Credential-stuffing defence tech aims to defuse password leaks

A system that aims to identify stolen passwords before breaches are reported or even detected was launched on Tuesday. Shape Security's Blackfish credential defence system is designed to detect the use of stolen usernames and passwords by criminals in real time. The technology is a mechanism for organisations to identify …

  1. Anonymous Coward

    Is it me ?

    Or is there a simple solution of allowing 3 - maybe 4 wrong guesses per hour per account ? Or per connection ?

    1. Anonymous Coward

      Re: Is it me ?

      Rate limiting per account - the intent is to try each compromised user/password pair once per service / website to see if it sticks, so this wouldn't work. If it sticks (i.e. works) the account can then be sold as valid or of course plundered by the crims themselves.

      Rate limiting per client - they use botnets to distribute the validation process. Also more common now where an authentication API exists that is designed for machine to machine communication this can be legitimately used in a programmatic manner, so again hard to stop.

    2. Ken Moorhouse

      Re: Is it me ?

      Problem with a per connection block is that each login attempt tends to be from a totally different IP due to the number of zombies harnessed to do this work. Setting up a freeze on an account basis tends to lock out the legitimate user.

      Plugging passwords into a site to determine how secure they are is not a good idea either IMHO. The IP address of the query can be associated with the request and reverse look-ups can enable a hacker to work out who the user is.
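The pattern the two replies above describe (each leaked pair tried once per site, every attempt from a different zombie address) is exactly what per-account and per-IP limits never see. As an added example, not from the article or any commenter, here is a small Python detector that contrasts that per-key view with a fleet-wide view over a constructed auth log; the log format and thresholds are assumptions:

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user ip ok")

# Constructed sample log ("timestamp user ip result"): one attempt per
# account, each from a different address, as in a stuffing run. The
# trailing lines are a legitimate user logging in later.
SAMPLE_LOG = """\
2017-11-14T10:00:01 alice 203.0.113.10 FAIL
2017-11-14T10:00:02 bob 198.51.100.7 FAIL
2017-11-14T10:00:03 carol 192.0.2.44 FAIL
2017-11-14T10:00:04 dave 203.0.113.99 FAIL
2017-11-14T10:00:05 erin 198.51.100.200 FAIL
2017-11-14T10:00:06 frank 192.0.2.9 SUCCESS
2017-11-14T10:00:07 grace 203.0.113.77 FAIL
2017-11-14T10:00:08 heidi 198.51.100.3 FAIL
2017-11-14T10:00:09 ivan 192.0.2.120 FAIL
2017-11-14T10:45:00 alice 203.0.113.10 SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return events

def max_failures_per_key(events, key, window):
    """Classic limiter view: the most failures any single key (an account
    or a source IP) accumulates inside one sliding window."""
    fails = sorted((e.ts, key(e)) for e in events if not e.ok)
    best = 0
    for i, (ts, k) in enumerate(fails):
        best = max(best, sum(1 for t2, k2 in fails[i:] if k2 == k and t2 - ts <= window))
    return best

def detect_spray(events, window, min_fail, min_users, min_ips):
    """Fleet view: return the start of the first window holding many
    failures spread across many distinct accounts AND many distinct IPs,
    even though every account and IP stays under any per-key limit."""
    fails = sorted((e for e in events if not e.ok), key=lambda e: e.ts)
    for i, start in enumerate(fails):
        bucket = [e for e in fails[i:] if e.ts - start.ts <= window]
        if (len(bucket) >= min_fail
                and len({e.user for e in bucket}) >= min_users
                and len({e.ip for e in bucket}) >= min_ips):
            return start.ts
    return None
```

On the sample, no account or IP ever exceeds one failure per hour, so a "3 or 4 per hour" rule fires nothing, while the fleet view flags the burst at 10:00:01.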

  2. Anonymous Coward

    Sounds like a few outfits already do this. Hacked-db and infoarmor are two that come to mind, both have real-time alerting for domain and/or individual credentials theft... can't exactly see how it differs from their offerings...

  3. Anonymous Coward

    Seems very counter-productive to me...

    The main problem is that the whole thing works after the fact. Not only that, it also introduces a whole new heap of possible security risks. After all: for this to work a company would have to send them their collected data. Here's hoping that they don't hire a secretary using a Windows 95 machine who gets charged with "sending the zip file over". Yah, just too bad that the machine suffered from a DNS spoof.

    But as said: this works after the fact. So someone registered, their password matched, then what? Asking the user to change their password next time they log on? It's most likely already too late by that time (depending on the kind of service of course). Or what if this service got it wrong? Then you're basically scaring your potential customers over nothing.

    Yet most of all I can't help thinking that this only provides a security ruse. After all: more sensitive data gets transmitted, which opens more room for abuse, and the end result is practically negligible.

    The only thing which helps is to get users to stop re-using their passwords. But good luck with that!

  4. Doctor Syntax

    "The only thing which helps is to get users to stop re-using their passwords."

    There is one thing that businesses could do to help themselves. Stop specifying the customer's email address as the user ID. As most people only have one email address the hacker doesn't have to guess both ID and password.

  5. EnviableOne

    Troy would be a little standoffish; he has a database of over 330 million passwords that were in the breaches on hibp, and an API to check against them too.

  6. Anonymous Coward

    With sites like Virgin Media (password 8-12 letters, no characters or spaces),

    how do you keep it safe when you are limited as to what you can use?
