentials. After developing a list, the user has to invest considerable time to reset each and everyone of those passwords. It is only then that the breached credentials are no longer a threat.


Credential Theft Preventions

The first defense against credential theft is educating users. Users need to understand the best practices for keeping credentials secure and on the various techniques which are used to obtain credentials such as phishing attacks.

As an organization, the best defense is to require strong passwords for all users and to offer [Multi-Factor Authentication] as an option or, ideally, as a requirement. Biometric Authentication should be used whenever possible, especially for the most secure resources. It is easy to steal a password or a phone, it is harder to steal both at once, but it is extremely difficult to steal a biometric identifier.

Use SSH keys whenever possible. SSH keys provide authentication using Public-Key Cryptography to identify trusted computers without needing passwords.

Forbid the re-use of credentials, both for internal systems and for external logins. This can be a policy, or in some cases it can be enforced using authentication software.

Recommend or require password managers to users. Provide support to make the software easy for them to use. Demonstrate how password managers allow stronger passwords, discourage password re-use, and make it harder to trick users with fake login forms.


High-Profile Credential Thefts

Some of the largest and most high-profile security breaches have been due to credential theft.

Fork me on GitHub