It’s long been a cybersecurity truism that the password at the heart of online account security is also its weakest link. The Blackfish tool from Shape Security, announced Tuesday, aims to galvanize the password by detecting and blocking the reuse of stolen passwords.
Attackers are buying databases of stolen passwords, usually on the Dark Web, and then using them to gain access to compromised accounts, says Sarah Squire, the founder and principal consultant of Engage Identity, and co-author of the latest password guidelines from the National Institute of Standards and Technology, published in June. Large companies in technology, finance, and other industries are buying them too, she says, to identify their most vulnerable users.
Squire says Blackfish’s technology, which she’s observed working in a Shape demonstration, could kneecap the black market for stolen passwords.
“The economy of the Internet as a whole is suffering so that we can learn which passwords have been stolen. Because Blackfish can see all automated log-ins in real time, [it] can capture compromised usernames and passwords,” she says, “instead of buying them.”
Stolen passwords, such as those taken during a massive breach of Yahoo accounts, are often used in credential-stuffing attacks, which are sort of a digital version of throwing everything at a wall and seeing what sticks. With credential-stuffing attacks, “everything” would be the username-password combinations, the “wall” would be the account log-in page, and “what sticks” would be a successful breach with a stolen username-password combination.
The attack technique can check hundreds of thousands, or even millions, of combinations at a time. If Blackfish works as Shape says it does, the technology would be able to detect a credential-stuffing attack, “see” the passwords being used in it, and stop it before a successful log-in.
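The "everything at the wall" pattern described above has a recognizable shape in a login log: one source trying many different usernames in a short window, almost all of them failing. The following Python is an added example, written for this article and not code from Shape or Blackfish, that scores constructed login records (the IP addresses and usernames are made up) and reports sources matching that pattern along with any accounts the burst did manage to log into, which are the ones a defender would force a password reset on. The thresholds are assumptions to tune per site.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# One login attempt: when it happened, where from, which account, and the outcome.
Event = namedtuple("Event", "when source user outcome")

# Constructed sample log, not real traffic. Format: timestamp source_ip username OK|FAIL
# 203.0.113.7 sprays six different accounts in ten seconds (credential stuffing);
# 198.51.100.23 is one user mistyping a password; 192.0.2.44 is a shared NAT.
SAMPLE_LOG = """\
2017-11-14T10:00:01Z 203.0.113.7 alice FAIL
2017-11-14T10:00:02Z 203.0.113.7 bob FAIL
2017-11-14T10:00:04Z 203.0.113.7 carol FAIL
2017-11-14T10:00:05Z 203.0.113.7 dave FAIL
2017-11-14T10:00:07Z 203.0.113.7 erin FAIL
2017-11-14T10:00:10Z 203.0.113.7 frank OK
2017-11-14T10:00:03Z 198.51.100.23 alice FAIL
2017-11-14T10:00:20Z 198.51.100.23 alice FAIL
2017-11-14T10:00:41Z 198.51.100.23 alice OK
2017-11-14T10:01:00Z 192.0.2.44 gina OK
2017-11-14T10:01:05Z 192.0.2.44 henry OK
2017-11-14T10:01:09Z 192.0.2.44 ivan OK
"""


def parse_line(line):
    """Parse one log line into an Event; the timestamp format is assumed."""
    stamp, source, user, outcome = line.split()
    when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return Event(when, source, user, outcome)


def detect_stuffing(log_text, window_seconds=60, min_distinct_users=5,
                    min_failure_ratio=0.7):
    """Return {source: stats} for sources whose attempts, within any
    window_seconds span, touch at least min_distinct_users accounts with a
    failure ratio of at least min_failure_ratio. Thresholds are assumptions."""
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_source[event.source].append(event)

    flagged = {}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.when)
        for i, start in enumerate(events):
            # Grow the window forward from this event while it stays inside the span.
            window = [start]
            for later in events[i + 1:]:
                if (later.when - start.when).total_seconds() > window_seconds:
                    break
                window.append(later)
            users = {e.user for e in window}
            failures = sum(1 for e in window if e.outcome == "FAIL")
            if (len(users) >= min_distinct_users
                    and failures / len(window) >= min_failure_ratio):
                flagged[source] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts the burst got into: candidates for a forced reset.
                    "successes": sorted(e.user for e in window if e.outcome == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for source, stats in detect_stuffing(SAMPLE_LOG).items():
        print(source, stats)
```

The distinct-username count is what separates stuffing from a single user fumbling a password, and the failure ratio is what separates it from a busy office NAT where many people log in successfully; in production both thresholds, and the window, need tuning against the site's normal traffic.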
Few companies have done research into the problem of credential stuffing, but a study by PayPal in 2011 found that 60 percent of respondents reused passwords. In 2016, a study by Keeper Security of 1,000 consumers indicated that the figure had jumped to 80 percent. And this year, the Verizon Data Breach Investigations Report said stolen passwords were responsible for 81 percent of hacking-related data breaches, up 18 percent over the previous year.
Shuman Ghosemajumder, Shape’s chief technology officer, says that while stolen passwords and the attacks they are subsequently used in present massive problems for the security industry, they are addressable. Blackfish, he argues, stops attackers using the most valuable stolen credentials—those not yet on the Dark Web.
“Blackfish is providing a kind of protection that isn’t possible, if all you’re doing is looking at data on the Dark Web. You still can’t download the entire corpus of the Yahoo breach from the Dark Web”—3 billion username-password combinations—to check for active account matches, Ghosemajumder says.
“You’ve got companies like Experian saying that they’re going through the Dark Web, and they want consumers to be aware of it, but they think cybercriminals aren’t? What we see on the Dark Web are rapidly atrophying credentials,” he says. “So the most valuable ones are the credentials that aren’t on the Dark Web yet.”
The Blackfish technology uses Bloom filters, a compact probabilistic data structure that can rapidly test whether the elements of a username-password combination are being used in a credential-stuffing attack.
Ghosemajumder says Shape’s credential-stuffing attack defense clients include three of the top four banks, two of the top five U.S. government agencies, four of the world’s top 10 airlines, and two of the top 10 hotel chains. He declined to specifically identify any of them.
Gartner analyst Tricia Phillips, who also has seen a Blackfish demo, says the technology could have a big impact, if Shape’s biggest-name clients, which “understand organized financial crime,” sign up for it.
Because so many people reuse passwords, Phillips says, these attacks are a “risk” not just for the organization that has been breached, but also “for every site” where the consumer has reused that username-password combination.
“What [Shape] is offering is the ability to neutralize that, and do it much faster than it’s been done,” she says. “Most tools are reactive, and we have to see the bad activity before we can stop it. This could be an important tool in the tool chest.”
Blackfish wouldn’t be the first technology that has promised to improve consumer security, Phillips notes.
“Shape has big clients facing big attacks,” she says. “Blackfish’s success will depend on whether they are able to use the data from it” to stop hackers.