Many consumers still rely on easy-to-crack passwords, Digital Shadows warns
A staggering 24 billion usernames and passwords are available on the dark web — a 65% increase in just two years, according to a new study by Digital Shadows.
Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found 6.7 billion unique credentials — an increase of about 1.7 billion, or 34%, over two years.
The threat intelligence firm's study (PDF), released on Wednesday (June 15), found that consumers continue to use easy-to-guess passwords.
For example, about 0.46% of all passwords – almost one in 200 – are “123456”. Keyboard patterns like “qwerty” or “1q2w3e” are also all too commonplace.
In response to questions from The Daily Swig, Digital Shadows said most of the credentials collected and analyzed in its report came from breached organizational databases whose password hashes were subsequently cracked and the passwords leaked on cybercrime forums. Credentials stolen through phishing attacks, often using specialized phishing kits, were another significant source.
Easy-to-use tools, available for minimal cost or free on criminal marketplaces, make it easy for even novice script kiddies to crack weak passwords.
Simply adding a special character (such as @, # or _) to a basic 10-character password makes it much more difficult to crack, and therefore much less likely that the user falls victim to an attack, since criminals will instead target accounts that are easier to crack.
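As an added illustration, not part of the Digital Shadows report or this article, the Python below shows a registration-time check that rejects the weak choices the article cites (“123456”, keyboard patterns) and quantifies how much a symbol enlarges the keyspace of a 10-character password. The denylist, the keyboard rows and the 10 billion guesses-per-second rate are constructed assumptions, not figures from the report.

```python
import math
import string

# Constructed sample denylist: the weak passwords the article cites plus a few other
# frequent choices. Not Digital Shadows' data; a real service would load a full
# breached-password list like the ones the report is warning about.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "1q2w3e", "111111"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def is_keyboard_walk(pw: str, min_run: int = 4) -> bool:
    """True if pw contains min_run adjacent keys from one keyboard row, in either direction."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for s in (row, row[::-1]):
            if any(s[i:i + min_run] in p for i in range(len(s) - min_run + 1)):
                return True
    return False


def charset_size(pw: str) -> int:
    """Size of the union of standard character classes needed to cover pw (non-ASCII ignored)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing entropy, assuming a uniformly random pick from the charset."""
    size = charset_size(pw)
    return 0.0 if size == 0 else len(pw) * math.log2(size)


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace offline; the guess rate is an assumed figure."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def assess(pw: str) -> str:
    """Denylist first, then keyboard patterns, then a keyspace estimate (threshold is a policy choice)."""
    if pw.lower() in COMMON_PASSWORDS:
        return "reject: appears in common-password list"
    if is_keyboard_walk(pw):
        return "reject: keyboard pattern"
    if entropy_bits(pw) < 60:
        return f"weak: ~{entropy_bits(pw):.0f} bits; add length or a symbol"
    return f"ok: ~{entropy_bits(pw):.0f} bits"
```

Running `assess("correcthor")` versus `assess("correcthor!")` shows the article's point: one appended symbol raises the charset from 26 to 58 and multiplies the worst-case cracking time by more than 100,000.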
Digital Shadows reports that the sale of stolen and cracked credentials remains a mainstay of revenue on cybercrime forums and marketplaces.
“Stolen credentials are one of the most important access tokens in a variety of operations by cybercriminals and state-sponsored groups,” Digital Shadows told The Daily Swig. “As such, the market for them is constantly buoyant and threat groups scramble to get their hands on these valuable assets.”
Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, said that despite industry attempts to move beyond passwords as an authentication mechanism, the problem of compromised credentials remains pressing – and only getting worse over time.
“Criminals have an endless list of hacked credentials to try, but compounding the problem are weak passwords, which means many accounts can be guessed in mere seconds with automated tools,” Morgan said.
Morgan added: “In the last 18 months alone, we at Digital Shadows have brought 6.7 million leaked credentials to our customers’ attention. This includes the usernames and passwords of their employees, customers, servers and IoT devices.
“Many of these cases could have been mitigated by using stronger passwords and not sharing credentials across different accounts,” they concluded.
In a blog post, Digital Shadows summarizes the results of its research and offers best-practice advice on password security.
Top tips include advising users to switch to a password manager and to add multi-factor authentication to their online accounts, so that a password alone (even if compromised) is not enough to gain access.