The JW Secure Informer logo

archive blog contact


JWSecure informer imagery

The Problems with Reusing Online Credentials

Users make their lives easier in the short term by reusing passwords. This is a classic tradeoff between usability and security. Reusing a password on multiple services is likely to lead to compromise of those accounts. Even reusing just a logon name reduces user privacy. This article discusses online credential reuse risk and mitigations.

Security and Complexity Aren't Friends

As password cracking software has gotten ever more effective, IT professionals have been pushing hard for longer and more complex passwords. The problem is human memory; it just is not good at remembering jumbles of letters, numbers, and symbols. In a previous article on Identity Theft and Derived Credentials we described how to create derived credentials to avoid the user cognitive overload caused by multiple online accounts with high quality passwords.

Even so, a problem is created by the complex matrix of identities (such as email addresses) and online accounts, for personal and professional purposes, managed by a typical user. For example, the user may use a corporate email address to access work-related and non-work related online services. The same user may use a personal email address to access other work-related (for example, outsourced) and non-work related online services. In all cases, the same email address can be used for multiple identity providers (for example, Facebook; Google ID; Microsoft Account; Salesforce; etc.) that are in turn used to access multiple websites.

Frequently, that mixing and matching of email-based identities, online identity providers, and website logon sessions is happening simultaneously in a single web browser session. While most web browser software offers sophisticated controls for privacy and cookie handling, achieving the right balance between usability and security is a tall order in the face of such complexity. Adding to that the inherent insecurity of secrets in any digital internet-accessible storage and you have the perfect target for attackers looking to compromise large populations of computer accounts.

The biggest threat to internet-accessible services is remote attacks. Why come to your house when the bad guy can safely obtain all of the personal and financial information he desires from the comfort of his own home overseas? As we suggested in Improving User Passwords, you're better off using strong unique passwords that you write down on a piece of paper than weak reused passwords that you can remember.

Password Reuse in the Enterprise

When a user authenticates using Active Directory, the Kerberos protocol reduces the user password to a digital ticket that is valid for a configurable number of hours. The ticket is domain-specific. However, that means tickets resident on a compromised host can be used by an attacker to leap frog to other hosts in that domain. Password reuse makes the situation even worse. When the user re-authenticates on a compromised host, the attacker is able to capture the password itself, in addition to the tickets. If the same password has been used in other domains, the attacker can now hop directly over those carefully managed trust boundaries.

Credential theft tools such as mimikatz and Windows Credential Editor have been circulated in the hacker communities for years. These tools enable attackers to escalate from one compromised device to gaining control of most of the computers in the enterprise domain. This is called a "lateral traversal attack." The attack becomes particularly easy in an environment where a large community of computers has been deployed with the same pre-configured account passwords. Worse, traditional security event monitoring software has difficulty detecting the traversal attack, since it looks like authorized user behavior. Starting with a single compromised device, the attacker becomes free to run rampant inside the enterprise without fear of detection.

Identifier Reuse versus Password Reuse

Looking at the attacks shown above it seems that the only problem is password reuse. That is partially true, until user privacy is considered as one of the desired features of an identity scheme. Where the user is concerned with some attacker (or some unscrupulous internet vendor) linking their usage of one service with other networked service, the user needs to consider having a completely separate identity among the services that they access. In other words, different registered email account, cell phone, home address, etc. This is easier said than done.

Take the First Step

At a conceptual level the secure solution is simple: have a unique identifier and credential for every service provider. The reality is a little more complex, though, since any security solution must be both convenient and manageable in order to be accepted by users and service providers alike. Today most authentication protocols, like Kerberos and TLS, are based on outdated security models. They have been optimized for convenience by storing password hashes and digital cookies so that they can be as frictionless as possible. This creates an attractive target for hackers.

If you must stick with static passwords, a solution that is used in enterprises is password management. One example of password management is creation of short lived random numbers that are centrally managed for each user (for example, CyberArk and Lieberman offer such products). However, password management servers create yet another attractive target for hackers. Still, this may be the best available solution for deployment in the short term.

Defense in Depth is Always the Way

Active Directory allows security boundaries to be defined using Organizational Units, Domains, and Forests. However, these boundaries are only effective with careful planning, execution, and continuous enforcement. Creating trust across those boundaries, while simplifying management, effectively destroys security.

In the enterprise, JW Secure recommends that high-value assets (HVA, a concept borrowed from the military) be protected by isolation. Isolation encompasses the implementation of separate networks as well as separate categories of user privilege and HVA access. For more information, please see our previous article on Strongholds. Each enterprise user of the isolation network is provisioned with a separate account from the one used for reading email and surfing the web. The goal is isolation of the HVA from the attacks that occur every day against standard corporate network accounts. Unfortunately, password reuse defeats isolation since, once the standard account password is compromised, the attacker can use it to log into the isolation account. Partly for this reason, isolation is largely a waste of time unless static passwords are eliminated. On the other hand, isolation in tandem with two-factor authentication creates a strong defensive posture.

Windows Server 2012 R2 introduced the concept of a Bastion AD forest where HVA user accounts can be given limited one-way access to specific assets in another forest. A related feature called time-to-live, or TTL, group membership is being introduced in Windows Server 2016. The bastioned forest is still an attractive attack target, but if policy is strictly enforced, it has a higher level of protection.

For state of the art protection, combine isolation, strong authentication, and hardening of the client device in order to mitigate the threat of Pass the Hash and offline attacks. The idea is to frustrate opportunistic hackers as well as determined adversaries with a broad range of security configuration enforcement applied to all network endpoints. JW Secure provides this advanced defensive in depth with our StrongNet Secure Admin solution.


Keep in touch


Just for laughs

JW Secure Informer cartoon

Quote of the month

I attribute my success to this - I never gave or took any excuse.
- Florence Nightingale -

Thank you for reading the JW Secure Informer

The JWSecure Informer is a bimonthly newsletter that can be sent directly to your inbox. Please add to your safe sender list. To subscribe, or contact Customer Care, use the links below.
Update Your Preferences | Subscribe | Contact Us | Privacy Policy
This information has been organized and published by:
JW Secure, Inc.
1752 NW Market St. • Suite 227 • Seattle, WA 98107
© 2015 JW Secure, Inc. All Rights Reserved.