This article is part of the Handling Secrets series. In this first part, Valuing Secrets, we describe how to rate the likelihood of theft for common types of secrets. In the second, Protecting Secrets, we describe the easiest ways to prevent their theft.
One of the workhorses of modern internet crime is something boring and simple: a username and password. A pair that works together is called a credential (or cred): it lets people in.
A credential is a secret between two parties. It lets one of them prove to the other who they are. It’s like the secret knock or code word needed to get into a 1930s speakeasy.
If you let people log in to a service you provide, you have this information—they gave it to you when they registered. This information often enables criminals to defraud or damage them.
Almost no one in the world follows the Simple Salt approach to passwords. We’re working on it.
Until that day, most of the people logging into your platform will have passwords they also used at other platform. They told others the secret code you have together!
This is a problem: any other service or company they have reused this password for also has access to their account on your platform. Likewise, you have access to their account on the other platform.
Because you both have access to this shared credential, the account is only as resistant to theft as the weakest service: any one of you can lose it, including the person named on the account.
Separating the Wheat from the Chaff: Credential Stuffing
There are millions of stolen usernames and passwords available for free and for sale. All criminals know that most are shared with other services, but the hard part is knowing which services they each work on. Of those, some are easily monetized (e.g., bank accounts) and some are not (e.g., knitting forums).
A healthy cottage industry has arisen to meet this need by categorizing stolen usernames and passwords by service they work on and selling them to other criminals who focus on monetizing a particular type.
These criminals buy stolen passwords in bulk, then try logging into major websites using each one. They sell the ones that work. A computer can do this at great volume and is called credential stuffing. Certain tricks block these attempts, but the tricks to avoid the blocking are equally plentiful.
It is all a numbers game: more information about the source or profile of the stolen credentials will drive up the value because stuffers can target the websites they are good at testing.
Passwords go through a natural lifecycle. They are most valuable when they are new and on high-value platforms, and they lose value the older they get. Monetizing old passwords isn’t practical.
How valuable are these secrets?
See here for a review of how these factors contribute to the overall chance that someone will steal them.
Fresh creds average $15 apiece depending on the source: Stolen creds from an attorney’s client portal sell for much more than passwords from a Farmville clone. Low-value creds can be exchanged for social capital with other criminals—the black-market version of your financial planner sending you a box of Harry & David every Christmas. Consider the following typical commodity rates:
Working Netflix and Spotify accounts: $10
Facebook and Google accounts: $50
Amazon Prime or eBay accounts: $100
bank or PayPal accounts with high balances: thousands
Passwords for certain employees at secretive organizations can even sell for hundreds of thousands.
There is a steady and mature credential-stuffing industry, and the barrier to entry is low. Cheap tools and a basic computer proficiency are all that is needed to get started. It is easy to find a buyer for freshly stolen passwords.
There are two approaches this question.
First, lost passwords automatically include whatever website the passwords were to. If someone got deep enough into a system to steal the passwords, it is likely they had access to everything else in there as well.
The cost to you of the passwords alone is low. In the US, affected consumers must be notified if their information is stolen. Each state has a slightly different requirements. While you can do it yourself, it is usually cheaper to pay a company; it often works out to $4 per person. Most countries have similar laws, and the cost to do so can vary.
Individuals are seriously impacted by lost passwords, but the organizations who lose them are less so. This is especially true for small organizations because their failure is usually lost in the continuing flood of password theft. This makes it unlikely that anyone would conclusively attribute the breach to them.
There are at least two exceptions: first, if you lose hundreds of thousands of passwords, that is enough for people to notice and identify you as the common point of failure. Second, if the people who use your service are careful and, they may tie the loss of their password directly to you.
Passwords are an important staple to the internet crime community, and passwords you store are valuable. Luckily, there are excellent and easy ways for you to eliminate and protect them. The second half of the Handling Data series will explain how. Stay tuned!
Want to phone a friend? Give us a ring.