Are you confident that your companys password security strategy is fit for purpose? Do you have a password security strategy in place? 360 million stolen passwords are for sale online. In October, 153 million names and passwords stolen in an Adobe breach were on the open market. In November, it was 42 million passwords stolen from the dating service Cupid Media. This, of course, was around the time credit card information was stolen in the Target breach (110 million) and the Neiman Marcus breach (1.1 million).
What happens with all these stolen passwords? Sometimes they’re simply put up for sale. There are websites selling user/password combinations for lots of popular businesses—Amazon, Walmart, Dell—for just $2 each.
Our stolen passwords can be put to work stealing more passwords or other personal information. According to The Telegraph, the glut of passwords on the market means prices for credit card details are falling. Twitter passwords are worth far more right now. Hackers hope that Twitter passwords will give them access to other social media accounts, and the passwords are also an excellent spear phishing vehicle—hackers can use a compromised Twitter account to gain information about the victim’s friends, family, and co-workers.
Over half of all Internet users admit to using the same password for every account.
Hackers sometimes use stolen passwords to access retirement accounts or other financial sites that contain social security numbers. Once the hackers have a social security number identity theft is relatively easy.
Stolen passwords are also used to update the Rainbow Tables, huge databases that are used to crack encrypted data. Secure websites often employ “salting,” an extra layer of encryption. If a less secure website is hacked, and some of the passwords are the same as passwords in the Rainbow Tables, this can provide a key for hacking the more secure website.
One of the first things hackers do is to try to use the stolen user name/password combination on other sites. It’s been said a million times, but avoid using the same password more than once. It would certainly be very disconcerting to have your information stolen from Cupid Media, but much more disconcerting if your Cupid password was the same one that you used to access your bank and credit card accounts.
Did you know that over half of all Internet users admit to using the same password for every account? Studies of major password breaches over the past 10 years show:
- Nearly 50 percent choose names, slang or trivial passwords.
- About 30 percent choose passwords with six or fewer characters.
- Almost 60 percent choose their password from a limited set of alpha-numeric characters.
- Less than 4 percent incorporate special characters.
Do employees fully grasp the risks associated with compromised accounts?
IT managers are more password security aware than most, not least because when company and financial systems are at risk there are serious consequences for them. A data breach can often take time to be noticed but it eventually is through identity theft, lawsuits or substantial corporate expenses. Many high profile companies have suffered serious data breaches including Linkedin, Yahoo and, Sony. The compromised security at Sony, the global games company, allowed criminals 20 million accounts which including email addresses, phone numbers, passwords, and in some cases credit card numbers. It has been reported that some of this information is for sale in several cybercrime forums.
Another high profile attack and possibly the biggest data breach in US history was the Epsilon attack earlier this year. Epsilon a global provider of marketing services had their IT system hacked and the criminals gained access to the names and email addresses on their customer database which included some of the worlds largest companies across a variety of sectors. This successful attack gave criminals access to large amounts of information about individuals in these companies, details which will allow them to more effectively target each company more specifically.
Guidelines for Stronger Password Security
The key to creating a stronger password is knowing what not to use. For example, never create a password derived from anything you would share with co-workers or post on Facebook, it’s too easy for someone who knows how to do some digging to guess. Never use the same password for multiple accounts.
Also, stay away from:
- Usernames, real names or any name
- “Dictionary” words in any language, slang, or common abbreviations
- Dates, or other number combinations such as addresses, drivers’ license number, or phone numbers
- Specific personally identifying info, such as your birth place or favourite film
- Keyboard patterns, such as qwerty or Asdfgh
Did that list just eliminate your existing passwords? That’s OK! You’re about to better secure your accounts!
Your new strong passwords should use all of the following:
- More than seven characters
- Upper and lower case letters
- Special characters
One more word of caution. Hackers know that any large data compromise, like the Target attack, will make people nervous, so it’s their favorite time to send out phishing emails with the end of goal of getting people to change their passwords on fake websites. Passwords should always be updated by going directly to the site, never by clicking on a link on an email. Remember network security is all about layers, always keep anti spam, antivirus and other network security solutions updated.