It's just another day on the internet when the news is full of headlines about accounts being hacked. Yesterday was a perfect example of that with 2 separate noteworthy stories adorning my early morning Twitter feed. The first one was about HSBC disclosing a "security incident" which, upon closer inspection, boiled down to this:

The security incident that HSBC described in its letter seems to fit the characteristics of brute-force password-guessing attempts, also known as a credentials stuffing attack. This is when hackers try usernames and password combos leaked in data breaches at other companies, hoping that some users might have reused usernames and passwords across services.

The second story was about a number of verified Twitter accounts having been "hacked" and then leveraged in Bitcoin scams. On the face of it they're pretty similar stories with both resulting in unauthorised access to a small percentage of the respective organisations' user accounts. Like the quote in the HSBC article above, Occam's Razor (the simplest solution tends to be the correct one) would suggest that the Twitter situation has the same root cause: people choosing poor passwords which they then reuse across services and attackers then use those exposed in one location to break into accounts in another location. If that was the case, the "hack" would not constitute some sophisticated exploit of vulnerable code as the term suggests to many people, rather it's made possible due to the victim's choice of password. As such, I proposed the headlines as they stood were likely inaccurate:

Let’s stopped saying “hacked” in the news headlines and start saying “used a shit password” instead! https://t.co/3t8ILkWNrc — Troy Hunt (@troyhunt) November 6, 2018

Now, for the most part there was much support for this and clearly very many likes. But there was also a theme that popped up that needs addressing, and it boiled down to this:

You're victim blaming. Stop victim blaming.

Yes, I am and no, I won't. This issue - the one that implies there's no responsibility on behalf of the victims in these incidents - needs addressing because frankly, it's an absolute cop out. I'll come back to that but firstly, let's all agree on who has a role to play here:

The person breaking into the account The organisation responsible for the accounts The account holders themselves

Let's talk about the responsibility of each and we'll start with the attacker. Without doubt, blame lies with them. Their activity not only causes harm to the next two roles in the list, it's outright illegal and in cases like the two stories above, there's a good chance it'll end in jail time if they're caught. Their actions are selfish, malicious and should be punished.

The organisation also has a role to play and some blame must lie with them for facilitating the account takeover. In fact, the FTC in the US has been very clear about this: if customer data was put at risk by credential stuffing, then being the innocent corporate victim is no defence to an enforcement case. I'm sympathetic to the organisation because it's a hard problem to solve (stopping an attacker who fronts up with a victim's legit credentials), but this is today's reality of managing online accounts.

And then there's the account holder, the one who chose the password. The one who - assuming a credential stuffing attack - used that same password somewhere else. It's not just reused but almost certainly also weak by any reasonable definition of the term; of the 517M passwords I manage in Pwned Passwords, they overwhelming meet this definition and I'm using precisely the same sources as attackers are to break into services like HSBC and Twitter. (Incidentally, one of the reasons they're weak is that many come from successful hash cracking exercises against data breaches such as Linked in which stored them as SHA-1. Whilst that may now be a totally unsuitable means of storing passwords, strong ones not previously seen before - such as my own which is in that breach - still aren't getting cracked.)

The account holder is the victim but they must also share the blame. They made a decision of their own free volition which put them at risk and now they're suffering as a result. To suggest that somehow "victim blaming" is a bad thing is an absolute falsehood when their actions enabled the outcome. I just can't wrap my head around why anyone would think that people should be able to take whatever shortcuts they want with their personal security and somehow, magically, have absolutely no responsibility whatsoever for the outcome.

At this point, I want to make a tangential comment on this term "victim blaming" because if I don't it will inevitably be raised in the comments: in no way shape or form is the term used in the way it has been above analogous to how it's often applied to victims of sexual assault. In doing a bit of reading, apparently the coining of the phrase originally related to racism and you'll find that Wikipedia article full of references to rape, hate crimes and domestic abuse. Clearly, these are fundamentally different situations to people's choice of password and any attempts to draw parallels between them will almost certainly be a terrible IRL analogy attempting to explain a digital concept. Let's not go there, it's a much more serious and fundamentally different proposition to using your cat's name as a password.

The problem with the term "victim blaming" is the willingness for people to misappropriate it from the origins discussed in the previous paragraph and apply it to cases where victims do indeed have blame to wear. If I crash my car after driving like a lunatic, I am both a victim and worthy of blame. If I pat the poisonous things in my Aussie back yard and get bitten it's the same again. DON'T PAT THE POISONOUS THINGS! My kids understand this, why are some adults struggling with the cause and effect of poor password choices? I'm not trying to go down that poor IRL analogy path myself, but rather demonstrate that the words "victim" and "blame" are not mutually exclusive by any reasonable definition of the words.

The issue I continually came back to when reflecting on the hacking "victim blaming" comments was that they implied people were not responsible for the personal security decisions they made. That somehow, those decisions wouldn't influence the outcome of an attack because if they did - if they had the ability to make conscious decisions on their own behalf - they could make both good and bad decisions. You just can't have it both ways where on the one hand the victim blaming brigade says "you should focus on educating people so that they're able to make good decisions" but then on the other hand say "nobody should ever be accountable for making bad decisions". That's just not how life works and furthermore, it's not consistent with what the vast majority of people believe:

If someone creates a weak password and then reuses it across multiple services, do they have any responsibility if one of their accounts is then compromised via credential stuffing? — Troy Hunt (@troyhunt) November 7, 2018

Just in case you're reading this before that poll wraps up, at the time of publishing it was showing 83% of people agreeing that at least some responsibility lies with the person making the decision about their own personal security posture. Clearly, I'm with the masses here: we all have the ability to make decisions that impact our security posture and I'm going to keep doing my utmost to help educate people about how to make the best possible ones. But when they don't, I'm also going to tell them to take responsibility for their actions and even as a victim, acknowledge some fault.

Despite an overwhelming majority of respondents to that poll agreeing with my stance, there was still much "robust" discussion to the contrary. It's worth reading and even though I don't agree with much of it, I appreciate the perspectives being shared. A common theme that emerged was "but people don't understand password security so they can't be responsible". I vehemently reject the premise that not understanding something becomes a get out of jail free card. Further, I counter with the suggestion that pretty much everyone creating online accounts has at least some understanding of the basics; that passwords shouldn't be easily guessable and you shouldn't use the same one everywhere. That doesn't necessarily mean that they adhere to those principles, but let's not pretend that you can go through online life without ever seeing password rules on a website or being told that the one you just entered "isn't strong enough". Further to that, the terms and conditions we abide to when using online services agree. For example, here's Twitter's terms of service:

You are responsible for safeguarding your account, so use a strong password and limit its use to this account. We cannot and will not be liable for any loss or damage arising from your failure to comply with the above.

So Twitter isn't responsible for someone's poor password practices, the person with the poor password practices is! Here's Amazon's ToS:

You are responsible for maintaining the confidentiality of your account and password and for restricting access to your account, and you agree to accept responsibility for all activities that occur under your account or password.

Who's responsible? The person creating the password! Just like on Google as well:

To protect your Google Account, keep your password confidential. You are responsible for the activity that happens on or through your Google Account.

And just before you chime in via the comments below, remember that when you login to Disqus to do so, you're solely responsible for your choice of password:

You are solely responsible for the activity that occurs on your account, and you must keep your account password secure. We encourage you to use “strong” passwords (passwords that use a combination of upper and lowercase letters, numbers and symbols) with your account.

Now I'm not suggesting that people actually read terms of service (they almost certainly don't), but if push comes to shove and your Twitter or Amazon or Google or Disqus account is compromised by precisely the means presented in that earlier poll, you are responsible and like it or not, you agreed to be. None of these terms say "you are responsible but if you don't understand passwords very well then that's cool, you're not responsible any more"! That's just not how any of this works.

Finally, I want to touch briefly on our responsibility to help lead people creating accounts down the path of success. We need to get better at designing systems that are more resilient to credential stuffing attacks (companies like Shape Security are focused on this), better at helping people make good password choices at signup (for example GitHub's use of Pwned Passwords) and better at educating individuals about tools like password managers (1Password has a heap of great consumer-facing content). We should drive the adoption of multi factor auth but also recognise its limitations (particularly for the less technically adept), and we should provide those who have a harder time with technology viable alternative such as password books. Let's work more towards equipping everyone with the knowledge to make good security decisions and recognise that everyone is empowered to do so.

So by all means, call it victim blaming if you must, but when applied to making poor security decisions of the kind discussed above, the responsibility is a shared one.

Edit: I expanded on this further verbally in my weekly update the following day. It's worth a watch, particularly if you've made it here and disagree with my position on this as the video does a much better job of conveying sentiment IMHO.