According to recent research, the number of stolen password and username combos for sale on the Internet is around 360 million. That number is likely to grow substantially, as hackers are targeting companies and are stealing login credentials. If you don’t tighten password security, hackers may be able to break through your security defenses. It could be your customers’ credentials for sale on the Internet if you make it too easy for hackers.
Usernames and passwords being openly sold online
Adobe was targeted by hackers, and in October they succeeded in obtaining approximately 153 million usernames and passwords. They were subsequently listed for sale online. Cupid Media was hacked, and the dating website had approximately 42 million passwords stolen in the attack. Then there was the Target data breach. 110 million passwords (and other highly sensitive data) were stolen.
What do hackers do with stolen passwords?
What is happening with all of these passwords? Do criminals buy passwords just to gain access to credit card numbers used on these companies’ websites? In many cases that is the reason why criminals want passwords and usernames.
For around $2, it is possible to purchase usernames and passwords for accounts on Amazon or Walmart. Criminals can use the accounts to purchase high value goods. However, an address must be provided to deliver the goods, and that is best avoided when using stolen data.
Many online criminals use these login names and passwords to gain access to other personal information: information that can be used for much more lucrative crimes, such as tax fraud, identity theft, and medical and insurance fraud. If criminals can use personal passwords to gain access to employers’ computer systems, malware could be installed and huge quantities of data stolen. If access to corporate bank accounts can be gained, transfers can be made and millions obtained.
Amazon passwords are being bought, but Twitter login credentials carry a higher price. Criminals believe, often rightly so, that the information can be used to gain access to Facebook and LinkedIn accounts. Those accounts are much more valuable than Amazon or Walmart accounts. The platforms are a mine of information, and data can be gained that will allow spear phishing campaigns to be developed, not only against the individual whose account has been compromised, but also against their entire network of friends and work colleagues.
Password sharing practiced by 50% of Internet users
A single password can be extremely valuable, as passwords are often shared across multiple platforms and Internet accounts. If a password can be used to gain access to a banking website, funds can be transferred to hackers’ accounts. However, hackers often try to obtain Social Security numbers. They can be used for identity theft, the proceeds of which can be far greater than the individual’s bank balance.
Stolen passwords are used to maintain a database of passwords known as rainbow tables. These tables are used to crack passwords. If one encrypted password can be cracked, hackers may be able to use it to crack other passwords used by the same business.
One password can also be tried on other online accounts, and all too often access to social media accounts and even online banking and work accounts can be gained. Recent surveys suggest that over half of all Internet users share passwords across multiple websites. If your Twitter account is hacked, and the same password has been used for your work email account, bank account, and Facebook account, your identity could be stolen, your employer hacked, and your bank account emptied.
Do you need to tighten password security?
Internet users also make it far too easy for passwords to simply be guessed. Did you know…
- Fewer than 4% of Internet users incorporate special characters in their passwords
- 60% create passwords using a limited number of alpha-numeric characters
- Almost a third of people use passwords of 6 characters or fewer
- Over half use easy-to-guess passwords (many still use “password”)
These figures strongly suggest that many companies must tighten password security. They are allowing employees to use passwords that are very weak.
How to tighten password security
If you want to make passwords more secure, the best place to start is by preventing the use of insecure passwords. What do hackers try first when attempting to guess passwords?
- Names: pets, children, street names
- Any personal information that can be found on Facebook or Twitter accounts (favorite bands, model of car owned, favorite book or film)
- Dates: your own birthdate, that of your partner or children, the date you got married, etc.
- Dictionary words
- Sequential letters on a keyboard – ‘qwerty’, ‘dfghjkl’, or ‘zxcvbnm’ for example
Tighten password security by enforcing password controls
Telling employees to create secure passwords will help, but there will always be some members of staff who ignore the rules. To ensure strong passwords are chosen, you will need to enforce rules. Prevent weak passwords from being created and make sure passwords have:
- More than 6 characters
- At least one number
- At least one capital letter
- At least one lower case letter
- At least one special character
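The controls above can be enforced at the point where a password is set. The following Python check is an added example, not code from the original article: it applies the five composition rules and also rejects the guessable content listed earlier (dictionary words, keyboard sequences, personal information). The function names, the tiny word list and the sample passwords are constructed for illustration.

```python
import re

# Constructed sample list; a real deployment would load a full dictionary
# and a breached-password list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common character substitutions before the dictionary check.
LEET = str.maketrans("@4031$5!7", "aaoeissit")

def has_keyboard_run(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_run + 1):
                if seq[i:i + min_run] in low:
                    return True
    return False

def check_password(pw, personal_info=()):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    # Composition rules from the list above.
    if len(pw) <= 6:
        problems.append("more than 6 characters required")
    if not re.search(r"[0-9]", pw):
        problems.append("number required")
    if not re.search(r"[A-Z]", pw):
        problems.append("capital letter required")
    if not re.search(r"[a-z]", pw):
        problems.append("lower case letter required")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("special character required")
    # Guessable content: what attackers try first.
    low = pw.lower()
    if any(word in low.translate(LEET) for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard sequence")
    if any(len(p) >= 3 and p.lower() in low for p in personal_info):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    for candidate in ("Password1!", "Qwerty12#", "Tr4il-mix&Kettle"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

“Password1!” and “Qwerty12#” satisfy every composition rule and are rejected only by the content checks, which is why the composition rules alone are not enough.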