JPCERT/CC Eyes

Konnichiwa, this is Kaori at Global Coordination Division.

On September 17^th, JPCERT/CC and Information-technology Promotion Agency (IPA) of Japan have jointly issued a notice to raise public awareness to refrain from using a single password for multiple online services. On the same day, JPCERT/CC, as our sole initiative, has launched a local campaign to further promote this practice by having the enterprise supporters to directly encourage their users.

This password handling practice might sound pretty much the norm for those engaged in cyber security, but let me share with you today on what is lying behind these efforts.

Increase of “password list-based attack” in Japan

Since 2013, we have been observing continuous increase of the unauthorized login to online services by so called the “password list-based attack”. This attack is conducted by criminals after they gain an access to one account – they attempt to compromise other accounts with the password they obtained in advance. Unlike “brute force attacks” which are conducted by randomly guessing passwords until you get it correct, this attack is more efficient as it lets an attacker to log in with just fewer login attempts per account.

Figure 1. Number of Japanese companies affected by “password list-based attack”

Note: Counting only those who officially announced publicly on the attack

Source: JPCERT/CC

I am not so sure whether this type of attack is detected in other economies. It is assumed that a number of IDs and passwords of Japanese online service users have fell into the hands of criminals to conduct automated login attempts to various services.

Statistics and survey result regarding the attack

Figure 2 below shows the number of unauthorized login attempts to online service accounts hosted by 7 Japanese companies and the number/percentage of “successful” logins by such attempts.

 Figure 2. “Password list-based attack” attempts

Note: The percentage of the successful unauthorized logins has been calculated by JPCERT/CC

Source: JPCERT/CC (by reference to open source news/releases)

A survey report published by IPA in August 2014 reveals that about 1/4 of the interview responders are using single password for multiple online financial services. What makes them do so? More than 60% answered “to avoid the risk of forgetting the password.”

Managing multiple passwords

Picking multiple passwords could keep us safer. But it is not easy to memorize them all. JPCERT/CC and IPA suggest as follows in order to cope with it:

(1)   Keep your passwords listed…

1. On a sheet of paper

It will be more secure if you write down your ID and password on a separate sheet of paper. On the assumption that you might lose the paper, you can get a little creative to write it down in a way that others cannot understand.

b. On a (password locked) electronic file

c. By using trustable password managing tool

(2)   Make good use of the extra security features

1. Login notification
2. Login history checker
3. 2-step verification
4. One-time password (OTP)

Are you observing this type of attack in your economy? Are there suggestions to prevent and/or mitigate it? What could be the best way to keep your passwords safe? Your comments and feedbacks are welcome!

-        Kaori Umemura