Researchers at Digital Shadows report having collected over 24 billion usernames and passwords from the dark web – an increase of 65% in just two years. Even after removing duplicates, they still found 6.7 billion unique credentials, an increase of 34% in just two years. Excerpts:
- We collated more than 24 billion compromised credentials.
- Approximately 6.7 billion credentials had a unique username-and-password pairing.
- The most common password, 123456, represented 0.46 percent of the total of the 6.7 billion unique credentials.
- Information-stealing malware persists as a significant threat to your credentials. Some of these tools can be bought for as little as $50, and some go for thousands, depending on functionality.
- 49 of the top 50 most commonly used passwords could be cracked in less than a second. Adding a special character to a basic ten-character password adds about 90 minutes to that time. Adding two special characters boosts the offline cracking time to around 2 days and 4 hours.
Only 30,820,000 passwords were 123456? Seems low to me. 😉
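The cracking-time figures in the excerpts above follow from two things: whether the password sits in a leaked wordlist at all (the top-50 case, where it falls in under a second), and, if not, how large the keyspace implied by its length and character classes is relative to the attacker's guess rate. The script below is an added illustration of that arithmetic; it is not code from the Digital Shadows report, and it does not reproduce the report's own figures (the 90-minute and 2-day numbers depend on a hash rate and model the page does not state). The guess rate, the five-entry wordlist and all helper names are assumptions. It goes slightly beyond the excerpt by handling any mix of the four character classes rather than only the ten-character case.

```python
"""Rough offline-cracking cost of a password from its character classes.

Added illustration, not code from the Digital Shadows report. The guess
rate, the tiny wordlist and every helper name below are assumptions.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

# Constructed five-entry stand-in for a leaked-password wordlist. A real run
# uses millions of entries, which is why top-50 passwords fall instantly.
TOP_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678"}

# Assumed offline guess rate: 1e10 guesses/s, on the order of a GPU rig
# against a fast unsalted hash (MD5, NTLM). A slow hash such as bcrypt or
# Argon2 lowers this by several orders of magnitude.
GUESSES_PER_SECOND = 10_000_000_000

# Character classes a mask attack would enumerate; string.punctuation has 32.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "special": frozenset(string.punctuation),
}


@dataclass(frozen=True)
class Estimate:
    in_wordlist: bool
    alphabet_size: int
    keyspace: int
    worst_case_seconds: float


def keyspace_for(password: str) -> tuple[int, int]:
    """Alphabet size implied by the classes present and the exhaustive
    keyspace at this length: the worst case for a mask attack that knows
    the length and the classes in use."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    if alphabet == 0:
        raise ValueError("no recognised character class in password")
    return alphabet, alphabet ** len(password)


def estimate(password: str, rate: int = GUESSES_PER_SECOND) -> Estimate:
    """Wordlist hits cost effectively nothing; otherwise assume the attacker
    must walk the whole keyspace at the given rate."""
    alphabet, space = keyspace_for(password)
    hit = password in TOP_PASSWORDS
    return Estimate(hit, alphabet, space, 0.0 if hit else space / rate)


def growth_factor(base: str, variant: str) -> float:
    """How many times larger the keyspace becomes when `variant` adds a
    character class (or length) relative to `base`."""
    return keyspace_for(variant)[1] / keyspace_for(base)[1]


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration for reporting."""
    if seconds < 1:
        return "under a second"
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    # Constructed samples: a top-list entry, a ten-char lowercase password,
    # the same with one special character, and a mixed-class variant.
    for pw in ("123456", "abcdefghij", "abcdefghi!", "Abcdefgh1!"):
        e = estimate(pw)
        print(f"{pw:12} wordlist={e.in_wordlist!s:5} alphabet={e.alphabet_size:3} "
              f"keyspace~2^{e.keyspace.bit_length() - 1:<3} "
              f"worst case {human_time(e.worst_case_seconds)}")
    print("one special char on a 10-char lowercase password multiplies the "
          f"keyspace by {growth_factor('abcdefghij', 'abcdefghi!'):.0f}x")
```

Two things to take from running it: the keyspace arithmetic is irrelevant for anything already in a wordlist, which is what the 49-of-50 excerpt is really saying, and the absolute times scale directly with the assumed guess rate, so the same password behind bcrypt or Argon2 costs the attacker orders of magnitude more than behind MD5 or NTLM.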
The report from Digital Shadows reveals the shocking increase of usernames and passwords found circulating amongst cyber criminals since 2020. The digital acceleration has exploded since the pandemic and we need to wake up to the fact that passwords are no longer a secure means of protection. Especially when so many individuals use password combinations that are easy to guess. Authentication needs to change, and people need to be aware of the flaws in password-based authentication. Reports such as these highlight the need for other, safer means of authentication that require multiple factors and can’t be phished or brute-forced. Passwords are outdated and this report makes it clear that cyber criminals are capitalising on this vulnerable authentication process.
Identities are the true hacker’s objective. A username/password tuple can be attempted at not just the resource that is discovered but at multiple targets: banks, credit cards, health care and business accounts. It’s these business accounts that enterprises must concern themselves with. It’s not difficult for a hacker to pivot a username/ID with OSINT and discover the place of work. From there it’s just a matter of logging onto the user’s account in some form, dropping in a RAT (Remote Access Trojan) and then beginning the cyber kill chain of lateral movement and privilege escalation. It is imperative that an enterprise practice Zero Trust and strong identity governance, which help identify anomalies in user privileges.