I wanted to write about attitudes on credential stuffing: whose responsibility it is, human behaviour, the technology ecosystem, and generally rant away as usual.
Every now and then a large org will fall victim to a credential stuffing attack. The users will have their data, and sometimes their position, abused for whatever the attackers wanted; the organisation in question will probably send out some comms and issue a mass reset, or a focused reset on the accounts in question; and you'll have people saying 'it's the users' fault for using shit passwords', or something to that effect. Now, I think users can do better, but it's unfair to lead with the idea that 'if it wasn't for the user using a static or easy password, they wouldn't find themselves in this position'. I know it's a little incendiary, but I'll say it: it's victim blaming, and a means to slow the real work that needs to be done to create a safer online experience.
Let's look at the variables
Applications that host users' data aren't always hosting it because the user asked them to; often they're hosting it so they can mine that data, sell it to third parties, or get you better adverts. Many applications may think it's in fact their data, but technically it's yours (yeah, whatever, GDPR). How many sites have you signed up to because you needed to (get that Garmin working, get that NVIDIA download, get that car firmware, whatever)? We sign up to sites we need because we have to, and in turn we don't always respect the site's desire for us to think of a strong password. The point here is I'm betting most readers have some 'good' passwords and some less-good passwords that they use depending on whether it's a site they care about or one they're just required to use. I'm also assuming there are some well-disciplined readers who love password managers or catting a uuidgen on demand; you can feel safe in your practices, but it's best to keep in mind that many aren't as disciplined as you.
I think it's fair to say that users are a variable, for all the wonderful reasons we're different and the same, and we should keep that in mind. So, we're halfway through 2022 and still having so many successful stuffing attacks?
Application owners, data controllers and processors (not users) are still propping up legacy systems, and legacy systems that aren't overtly broken don't often get fixed; they get managed. Most authentication flows online are subpar for privacy and inference, but many of the 'big' sites either enforce or request that you enable MFA, and that's not bad. But that legacy space is growing in the name of 'if it's not broke, don't fix it', when actually legacy systems and legacy authentication flows will attract legacy behaviour.
If you as an application owner allow weak passwords, there will be weak passwords.
If you as an application owner don't enable MFA by default, there will be very little adoption.
If you as an application owner don't suppress noise with WAFs, there will always be more chaos.
If you as an application owner do not give users a way to cross-reference their passwords against things like the HIBP password check, and guide them meaningfully into strong passphrases plus MFA, or better yet introduce magic links, CAPTCHA and web application firewalls to cut out the noise ... Application architecture has many common design patterns, good and bad. While we can acknowledge that users having crap passwords is as good as it sounds, we need to be more vocal and honest about what those hosted services are bringing to the table in terms of modern defence and modern, considered architecture.
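One way to give users that cross-reference at signup or password reset, as an added example that is not from the original post: the HIBP Pwned Passwords k-anonymity range lookup, where only the first five characters of the SHA-1 hash leave the server and the comparison happens locally. The range URL and the Add-Padding header are the real API's; the sample range body, the counts in it, the User-Agent string and the 12-character minimum are constructed assumptions for this example.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to HIBP
    and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padded entries (count 0) are harmless."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count.strip() or 0)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup of one hash range (needs network). Add-Padding hides the
    true number of entries from anyone watching the response size."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "example-signup-check"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

def password_is_acceptable(password: str, fetch=fetch_range, min_length: int = 12) -> bool:
    """Signup/reset policy (assumed): long enough and never seen in a known breach."""
    return len(password) >= min_length and breach_count(password, fetch) == 0

# Constructed sample range body for prefix 5BAA6 (the prefix of SHA-1("password"));
# the suffixes and counts are made up for this example, not real API output.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    "00000000000000000000000000000000000:0\n"
    "ABCDEF0123456789ABCDEF0123456789ABC:2\n"
)

def sample_fetch(prefix: str) -> str:
    """Offline stand-in for fetch_range so the example runs without network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
```

Call `password_is_acceptable(candidate, fetch=sample_fetch)` to try it offline, or drop the `fetch` argument to query the live API.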
On that, I'm assigning the ownership and responsibility to improve as a 20/80 split between users (20) and businesses (80).
Remember, users are variable, but you do have a few chances to control this space; UX is as important as the security requirement.
Here's a nice link around simple magic links.
And if you're concerned about user privacy, inference and scraping of that data, I'd recommend this link too.
Is your app or infrastructure supporting legacy user behaviour?