
How attackers hijack accounts with password-guessing

September 07, 2017
Brian Lesser
It’s crucial to make significantly different passwords for your accounts, not just variations.

This is the first article in a four-month series on how attackers hijack TMU accounts and what you can do to defend yourself.

By: Brian Lesser, Chief Information Officer

During a typical week, Computing and Communications Services (CCS) detects approximately one million attempts to log in to TMU accounts by guessing passwords. These attempts come from over 3,000 computers in 103 countries, and most are from automated systems. We know these are automated attacks because the login attempts arrive faster than any one person could type a username and password.
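As an added illustration (written for this article, not CCS's own detection logic, whose log format and thresholds are not described here), the script below applies the "faster than a person can type" test to a handful of constructed login-log lines in a hypothetical timestamp/source/username/result format. A source is flagged as automated when it makes more login attempts inside a 10-second window than a person could plausibly type, and any successful login from a flagged source is reported as a likely hijacked account. The window length and the attempt threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (hypothetical format, not CCS's real logs):
# "<ISO timestamp> <source IP> <username> <result>"
# 203.0.113.7 cycles four usernames at two attempts per second; 198.51.100.4 is
# one person mistyping a password twice and then getting it right.
SAMPLE_LOG = """\
2017-09-07T10:00:00 203.0.113.7 jdoe FAIL
2017-09-07T10:00:00 203.0.113.7 asmith FAIL
2017-09-07T10:00:01 203.0.113.7 blee FAIL
2017-09-07T10:00:01 203.0.113.7 mkhan FAIL
2017-09-07T10:00:02 203.0.113.7 jdoe FAIL
2017-09-07T10:00:02 203.0.113.7 asmith FAIL
2017-09-07T10:00:03 203.0.113.7 blee FAIL
2017-09-07T10:00:03 203.0.113.7 mkhan FAIL
2017-09-07T10:00:04 203.0.113.7 jdoe FAIL
2017-09-07T10:00:04 203.0.113.7 asmith FAIL
2017-09-07T10:00:05 203.0.113.7 blee FAIL
2017-09-07T10:00:05 203.0.113.7 mkhan FAIL
2017-09-07T10:00:06 203.0.113.7 jdoe SUCCESS
2017-09-07T10:02:10 198.51.100.4 rwong FAIL
2017-09-07T10:02:31 198.51.100.4 rwong FAIL
2017-09-07T10:02:58 198.51.100.4 rwong SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def peak_attempts_in_window(timestamps, window_seconds):
    """Largest number of attempts that fall inside any window of window_seconds (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_automated_sources(events, window_seconds=10, max_human_attempts=5):
    """Per source IP: attempt counts, distinct usernames, and whether the rate rules out a human.

    window_seconds and max_human_attempts are assumed thresholds: more than five
    username/password submissions in ten seconds is faster than a person types them,
    so anything above that is treated as automated.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        peak = peak_attempts_in_window([e[0] for e in evs], window_seconds)
        automated = peak > max_human_attempts
        report[ip] = {
            "attempts": len(evs),
            "peak_in_window": peak,
            "usernames": len({e[2] for e in evs}),  # many usernames => password spraying
            "automated": automated,
            # A success inside an automated burst is the signature of a hijacked account.
            "hijacked_accounts": sorted({e[2] for e in evs if e[3] == "SUCCESS"}) if automated else [],
        }
    return report


if __name__ == "__main__":
    for ip, stats in find_automated_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

One caveat a practitioner would add: per-source rate is only the first filter. Attackers spread their guessing across thousands of computers precisely so that each one can stay under a per-IP threshold, so a slow, distributed spray of popular passwords against many usernames also needs to be correlated on the target username and on the password-failure pattern across sources, not on the source alone.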

Unfortunately, despite our best efforts, password-guessing is one of the ways attackers successfully hijack TMU accounts. That’s because attackers don’t just try randomly-generated passwords.


Buying passwords

People often use similar passwords for their accounts on different websites. When user account information is stolen from other sites, it can compromise any accounts that share the same or similar passwords.

User account information has been stolen from sites like Yahoo, LinkedIn, Dropbox, Adobe, eBay and many others. The username and password information from these breaches is often for sale. Attackers will then buy passwords and try them out elsewhere.

For example, if a list of stolen passwords from a breach includes TMU usernames, why not try out those passwords at TMU?

If that doesn’t work, there are plenty of tools like John the Ripper that will generate similar passwords for guessing purposes. Say you sign up for a service using your TMU email and use a password like TOrontoRocks!. Attackers can then use software to generate thousands of variations like TorontORocks!, t0ronto!rocks and so on, and feed those into automated guessing attacks. It’s crucial to make significantly different passwords for your accounts, not just variations.
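The paragraph above describes mangling rules in the abstract. The added example below (written for this article; it is not John the Ripper's code or its rule set) implements a handful of rules of the same kind, namely inserting a symbol at a guessed word boundary, changing case, substituting leet characters, and adding common prefixes and suffixes, and derives from the password TOrontoRocks! the thousands of candidates an attacker would feed into a guessing run. The is_trivial_variation function turns the same rules into a check on whether a proposed password is "significantly different" from a known one. The specific rule lists are illustrative assumptions and a small subset of what real cracking tools apply.

```python
import itertools
import re

# Illustrative rule lists (assumptions; a small subset of what a real rule engine applies).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SEPARATORS = ["!", ".", "_"]                       # symbols pushed between the words
PREFIXES = ["", "!", "1"]
SUFFIXES = ["", "!", "1", "12", "123", "2017", "!1", "1!"]


def core_word(password):
    """Strip leading/trailing digits and symbols; the affix rule adds them back in every combination."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core or password


def boundary_insertions(word):
    """Insert a separator before each interior capital letter, a cheap guess at word boundaries."""
    out = {word}
    for i, ch in enumerate(word):
        if i > 0 and ch.isupper():
            for sep in SEPARATORS:
                out.add(word[:i] + sep + word[i:])
    return out


def case_variants(word):
    """Whole-word case rules plus toggling the case of any single letter."""
    out = {word, word.lower(), word.upper(), word.lower().capitalize(), word.swapcase()}
    for i, ch in enumerate(word):
        if ch.isalpha():
            out.add(word[:i] + ch.swapcase() + word[i + 1:])
    return out


def leet_variants(word):
    """Apply the LEET substitutions to every subset of the eligible positions."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for r in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, r):
            chars = list(word)
            for i in chosen:
                chars[i] = LEET[chars[i].lower()]
            out.add("".join(chars))
    return out


def variations(password):
    """Every candidate the rule pipeline derives from one known password."""
    out = {password}
    for w1 in boundary_insertions(core_word(password)):
        for w2 in case_variants(w1):
            for w3 in leet_variants(w2):
                for pre in PREFIXES:
                    for suf in SUFFIXES:
                        out.add(pre + w3 + suf)
    return out


def is_trivial_variation(candidate, known_password):
    """True when candidate is reachable from known_password by the rules above,
    i.e. it is a variation rather than a 'significantly different' password."""
    return candidate in variations(known_password)


if __name__ == "__main__":
    leaked = "TOrontoRocks!"
    guesses = variations(leaked)
    print(f"{len(guesses)} candidates derived from {leaked!r}")
    for proposed in ("t0ronto!rocks", "TorontoRocks2017", "correct horse battery staple"):
        print(f"{proposed!r}: {'variation' if proposed in guesses else 'different'}")
```

Passing this check is necessary but nowhere near sufficient: the rule sets shipped with real cracking tools are far larger than the four rules here and are run against every leaked password at once, so the only password that reliably survives is one that shares nothing with the leaked one, which in practice means a long, randomly generated password stored in a password manager.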

Have my accounts been hacked?

Troy Hunt, a web security expert, has created a site called Have I Been Pwned, where you can check whether an account you signed up for has been exposed in a security breach.

Try visiting the site and putting in your TMU email address (like blesser@torontomu.ca) to see what comes up. It turns out both my Adobe and LinkedIn accounts were exposed in breaches at those companies. I changed my Adobe account password and deleted my LinkedIn account. If the password you use at a compromised site is at all similar to your TMU password, you should change your TMU password too.


Popular passwords

If an attacker doesn’t have a password you’ve used in the past, they will relentlessly work their way through lists of millions of the most popular passwords.

Despite our best efforts to slow down automated password-guessing, it cannot be eliminated. Password-guessing works.

Protecting your TMU and personal accounts

The best defence against password-guessing and other attacks against your account is to use two-factor authentication, which provides an additional level of security for your TMU account.

You should also make sure your TMU password is long and unlike anything you’ve used anywhere else.

To protect both your personal information and TMU’s, find out how to set up two-factor authentication and how to maintain a good password.

In later articles in this series I’ll describe other ways attackers try to hijack your TMU account and what they can do with your account if they succeed.

This article was originally published in the Ryerson Works employee newsletter on September 7, 2017. It has been updated to reflect the new university name.