Many consumers still relying on easy-to-crack passwords, warns Digital Shadows
An eye-watering 24 billion usernames and passwords are available on the dark web – an increase of 65% in just two years, according to a new study from Digital Shadows.
Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found that 6.7 billion unique credentials exist – an increase of approximately 1.7 billion or 34% in two years.
A study (PDF) from the threat intel firm, published on Wednesday (June 15), found that despite this, consumers continue to use easy-to-guess passwords.
For example, around 0.46% of all passwords – nearly one in every 200 – are ‘123456’. Keyboard combinations such as ‘qwerty’ or ‘1q2w3e’ are also all too commonplace.
In response to questions from The Daily Swig, Digital Shadows said most of the credentials collected and analyzed in its report come from organizations whose databases have been breached; the stolen password hashes are then cracked and the plaintext passwords leaked on cybercriminal forums. Login credentials stolen through phishing attacks, often using specialist phishing kits, are another significant vector of credential pwnage.
Easy-to-use tools commonly available through criminal marketplaces at minimal cost or for free make it straightforward for even unskilled script kiddies to crack weak passwords.
Simply adding a ‘special character’ (such as @, # or _) to a basic 10-character password makes it far harder to crack, and therefore makes it much less likely that a person will fall victim to an attack, as criminals move on to accounts that are easier to breach.
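To make the report's points about keyboard walks and special characters concrete, here is an added Python example (not code from Digital Shadows or The Daily Swig): it flags the passwords named above, detects keyboard-walk patterns on a constructed US QWERTY layout, and compares the brute-force search space of a 10-character password with and without a special character. The denylist and the keyboard rows are assumptions made for illustration.

```python
"""Password checks for the weak patterns the report calls out (added example;
not Digital Shadows' or The Daily Swig's code). The denylist and keyboard
layout are constructed; the search-space figure is a combinatorial bound."""
import math
import string

# Constructed denylist: the passwords the report names as commonplace.
COMMON_PASSWORDS = {"123456", "qwerty", "1q2w3e"}
# US QWERTY rows, used to spot walks along a row ("qwerty") or down the
# columns ("1q2w3e"). Row stagger is ignored; neighbours differ by <=1 in
# row and column, so a repeated key also counts as a walk.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _key_position(ch):
    for row_idx, row in enumerate(KEYBOARD_ROWS):
        col = row.find(ch)
        if col >= 0:
            return row_idx, col
    return None


def is_keyboard_walk(pw, min_len=6):
    """True when every adjacent pair of characters sits on neighbouring keys."""
    positions = [_key_position(c) for c in pw.lower()]
    if len(positions) < min_len or None in positions:
        return False
    return all(abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1
               for (r1, c1), (r2, c2) in zip(positions, positions[1:]))


def charset_size(pw):
    """Size of the smallest character-class alphabet that contains pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def brute_force_bits(pw):
    """log2 of the candidates an exhaustive attack must cover (an upper bound:
    a guessed-in-seconds password can still score many bits by this measure)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    return {"common": pw.lower() in COMMON_PASSWORDS,
            "keyboard_walk": is_keyboard_walk(pw),
            "brute_force_bits": round(brute_force_bits(pw), 1)}
```

Calling `assess("abcdefghij")` and `assess("abcdefghi@")` shows the jump from roughly 47 to 59 bits of search space that one special character buys, while `assess("1q2w3e")` is rejected on both the denylist and the keyboard-walk check.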
Digital Shadows reports that the sale of stolen and cracked credentials remains a mainstay of sales through cybercrime forums and marketplaces.
"Stolen credentials are one of the most crucial access tokens for a variety of cybercriminals and state-sponsored groups’ operations," Digital Shadows told The Daily Swig. "As such, the market for them is constantly florid and threat groups scramble to put their hands on these valuable assets."
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that despite industry attempts to move beyond passwords as an authentication mechanism, the issue of breached credentials remains pressing – and is becoming progressively worse over time.
“Criminals have an endless list of breached credentials they can try, but adding to this problem are weak passwords, which means many accounts can be guessed using automated tools in just seconds,” Morgan said.
Morgan added: “In just the last 18 months, we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the usernames and passwords of their staff, customers, servers, and IoT devices.
“Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts,” they concluded.
In a blog post, Digital Shadows summarizes the findings from its research as well as offering advice on password security best practices.
Its top tips include advising users to switch to using a password manager and adding multi-factor authentication to their online accounts so that a password alone (even if compromised) is not enough to gain access.