How your email credentials end up in the wrong hands and how they are monetized

Anything can be monetized online, especially the credentials of your email account. Here is how they are abused.

Botnets are one of the main distribution channels for malware and phishing email. A botnet can be composed of hundreds of thousands of compromised devices (increasingly IoT devices) and the command-and-control (C&C) center coordinates the activity of all these devices.

Once upon a time the bots connected directly to the destination mail server to attempt delivery of a malicious email, but ISP firewalls and reputation data could easily identify and block these attempts. Sending malicious email from legit email accounts is much more effective: the reputation is good (the email is coming from big players like Google or Microsoft) and the malicious email is technically identical to legit email, which makes life harder for spam filters. These messages have a higher chance of ending up in the recipient's inbox.

The C&C periodically distributes fresh valid credentials to the bots, which abuse them to send bad stuff in the name of the legit email account owner. But how do they get the credentials of your email account?

The first source of valid email credentials is data breaches. There are lots of data breaches, more than you can imagine. I had to unsubscribe from the privacyrights.org data breach notification service because of the flooding: 828 databases became public in 2018 for a total of over 1.3 billion records. On average 2.2 breaches per day. Lots of data.

Data breaches contain credentials, which are usually an email address and a password. Lots of users re-use the same password on many services and this means that a lot of these breached records contain valid credentials for email accounts, ready to be abused. The C&C collects and dispatches these credentials to the bots.

What about the email accounts for which the breached password is not valid? You can always guess it.

Many users use passwords that are really simple: the most used password on the planet is “123456”, followed by “password”; in 3rd place we have the slightly more complex “123456789”, then “12345678” and so on. In 8th position we find “sunshine”, followed by “qwerty”, then “iloveyou”, “princess” and so on. Lots of passwords are present in dictionaries; lots are first names, dates, combinations of those and simple variations like “monkey2018”.

You don’t need to make a lot of attempts to guess the password of many email accounts: with a few thousand attempts you get lots of them, and if you have a botnet you can make hundreds of thousands of attempts all at once, each one from a different IP address, without triggering rate-limiting protections.

Got it?

Now, what can you do to prevent this and relax?

First: use a different password for each service. Data breaches happen all the time. If you go to haveibeenpwned.com and enter your email address, you will probably find out that your credentials are already public. If you use the same password everywhere, a single data breach compromises all of your accounts, so don’t do it. Use a different password for each service.

You may now be tempted to choose a “smart” technique to generate different passwords from the same root. For example monkey_linkedin, monkey_facebook_2019 and so on.

Not so smart. These variations are easily guessed if you can perform hundreds of thousands of authentication attempts at once. Most of these passwords can be found easily. Don’t think you can easily outsmart brute-force attempts with your limited memory resources.

Entropy is the keyword here. I will tell you something that you won’t like: if you can memorize it, it is low-entropy and if it is low-entropy it can be easily guessed. This means that if you can memorize it, it’s not strong enough. That’s it.

The only way to have passwords that cannot be easily guessed is to have high-entropy passwords which means that you cannot memorize them. Sorry, someone had to tell you.

A password manager is the best way to go today: with minimal effort you can manage hundreds of un-guessable high-entropy passwords that are all different.
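To put numbers on the entropy argument above, here is an added example (not part of the original article) of a signup-time check that recognises a common root hidden behind service-name and year decoration, next to the kind of random generation a password manager performs. The root list, the alphabet and the option counts used for the scheme estimate are constructed assumptions.

```python
import math
import re
import secrets
import string

# Constructed sample list; a real check would load a large breached-password list.
COMMON_ROOTS = {"123456", "password", "sunshine", "qwerty", "iloveyou", "princess", "monkey"}
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"  # 74 symbols


def generate_password(length=20):
    """Draw every character independently from a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def scheme_entropy_bits(*choices):
    """Entropy of a 'root + decoration' scheme: log2 of the product of the options."""
    return sum(math.log2(n) for n in choices)


def derived_root(password, service):
    """Return the common root hiding behind service-name/year decoration, or None."""
    p = password.lower().replace(service.lower(), "")
    p = re.sub(r"[\W_]+", "", p)          # drop separators such as _ - . !
    p = re.sub(r"(19|20)\d{2}$", "", p)   # drop a trailing year
    return p if p in COMMON_ROOTS else None


if __name__ == "__main__":
    for pw, svc in [("monkey_linkedin", "linkedin"), ("monkey_facebook_2019", "facebook"),
                    ("monkey2018", "linkedin"), (generate_password(), "linkedin")]:
        print(f"{pw!r:28} root={derived_root(pw, svc)}")
    # Assumed sizes: 10,000 dictionary roots, 4 separators, 50 service names, 31 year options.
    print(f"derived scheme : {scheme_entropy_bits(10_000, 4, 50, 31):.1f} bits")
    print(f"random 20 chars: {random_entropy_bits(20):.1f} bits")
```

With these assumed sizes the whole "root plus decoration" scheme is worth about 26 bits, while 20 random characters from a 74-symbol alphabet are worth about 124 bits.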

I can understand that a password manager can be a huge obstacle for your aunt and (I don’t want to open a hot debate here) I personally think that for some people a decent fallback is to write passwords on paper. Yes, they are more vulnerable but they are offline and in the end it is much better than having a weak password.

Security means compromise. Choose your compromise but don’t ignore this: if you can memorize it, then it’s not strong enough.

 

Rodolfo Saccani
Security R&D Manager at Libraesva