
> The vast majority of password leaks we've seen over the past decade have been due not to malware but rather server compromises.

Something to consider is that malware-based compromises of personal systems don't raise as much brouhaha as corporate-level compromises.



My statement is based not on frequency of news, but rather on my understanding of the provenance of passwords in password lists. The vast majority of passwords in password lists are sourced from service hacks, not from user malware. And that makes sense. Malware events net maybe thousands of user passwords? On a good day maybe 100k. But hacks of major services like LinkedIn ... those yielded hundreds of millions of passwords. The two just don't compare in magnitude. Remember that HIBP's list is sitting at something like half a billion password combos right now.


One thing to note is that a remotely-compromised computer gets you access to the actual browser session and not solely to the password. In fact, most of the time the user has already logged in, and so the session is accessible but the password isn't (users without password managers have no persistent store, and password managers try to keep the secrets encrypted except when the master password has been recently typed).

So it's not often useful to take a password from an individual user and put it in a password list, but it is often useful to maintain persistence on their machine. Tools for doing that (RATs) are definitely common, both from random internet attackers and from e.g. angry exes with physical access to your device. But those aren't the attacks that e.g. HIBP is interested in, so if you're looking at data from people interested in password compromises, the effect is that you'll undercount client-side compromises.


At the height of gold farming, when hacking WoW accounts was very profitable, half our guild was individually hacked over a six-month period. Normally it's much harder to detect a password being leaked, but it was really noticeable, and hardware/cellphone tokens made a huge difference.

So, I suspect the reverse is true, with standalone PCs being more likely to be compromised; what makes this less noticeable is that it's harder to automate extracting value from those hacked accounts beyond sending Gmail spam etc.

PS: This is also why cryptocoin software on users machines is basically a non starter.


> Malware events net maybe thousands of user passwords? On a good day maybe 100k.

You are underestimating how much malware there is out there, both on desktop and mobile. There are probably botnets that consist of >100k compromised machines.



