On September 30th, 2019, the IT Security team at the University of Chicago (UChicago) identified suspicious activity on over 100 user accounts. As a result, they locked those accounts and forced those users to change their password. As we explain below, it turns out that every affected UChicago account was reusing a password that had also been used on Chegg, an education technology company that provides homework help, textbook rentals, and other student services. Just a few weeks earlier, a data breach of Chegg had become public. Chegg relied on unsalted MD5—an outdated cryptographic hash function—to store the passwords of their 40 million subscribers. Furthermore, they did not have a process in place for deleting old accounts [4].
This state of affairs raises many questions for system administrators and IT leaders trying to protect their organizations. How do threats from password reuse compare to threats from users choosing common, easy-to-guess passwords? For how long do accounts remain vulnerable? Out of hundreds of data breaches, how important is it to account for them all? How often do attackers appear to have exploited reused passwords, and what factors make them more likely to have done so?
Our full study [10] appears at the USENIX Security Symposium in August 2023. In this article, we summarize our key findings, focusing on recommendations and lessons for organizations trying to defend against attacks exploiting password reuse.
Accounts at our university are single sign-on accounts that provide access to a wide range of services, including email, payslips, academic records, and systems needed for staff, faculty, and students to do their work. When a student graduates or employee leaves, their account remains active with limited access (e.g., forwarding email and accessing tax and academic records). A few years ago, the university began requiring current faculty, staff, and students to use Duo two-factor authentication (2FA).
Starting with a list of roughly 225,000 usernames of accounts held by faculty, staff, and students at our university over the past twenty years, we searched over 450 individual service breaches and 12 breach compilations for credentials potentially associated with those usernames. Specifically, we looked for passwords associated with a university email address (e.g., [email protected]), having the same standalone username (e.g., blase), or having the same username as part of an email address with a different domain (e.g., [email protected]). When we found hashes, rather than plaintext credentials, we attempted to crack them. We then used four state-of-the-art methods to tweak credentials (e.g., monkey1 → Monkey1!). These modifications account for university affiliates using passwords that were similar to, but not exactly the same as, passwords used for other accounts. To compare the risk of password reuse to the risk of common passwords, we also used the LinkedIn individual service breach to generate thousands of the most common passwords to guess for all accounts, which included translating applicable common passwords to our context (e.g., LinkedIn2012 → UChicago2012).
Given the sensitivity of passwords and account security, our team carefully designed this research protocol collaboratively with numerous stakeholders at our university, including university leadership, the director of our institutional review board (IRB), the IT team, the alumni association, and more. Properly handling user data and minimizing risk to users were primary concerns. The experimental setup ensured that the IT Security team contacts were the only people that had access to the password history database and that the academic researchers never learned the identities of the users associated with correct guesses.
We correctly guessed 14,161 passwords contained in our university’s password history database. Reused passwords were a far greater vulnerability than common passwords. While 12,247 correct guesses exploited reused passwords, only 1,979 exploited common passwords; 65 correct guesses fell into both categories. This finding underscores the far greater risk posed by attacks leveraging reused passwords even if (as we did) common passwords are customized for the attacked service.
For passwords created during approximately the first 12 years of the password history database, the number of accounts that were using a password that we eventually guessed increased every year, as seen in Figure 1. In late 2014, however, the number of accounts with passwords we could guess started to decrease. This drop coincides with a change to the password policy at the university. Instead of requiring that passwords be at least eight characters long and use three character classes (e.g., upper case letters or symbols), newly created passwords needed to be at least 12 characters long with the same character-class requirements. The university had changed its password policies before, but the effect was not as pronounced on the number of accounts with guessable passwords.
Many accounts remained vulnerable for years. Of the passwords we guessed, the median time for which they remained valid was 6.2 years, with a maximum of 19.8 years. Figure 2 shows the full distribution of how long those passwords remained valid.
Figure 3 traces the top individual service breaches and all breach compilations temporally, showing the number of accounts active at a given time whose credentials were correctly guessed from that source. For example, five years after the LinkedIn breach was made public, roughly half of the affected accounts remained vulnerable. While the peak vulnerability to an individual service breach was often around when the breach occurred (and before it was made public), breach compilations were typically made public a few years after the peak in accounts using a related password.
| Breached Service | Date Breach Occurred | Potential Matches | Total # of Guesses Correct | Total # of Guesses Currently Valid |
|---|---|---|---|---|
| May 2012 | 195,110 | 2,433 | 533 | |
| Chegg | April 2018 | 108,702 | 1,938 | 498 |
| LiveJournal | January 2017 | 58,632 | 979 | 215 |
| Dropbox | July 2012 | 41,013 | 903 | 287 |
| MySpace | July 2008 | 1,976 | 767 | 108 |
| Twitter∗ | June 2016 | 74,970 | 396 | 124 |
| Last.fm | September 2012 | 626 | 217 | 17 |
| Neopets | May 2013 | 57,665 | 129 | 45 |
| Gmail∗ | January 2014 | 4,002 | 106 | 38 |
| Zynga | September 2019 | 3,998 | 106 | 38 |
| Coupon Mom & Armor Games∗ | February 2014 | 18,533 | 99 | 33 |
| Evony | June 2016 | 34,649 | 84 | 34 |
| Zoosk∗ | January 2011 | 73,527 | 64 | 24 |
| Fling | March 2011 | 67,915 | 62 | 23 |
| Canva | May 2019 | 3,971 | 49 | 13 |
| Stratfor | December 2011 | 5,149 | 44 | 15 |
| Brazzers | April 2013 | 4,457 | 40 | 11 |
| Yahoo | July 2012 | 4,251 | 40 | 7 |
| Wattpad | June 2020 | 4,655 | 39 | 16 |
| Mate1 | February 2016 | 40,675 | 39 | 10 |
| Forbes | February 2014 | 2,137 | 28 | 9 |
| Comcast | November 2015 | 3,073 | 26 | 10 |
| VK | January 2012 | 35,072 | 25 | 8 |
| *Not confirmed by the service provider; the leak may be from phishing. | ||||
| Breach Compilation | Date Released | Potential Matches | Total # of Guesses Correct | Total # of Guesses Currently Valid |
|---|---|---|---|---|
| 1.4B Breach Compilation | November 2017 | 1,561,449 | 7,715 | 2,301 |
| Collection #2 | January 2019 | 2,358,605 | 7,591 | 2,322 |
| Big Database Combo List | January 2019 | 2,307,980 | 7,499 | 2,295 |
| XSS.is 13B Account Leak | January 2019 | 2,112,070 | 6,960 | 2,104 |
| Anti Public Combo List | December 2016 | 1,428,024 | 5,366 | 1,576 |
| Collection #4 | January 2019 | 1,397,357 | 5,164 | 1,622 |
| Collection #1 | January 2019 | 883,075 | 3,591 | 1,153 |
| Exploit.In Combo List | October 2016 | 631,361 | 2,956 | 857 |
| Collection #5 | January 2019 | 621,260 | 2,595 | 843 |
| Collection #3 | January 2019 | 466,580 | 2,468 | 827 |
| AP MYR & ZABUGOR | January 2019 | 346,423 | 1,260 | 383 |
| Onliner Spambot | August 2017 | 1,550 | 436 | 82 |
Though 54.7% of correct guesses were based on verbatim reuse (exactly matching the breached password), the rest required password tweaking using previously published methods. The most successful password-tweaking strategies involved toggling the case of the first character (e.g., monkey → Monkey) or appending either “!” or “1” to the password. While we found that a recent deep-learning-based approach [11] produced the best ordered list of transformations “out of the box,” the heuristics-based methods [3, 14, 12] we tested may have been more successful than the deep-learning-based approach had their guesses been reordered.
These apparent compromises were most likely for exact email matches (i.e., a uchicago.edu email address was found in the breach) and verbatim reuse (i.e., the UChicago password was exactly the same as the one found in the breach). Specifically, 60.7% of the apparent compromises in our dataset were an exact email match whose password was found verbatim in plaintext.
| Date | # | Associated Breaches and Compilations (#) |
|---|---|---|
| 03/26/18 | 291 | 1.4B Breach (291), Anti Public (289), Big Database (289), Collection #2 (289), 1.4B Breach (291), Anti Public (289), BXSS.is 13B (281), Collection #4 (153) |
| 12/27/19 | 206 | 1.4B Breach (206), LinkedIn (180) |
| 09/30/19 | 134 | Chegg (134) |
| 08/28/15 | 125 | Big Database (117), Collection #2 (117), XSS.is 13B (117), Anti Public (110), 1.4B Breach (107), Exploit.In (95), Collection #1 (93), Collection #4 (90) |
| 06/02/20 | 115 | LiveJournal (115) |
| 03/09/21 | 113 | 1.4B Breach (59) |
To better understand users’ experiences, our university’s IT team facilitated a survey of a sample of users whose passwords we guessed. Among the 40 respondents, most were unaware of the risks to their university account. Several were not even aware they had an account on the breached site. With users not knowing their accounts are at risk, it becomes even more important for system administrators to take steps that will mitigate these vulnerabilities.
Protecting an organization from reused passwords is complex. A vulnerable password is specific to one user based on their credentials on other sites at any past or future time. Furthermore, prospective attackers often have far more information than system administrators. Attackers may know about a successful breach that system administrators may not hear about for years, or ever. Further, attackers may pool resources to crack hashes and reveal the plaintext needed for an attack, while the system administrator may be left only with uncracked hashes [2].
Based on our findings, we recommend that defenders take the following actions to proactively defend against attacks that leverage password reuse:
- Proactively check for compromised credentials both at account creation and subsequently
- Pay particular attention to organization-adjacent breaches (e.g., the Chegg and LinkedIn breaches for an educational institution)
- Do not ignore the long tail of individual service breaches
- Check for similar email matches and username matches, not only exact email matches
- Save computational resources by using heuristic tweaking algorithms, not those based on deep learning
- Crack hashes to protect against motivated attackers
- Implement processes to expire unused accounts
- Help users understand the risks of password reuse
- Consider moving away from user-chosen passwords entirely for online authentication
In recent years, researchers and practitioners have developed compromised-credential-checking tools. For instance, the Have I Been Pwned service [8] offers a Pwned Passwords API that many organizations use to check for compromised credentials. In fact, since 2019, our own university has used this API to check for compromised credentials when a user creates a password, as is typical. However, our study demonstrated that many vulnerable passwords were created at UChicago before a corresponding data breach was made public, or even before it occurred. This finding highlights the necessity of periodically checking existing credentials for compromises, which presents particular challenges for accounts that rarely log in.
From our study, we learned that adequately protecting user accounts requires accounting for multiple ways of matching users, tweaked passwords, and credentials that are only publicly available in hashed form. While exact email matches (@*.uchicago.edu) accounted for 4,585 users’ vulnerable accounts in our study, we matched an additional 6,951 users’ vulnerable accounts via email matches from non-UChicago domains, which differs from how Have I Been Pwned is often used and how prior work has typically investigated password reuse. Checking for password reuse with only exact email matches may not be enough to protect users from motivated attackers.
We also found through our small-scale survey that many users were unaware that their UChicago accounts were at risk due to password reuse. Some users were not even aware that they had accounts on the corresponding breached sites to begin with. These shortcomings highlight the need for improving communication with users. Chrome [13], Firefox, and Safari notify users if their passwords appear in a data breach. The Have I Been Pwned service, itself integrated with password managers, enables users to check for their appearance in a data breach. Supporting these efforts, academic work has sought to improve the usability of data breach notifications [6], but more work is needed.
Currently, though, the community seems to be at an inflection point in the transition to password-less authentication. For instance, the FIDO2 standard enables users to authenticate on the web using public key cryptography combined with local authentication, such as with a PIN or fingerprint, and these schemes are becoming increasingly usable [9]. Ideally, more organizations would move away from using passwords as the primary method of authentication, or even as a fallback method. Indeed, our university is planning to make the switch to passwordless authentication in the near future.
