Profile picture
PasswordResearch.com
@PwdRsch
, 9 tweets, 2 min read Read on Twitter
Presentation: Leveraging Users' Engagement to Improve Account Security, by Amine Kamel (@dontlivetwice), Head of Security at Pinterest.
Pinterest pulls in leaked password data from providers or pastes and finds email addresses that match their users. Then the leaked plaintext passwords are hashed and compared to their user hashes. Any matches and they tag the account as a high risk user (HRU).
They assess action needed with new login to HRUs, in hopes of only logging out users who may be actively targeted by attackers. Pinterest looks at factors like source device and IP to further gauge whether it has known history with the valid user or not.
If login comes from untrusted source they then invalidate all active sessions, email user explaining the risk, provide an account recovery link, and prompt them to turn on 2FA. Users who are notified are actually more likely to engage in 2FA enrollment than the average user.
Pinterest invalidates sessions and forces password resets to protect high risk users an average of 5,500 times per day, or 170,000 times a month, with activity spikes correlated with credential stuffing attacks.
Users who don’t generate new logins are still prompted that their password was stolen in a third-party breach. Pinterest ‘nags’ them with an on-screen banner to change their password to something more secure, or to move to using a social login (e.g. Google/Facebook) instead.
They report a 20% engagement rate with users who see the 'password stolen' nag. Many of these users just choose to change their password, with an average of 1,200 per day. Around 1,000 per day migrate to using a Google login and 900 to a Facebook login instead.
So it looks like Pinterest automatically protects more users against active attacks per day, but around 36% of the at-risk users are able to protect their own accounts without being logged off and put through an account recovery process.
Also @PasswordStorage it is mentioned in this presentation that Pinterest uses Bcrypt. Unfortunately I didn’t find evidence that they publish this elsewhere on their site.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to PasswordResearch.com
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @PwdRsch see all

Profile picture
PasswordResearch.com
@PwdRsch
Researchers asked 43 freelance developers to code the user registration for a web app and assessed how they implemented password storage. 26 devs initially chose to leave passwords as plaintext. [PDF] net.cs.uni-bonn.de/fileadmin/user…
Those devs were then asked to rewrite their code to 'store passwords securely.' Overall here are the methods of password storage chosen by the developers:
8 - Base64
3 - AES
3 - 3DES
10 - MD5
1 - SHA-1
5 - SHA-256
5 - PBKDF2
7 - Bcrypt
1 - HMAC/SHA1
Base64 is not a 'secure' solution, but some devs seemed to think so, with one saying "it is very tough to decrypt." Only 3 devs implemented salting along with MD5, SHA-1, SHA256, HMAC-SHA1.
Read 5 tweets

Related threads

Profile picture
Malavika Jayaram
@MalJayaram
For those who asked, here's a quick recap of my comments from the plenary on 'A #Data Driven World – Can we Ensure #Privacy?' at @OECD #GoingDigital. 1. Innovation is not in opposition to privacy: innovation *in* privacy is a huge opportunity, and a competitive advantage. 1/n
2. Framing and narratives matter. Seeing #data only as an asset (oil, gold, currency, etc) ignores implicit risks. Also seeing it as radioactive (with a half-life), an externality, a ticking time bomb, a liability, etc helps to locate it in a larger ecosystem. 2/n #GoingDigital
3. To a tech hammer, every socioeconomic problem looks like a tech nail. Informational asymmetries and power imbalances require attention to complex structural issues, not just on deployment of one size fits all tech solutions in a box. 3/n #GoingDigital
Read 9 tweets
Profile picture
Chad Loder ❇️
@chadloder
This is the best thing on Twitter this morning. I see too many security products trying to *replace* human-to-human interaction - there’s a good chunk of security and privacy that’s about *people*.

Let’s make more products which help people STOP, collaborate, and listen 😝
Forgetting about the “people” part of security is why we’ve heard “GRC is dead” for the last 10 years. We’re on “GRC 4.0” now and it *still* sucks.

GRC tools like Archer are designed for Process and Technology but forget about the poor People who have to use that dumpster fire.
We still have new vendors trying to design single-pane-of-glass “CISO dashboards”, meanwhile *very* few security companies are truly focused on people (not just security people) inside of organizations.

@duosec is one of the few companies who has focused on people. @habitu8 too
Read 10 tweets
Profile picture
Chad Loder
@chadloder
We have a huge credibility problem in information security and it's time we addressed it. We #infosec experts spend too much time asking "How do we get users to care more about security?" - and not enough time asking "How do we get security to care more about users?"
We give security advice without considering the impact to users in terms of cost, time, complexity, and risk of harm. A perfect example is "Turn on #2FA everywhere". It's #2factortuesday, right? I'm a fan. We spend endless hours debating whether SMS-based 2FA should ever be used.
Meanwhile we've spent ZERO time educating users on the risks of harm with #2FA. Namely, the risk that they could lose access to their account. The recovery procedures for 2FA-protected accounts are nearly impossible for average users. How honest are we about this with users?
Read 8 tweets
Profile picture
UCCat20
@UCC_Official
UCC had opportunity to comment on the #Data.Protection & Privacy Bill. The enactment of this law is long overdue. A comprehensive law on the collection & processing personal information gives effect to the right to Privacy envisaged under Article 27(2) of the Constitution
UCC welcome the protections offered by the Bill in terms of export of data, breach notification requirements, data subjects access rights, automated decision making, compensation and the right to be forgotten and provision for financial and penal sanctions for breach of the law.
Distinction between Data collectors & data controllers.
The Bill should however clarify & distinguish Data Collectors, from Data Processors & Data Controllers. Clause 2 is inconsistent with international good practice which provides for two broad categories of Data Controllers
Read 17 tweets
Profile picture
Pwn All The Things
@pwnallthethings
This is a bad take.
It's been long known that SMS based 2FA is weak and actively targeted by criminals. zdnet.com/article/two-fa…
We also know 2FA based on codes (eg SMS based 2FA) aren't strong against phishing attacks that trick you into revealing your passcode, because the phisher can also trick you into revealing your 2FA code.

E.g. see this graphic here describing APT28 (Russian Intel) doing that:
Read 6 tweets
Profile picture
Sizhao Yang
@zaoyang
1/ How will computation be affected by crypto?
2/ First, we have to see what is the underlying mechanics behind centralized and decentralized computing.
3/ The history of computers come from the inventor Alan Turing, who formalized a Turing machine, which means that theoretically this machine can calculate anything from a "program" which will execute its instructions from a "stored program"
Read 32 tweets

Trending hashtags

#songsstuckinmyhead #PMBAtWork #S3 #EBS #PokemonGo #migration #mentaltoughness #playstore #WeGoOneWeGoAll #data #ODSCWest #VisionZero #FeBuhari #A2J #MondayMotivation #talent #change #PMBPYO2019 #Gambia #Software2point0 #blockchain #datascience #infrastructure #Phishing #PatriotsFight
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!