A friend of mine who advocates against a form of health stigma has been targeted for many months by those who prefer to keep the stigma active. (Yes, there is pro-shame harassment in the world. Go figure.) The intensity of this opposition leaks way over from nasty email and social-media messages to account hacking.
While my friend has locked down all their accounts as tightly as possible, protecting the email address used for logins with two-factor authentication (2FA) and enabling 2FA on every other service that supports it, their problem is that they receive a continuous stream of email about login and password-reset attempts. Because of strong, unique passwords and 2FA, their accounts aren’t being hijacked.
But they wondered: Is there a way to remain protected without receiving a well-meaning onslaught of such emails? The short answer is no. Facebook, Google Mail, WordPress, and many other services remain naively predicated on the idea that nobody will see that many attempts by someone unauthorized to gain access to their account through a “forgot your password” link or similar.
On one of my Unix systems, every time I log in via SSH (secure shell, an encrypted terminal session), my server tells me something like, “There were 18348 failed login attempts since the last successful login.” That’s a legitimate number it provided for about a day’s worth of attempts since my previous login.
Google and some other firms will send a more targeted email when they recognize a suspicious login attempt based on location or other signals. But the general notion seems to be that an unsolicited reset email does no harm, because the reset will fail unless someone has access to the email address that receives it, and would still require a second factor or knowledge of several pieces of information about the individual. It might even require interacting with a real, live human being and sending over documents to prove one’s identity.
Meta-harassment
This flow of emails turns into its own form of harassment, and how bad it gets depends on how well a service tracks and locks out repeated attempts to reset a password, as opposed to just repeated bad attempts at logging in. While I haven’t tested this across many sites, it’s clear that some track reset attempts and stop allowing them after a while, a form of “rate limiting.” But I don’t think many flag this as bad behavior.
Leigh Honeywell, a security expert formerly at Slack and Microsoft, and just embarked on a fellowship at the ACLU, says of sites sending these emails, “If you rate-limit things too strongly, you potentially create a denial-of-service situation whereby legitimate users get locked out. If you don’t have sufficient rate-limiting, or it’s not very smart, you end up with users getting spammed.”
Sites could develop a number of approaches to reducing this problem, which likely affects a very small subset of users, but it is bound to grow, given the number of passwords (hashed or in plaintext) floating around out there for all of us from various large-scale database hacks and exfiltrations.
I highly recommend signing up for notifications from Troy Hunt’s Have I Been Pwned?, a site that tracks dumps of account extractions and will send you email if your address is found. At the moment, he has information relating to 3,156,688,847 leaked accounts, not all of which had passwords cracked.
Due to many people re-using the same password at multiple sites, hackers increasingly link together information from breaches. In fact, the latest list added to Hunt’s site, the Anti Public Combo List, contains nearly half a billion accounts with multiple passwords extracted from previous breaches and combined in one place.
So even if you use different passwords all over, an attacker might discover that you hadn’t changed the password for an email account that had been breached, then see whether a site will send a password-reset link to that email account they can now read. Your security at the site would be undermined by the breached email account elsewhere.
If you use backup email addresses at sites that allow it, you might still list a forgotten address from years before that could be compromised. Did you have an AOL, Hotmail, or other once-popular account? You might revisit all the sites that allow backup addresses to see what you have listed there.
As a result, my friend’s situation will be ever more common, and sites will need to step up. Using unique passwords for every account via 1Password or LastPass and enabling 2FA where available (which is on almost every popular service now) will definitely help you resist hijacking, but it won’t block these emails.
Honeywell also recommends a seemingly non-intuitive option: for sites that allow using a federated identity, like a Twitter, Google, or Facebook login, it might be more secure to put your eggs in those baskets. She notes, “Most sites on the internet have less-secure login systems than Facebook/Google/Twitter, so you don’t lose anything security-wise by relying on them for authentication.”
Changing the volume
You could use filters in your email program or webmail so that incoming password-reset announcements were dropped into a separate folder you could review later—and where you could find a legitimate request you made, when that happens. As Honeywell says, “That way you still see the evidence that they are happening, but they don’t clutter up your inbox.”
It should be a duty of sites to better manage this problem, although I can see that they don’t want to offer additional hoops to most users, as that might deter those visitors from using the site if they can’t easily reset a password.
With one service I use, Linode, which provides virtual servers, logging in with my username and password still requires validating my current IP address through an email round-trip. That means even were someone to obtain my username, password, and second factor, they would still be blocked without access to my email. But even Linode offers a forgotten-password link, after which you jump through hoops for access.
Sites could allow people who have sensitive jobs and need to control access better, or who are subject to recurring harassment, to opt out of straightforward password resets through email. They might, for instance, have to provide a second factor just to initiate the reset; that costs the user nothing extra, because with 2FA enabled they’ll have to present that factor after the reset anyway. Or a user could provide a limited set of IP addresses or ISPs (like AT&T and Xfinity) or even geographic regions as a way to reduce global assaults.
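To make the rate-limiting trade-off Honeywell describes and the opt-in hardening sketched above concrete, here is an added example of how a site’s reset endpoint could behave. It is illustrative code written for this article, not any site’s real implementation; the limits, the policy options, the account name and the IP addresses are all assumptions. It applies a per-source rate limit, stops mailing fresh reset links once the account’s inbox already holds a few unexpired ones, lets an account opt into an address allowlist or a second-factor gate before a reset can even start, and coalesces “someone tried to reset your password” notices into one digest per hour instead of one email per attempt.

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed limits for illustration; a real deployment would tune these.
WINDOW = 3600           # seconds over which requests are counted
PER_IP_LIMIT = 10       # reset requests one source address may make per WINDOW
PER_ACCOUNT_LIMIT = 3   # reset emails one account will be sent per WINDOW
DIGEST_INTERVAL = 3600  # at most one "attempts were made" notice per account per interval


@dataclass
class AccountPolicy:
    """Opt-in hardening a user could choose (hypothetical options, not any real site's)."""
    require_second_factor: bool = False                    # a 2FA proof must accompany the request
    allowed_networks: list = field(default_factory=list)   # ip_network objects; empty = no restriction


@dataclass
class Outcome:
    reset_email: bool   # a reset link was mailed to the account's address
    notice_email: bool  # a digest about blocked attempts was mailed
    reason: str


class ResetGate:
    def __init__(self):
        self.by_ip = defaultdict(deque)       # source address -> request timestamps
        self.by_account = defaultdict(deque)  # account -> timestamps of reset links sent
        self.suppressed = defaultdict(int)    # blocked attempts not yet reported in a digest
        self.last_notice = {}                 # account -> time of last digest

    @staticmethod
    def _count(q, now):
        """Sliding window: drop timestamps older than WINDOW, return what is left."""
        while q and q[0] <= now - WINDOW:
            q.popleft()
        return len(q)

    def _notice(self, account, now):
        """Coalesce notices: send one digest per DIGEST_INTERVAL rather than one
        email per blocked attempt. Returns True when a digest goes out now."""
        self.suppressed[account] += 1
        last = self.last_notice.get(account)
        if last is None or now - last >= DIGEST_INTERVAL:
            self.last_notice[account] = now
            self.suppressed[account] = 0   # the digest body would report the count just cleared
            return True
        return False

    def request(self, account, policy, src_ip, now, second_factor_ok=False):
        ip = ipaddress.ip_address(src_ip)
        if policy.allowed_networks and not any(ip in n for n in policy.allowed_networks):
            return Outcome(False, self._notice(account, now), "source outside account allowlist")
        if policy.require_second_factor and not second_factor_ok:
            return Outcome(False, self._notice(account, now), "second factor required to start a reset")
        if self._count(self.by_ip[ip], now) >= PER_IP_LIMIT:
            return Outcome(False, self._notice(account, now), "source address rate-limited")
        self.by_ip[ip].append(now)
        if self._count(self.by_account[account], now) >= PER_ACCOUNT_LIMIT:
            # The inbox already holds PER_ACCOUNT_LIMIT unexpired links (reset mail always
            # goes to the account owner, whoever asked). As long as those tokens stay valid,
            # declining to mail yet another one is not a lockout.
            return Outcome(False, self._notice(account, now), "account already has unexpired reset links")
        self.by_account[account].append(now)
        return Outcome(True, False, "reset link sent")


def simulate():
    """Constructed scenario: one source hammers the reset form 30 times in half an
    hour, then the real owner (on an assumed home range 203.0.113.0/24, with their
    second factor in hand) asks for a reset. Returns per-policy tallies."""
    home = ipaddress.ip_network("203.0.113.0/24")
    scenarios = {
        "open": AccountPolicy(),
        "allowlisted": AccountPolicy(allowed_networks=[home]),
        "second_factor": AccountPolicy(require_second_factor=True),
    }
    results = {}
    for name, policy in scenarios.items():
        gate, t0 = ResetGate(), 1_700_000_000.0
        tally = {"reset_emails": 0, "notice_emails": 0, "blocked": 0}
        for i in range(30):
            out = gate.request("victim@example.com", policy, "198.51.100.7", t0 + 60 * i)
            tally["reset_emails"] += int(out.reset_email)
            tally["notice_emails"] += int(out.notice_email)
            tally["blocked"] += int(not out.reset_email)
        owner = gate.request("victim@example.com", policy, "203.0.113.5", t0 + 1900, second_factor_ok=True)
        tally["owner_got_link"] = owner.reset_email
        results[name] = tally
    return results


if __name__ == "__main__":
    for name, tally in simulate().items():
        print(name, tally)
```

In the “open” scenario the attacker triggers only three reset emails and a single digest notice before the per-source limit stops them; the owner’s own request produces no new mail because three valid links are already sitting in the inbox, which is the point of limiting outbound reset mail rather than the reset itself. With an allowlist or a second-factor gate, the attacker never gets a single link sent, the owner still gets one on the first try, and the victim sees one digest instead of thirty emails.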
For now, my best advice is to stay the course and recheck accounts to make sure there’s no point of weakness. If you do set up a filtered mailbox, make sure you can see the count of messages in it, and check it regularly, even if just to mark all the messages as read.
Our current generally accepted system of accounts and passwords, even with 2FA as a way to lock down actual access, may not survive an increasing range of attempted attacks, much less actual hijacking.
Update: This article was updated with an interview with Leigh Honeywell.