How do you know a service is legitimate and safe? We all have to trust by proxy sometimes, but it just doesn’t feel right to encourage people to accept reassuring statements as gospel.
You can't have failed to notice that a lot of account/password combinations have been captured in recent years (especially this year) and made available on the Internet (e.g. Gawker, Rockyou, various Lulzsec dumps) for any bad actor to try to make use of. Not a good thing, but it has at least made it possible to capture some useful data on what the most common (and therefore easily-guessed) passwords are, and several security firms and researchers have used that data to advise readers on how to use better passwords.
Recently, some researchers have gone further, offering a service that allows worried computer users to enter their email address or other account name into a message box: the service then searches a number of databases for matches. For example, ShouldIChangeMyPassword.com, which was set up by the Avalanche Technology Group, appears to have the approbation of a number of knowledgeable journalists and even security mavens, makes use of this list of resources. Pwnedlist.com is a somewhat similar project that comes out of HP/Tippingpoint. We're not talking about fly-by-night opportunists or even blatant phishing sites here, so why do I feel so squeamish about this approach to reassurance?
Well, I said that we're not talking about phishers or opportunists, but I haven't checked them personally. And that's part of the problem. How do you know a service is legitimate and safe? We all have to trust by proxy sometimes, but for those of us who are supposed to be trusted/trustworthy security gurus, it's essential to top up from the scepticism tank occasionally and question basic assumptions. How easy is it to abuse a service like this? Here are some thoughts that came out of a conversation we had on an internal ESET list. (Note that these are my personal prejudices, not a consensus opinion or an official statement on ESET's behalf.)
Let's say I set up a form where you can enter your email/account address to have me check that it's not known to be compromised.
- I can do what other services do and check several known sources of email address/password pairs for a match.
- If your account ID doesn't turn up, I can't say that it hasn't been compromised, but I can say that it isn't known to be compromised.
- If turns up in one or more of them, I can do the ethical thing and let you know so that you'll change your password.
- But if I’m not legitimate, I now know the account is still live, and I know what the password is. The chances are, I tell you there's no match and your password hasn't been compromised, and as my colleague Peter Stancík puts it, you "roll one up and chill" rather than doing the sensible thing and changing your password anyway. Meanwhile, I use it to make some money.
Of course, as Peter pointed out, this attack doesn't reveal newly-compromised information. Well, certainly it isn't the only way to sort through the ever-growing heap of account ID/password pairs that are lying around on the Internet waiting for Blackhat attention. You can laboriously go through trying each one by hand, of course, but it's not that difficult to automate. However, that's still a big heap. Using an attack along these lines (there are some possible variations I won't go into at this point) to get the victim to verify that their status is (still) compromised would certainly be more efficient than a random phishing attack.
Pwndlist offers an extra layer of security as an option. Rather than submitting your cleartext account ID to them, you can submit a SHA-512 one-way hash of the ID. However, as Carole Theriault has already pointed out, most people don't know what a SHA-512 is. I can't see many potential victims going to the trouble of learning how to generate one. In fact, there are many tools lying around on the Web that will do that for you, though if you know enough to generate a hash without having to worry about trusting a third party, you've probably already changed any passwords that might be at risk. Remember, this isn't just an issue of distinguishing between good and bad actors: as Aryeh Goretsky pointed out in the same discussion, if an initially legitimate service is somehow compromised, a bad actor suddenly has access, potentially, to a whole bunch of self-verified addresses.
But my principle issue is this. It just doesn't feel right to encourage people to accept it as gospel when a service says “no passwords are stored on our database” or “we don’t keep, restore, or share data” any more than they should accept it when a message says “this is not spam”, or a file-sharing site says "this file has no Trojan or virus content." It's not actually technically difficult for a security company considered trustworthy to set up a similar front end of our own which might be seen as “trustworthy”. But that’s a heavy responsibility when the data is stored elsewhere, and could be poisoned in some way. And that's assuming there aren’t legal, data protection issues not a trivial assumption in the European Community, for instance.
The question is, how great is the risk that such an initiative is "grooming" potential victims of future scams that simply skate round the security issues with a little social engineering? How often have you seen a phishing email that actually quotes small print from the "real" bank that would, if the victim read it properly, tell him that he should on no account trust the message in which he finds it? Sometimes it almost seems as if the victim is lulled and reassured–by the presence of that text–into trusting an untrustworthy message.
I commend the efforts of serious security researchers to find a way to help end users to check on whether their accounts have been compromised in a known attack. If you need to know for sure that they have been when stating your case in a dispute with a bank or other provider, that might indeed be useful.
I just think that if you have any reason at all to think your account could have been compromised, maybe it's simpler and safer just to go and change it anyway. Even if the only reason to do so is that it's been a while since you last changed it. In other words, the answer to "ShouldIChangeMyPassword.com" is almost certainly "yes!"
If you need advice on good password practice, you might find Keeping Secrets: Good Password Practice by myself and Randy Abrams of some use.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow