After reading the article, I think it's more that people were tricked into [reusing passwords across websites instead of having a password manager and randomized passwords].
It's not on 23andMe, or anyone (other than the user) for that matter, to ensure the passwords used by the user are not copied passwords from other credentials.
Seems to me like passwords need to be regulated on a governmental level, but that's a can of worms of an idea that I am not ready to defend.
I mostly agree with you, but 23andMe could have prevented this by requiring 2FA for all accounts, or at least for accounts with an email in the HaveIBeenPwned database.
Credential stuffing is most preventable by the user (who can simply not reuse passwords), but platforms have a responsibility as well. They can at least mitigate it through rate limiting, and mostly stop it with 2FA requirements.
If an attacker is able to exfiltrate millions of records from a platform with credential stuffing, that means they tried to login to multiple millions of accounts. It shouldn't be difficult for a service to detect and stop such a sustained level of load on its login infrastructure. You can't get millions of proxies.
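The detection the comment above argues for, as an added example that is not part of the thread and not 23andMe's code: two checks over a constructed login log, one per source address (many distinct accounts failing from one place) and one global (many distinct accounts failing per minute, which still fires when the attempts are spread over many addresses). The log format, thresholds and windows are assumptions.

```python
"""Added example: spot credential-stuffing patterns in login logs.
The log format and all sample lines below are constructed for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <result>"
# 198.51.100.7: one user mistyping then succeeding (benign)
# 203.0.113.5:  one source trying eight different accounts in 14 s
# 192.0.2.x:    one attempt per address, six accounts in 25 s (distributed)
SAMPLE_LOG = """\
2023-10-01T12:00:00 198.51.100.7 alice FAIL
2023-10-01T12:00:20 198.51.100.7 alice FAIL
2023-10-01T12:00:45 198.51.100.7 alice OK
2023-10-01T12:01:00 203.0.113.5 bob FAIL
2023-10-01T12:01:02 203.0.113.5 carol FAIL
2023-10-01T12:01:04 203.0.113.5 dave FAIL
2023-10-01T12:01:06 203.0.113.5 erin FAIL
2023-10-01T12:01:08 203.0.113.5 frank OK
2023-10-01T12:01:10 203.0.113.5 grace FAIL
2023-10-01T12:01:12 203.0.113.5 heidi FAIL
2023-10-01T12:01:14 203.0.113.5 ivan FAIL
2023-10-01T12:30:00 192.0.2.10 judy FAIL
2023-10-01T12:30:05 192.0.2.11 ken FAIL
2023-10-01T12:30:10 192.0.2.12 leo FAIL
2023-10-01T12:30:15 192.0.2.13 mia FAIL
2023-10-01T12:30:20 192.0.2.14 nina FAIL
2023-10-01T12:30:25 192.0.2.15 oscar FAIL
"""


def parse(log_text):
    """Yield (timestamp, ip, user, result) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5), max_distinct_users=5):
    """Per-source check: return {ip: distinct accounts} for every source that
    failed logins for more than `max_distinct_users` different accounts inside
    any `window`-long span. A legitimate user fails on one or two accounts;
    a stuffing tool walks a list of many."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for ts, ip, user, result in parse(log_text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) > max_distinct_users:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


def global_failure_spike(log_text, max_accounts=5):
    """Global check: return {minute: distinct failed accounts} for every minute
    in which more than `max_accounts` different accounts saw a failed login,
    regardless of source address. This catches attempts spread across proxies."""
    per_minute = defaultdict(set)
    for ts, _ip, user, result in parse(log_text):
        if result == "FAIL":
            per_minute[ts.strftime("%Y-%m-%dT%H:%M")].add(user)
    return {minute: len(users) for minute, users in per_minute.items()
            if len(users) > max_accounts}


if __name__ == "__main__":
    print("per-source:", find_stuffing_sources(SAMPLE_LOG))
    print("global:", global_failure_spike(SAMPLE_LOG))
```

In production both checks would feed a rate limiter or step-up challenge rather than a print statement; the thresholds here are deliberately low so the small constructed log trips them.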
None of this is surprising. I was a sw engineer at 23andMe about 5y ago. Their backend consisted of some of the worst python/django spaghetti code I’ve ever worked on. There was also no engineering culture whatsoever.
> It's not on 23andMe, or anyone (other than the user) for that matter, to ensure the passwords used by the user are not copied passwords from other credentials.
In my opinion, it is, actually, on 23andMe. At my tiny startup, I implemented a simple check against Troy Hunt’s compromised password database.[1] If I can do it, 23andMe can.
If anyone reading this is in the business of making web apps and there’s literally anything of value behind your login, prioritize this mitigation. OWASP recommends it too. [2]
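The compromised-password check described in the comment above, as an added example that is neither the commenter's code nor 23andMe's: a k-anonymity lookup against the Have I Been Pwned "Pwned Passwords" range API, wrapped in a signup/password-change gate. The client sends only the first five hex characters of the SHA-1 hash; the full hash and the password never leave the server. The demo runs offline against a constructed stand-in for the breach corpus; the live fetcher, the `User-Agent` string, the timeout and the minimum-length rule are assumptions.

```python
"""Added example: reject passwords that appear in known breaches using the
HIBP range API (k-anonymity). The breach corpus below is constructed."""
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form HIBP indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_pwned(password: str, fetch_range) -> int:
    """Return how many times `password` appears in the breach corpus (0 = absent).
    `fetch_range(prefix)` returns the API body for a 5-hex-char prefix:
    one "SUFFIX:COUNT" entry per line. Only the prefix is sent out."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def hibp_range_fetcher(prefix: str) -> str:
    """Live lookup against the real HIBP range endpoint (not used offline)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-password-check"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the breach corpus so the example runs offline.
# Counts are made up; the two weak values are the ones mentioned in the thread.
_CONSTRUCTED_BREACHED = {"Hunter2": 1234, "passw0rd": 56, "password": 99999}


def fake_range_lookup(prefix: str) -> str:
    """Emulate the range endpoint over the constructed corpus."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def check_new_password(password: str, fetch_range=hibp_range_fetcher):
    """Policy gate for signup or password change: (accepted, reason).
    Minimum length follows NIST SP 800-63B; the breach check is the OWASP
    recommendation the comment refers to."""
    if len(password) < 8:
        return False, "rejected: shorter than 8 characters"
    count = is_pwned(password, fetch_range)
    if count:
        return False, f"rejected: appears {count} times in known breaches"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("passw0rd", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate, fake_range_lookup))
```

Swap `fake_range_lookup` for `hibp_range_fetcher` to query the real service; because only a 5-character prefix is transmitted, the lookup reveals nothing about which of the roughly one million matching hashes is yours.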
What I make my password should be entirely up to me, with the knowledge that if my data is stolen because I reused a password, it was entirely my fault.
I don't really think this needs to be regulated; government-standard guidelines are probably sufficient, with companies knowing that deviating will expose them more to litigation in the event of a problem.
Not trying to argue with you (I did read your last sentence), just tossing in another POV.
In this case, due to the "genetic relatives" feature, one user's choice to use poor security (e.g., "passw0rd") enabled the bad guys to get the data of other users who did use good security.
This is my personal take: People are sometimes tricked by natural human instinct into performing actions that give benefit to a simple human need ("it's just easier for me") at the detriment of higher-level outcomes (in this case, password security).
It's simply easier for me, as a human, to remember that my password for all websites is Hunter2, rather than spend the extra time, create a password manager account, store passwords, utilize best password management practices, etc. Not saying this is what I do, but for many people, this is how they remember their password(s).
Maybe I should have changed the "tricked into" to "trick themselves", but I'm just a human and this was easier for me.