In May 2016, security researchers discovered millions of user accounts from social networking sites like LinkedIn, MySpace and Tumblr for sale on the dark web. The victims’ personal data came from multiple data breaches that are believed to have taken place between 2011 and 2013.
Together, the breaches exposed over 642 million passwords. This could spell trouble for millions of online users, as pointed out by Tripwire senior security research engineer Travis Smith:
“With the increase of breaches that we’ve seen over the past few years, it’s likely at least one of your passwords has been stolen by a hacker. It’s entirely possible one of your accounts has been compromised and that the website or service has not yet discovered the breach.”
The threat is even greater for users who don’t practice strong password security.
For instance, an attacker who obtains a breached credential database will typically run a password cracking tool against it. Stored passwords are (or should be) hashed rather than encrypted, so the tool cannot reverse them; instead it hashes enormous numbers of guesses, dictionary words and common variations of them, and compares the results with the stolen hashes. A simple, guessable password falls in seconds, after which the attacker needs nothing more than the matching username to log in. Where a service permits unlimited login attempts, the same guessing can be run directly against the login form.
But the damage might not end there. An attacker could gain access to additional information in the event an individual has reused their password across multiple accounts.
Craig Young, security researcher for Tripwire, explains it is these types of behaviors that undermine information security for users and enterprises alike:
“Passwords are often the weakest link in an otherwise secure system. The reuse of passwords across multiple systems and the use of simple passwords commonly found in password cracking dictionaries account for a large number of account hijackings.”
Major vendors like Microsoft are taking steps to protect users against poor password practices. But the ransom demands that follow data breaches, such as those the FBI recently warned about, are a reminder for users to take a closer look at their own passwords.
With that in mind, Tripwire’s security experts offer the following advice for consumers to improve their password hygiene:
- Change your passwords on a regular basis, and immediately for any service that reports a breach. Many of the passwords from the breaches described above are being sold on the dark web and are more than three years old; a password set in 2012 and never changed is still valid today, which is exactly what the buyers are counting on.
- Stop using passwords and start using passphrases. A string of several words is far less likely to appear in an attacker’s wordlist than a single word, and the extra length raises the cost of every guessing strategy. A starting point for a secure passphrase could be a favorite quote or a line from a song, complete with spaces and punctuation.
- Be liberal with character substitutions. A password can be made harder to guess by replacing “o” with “0,” “e” with “3,” or “a” with “@.” Treat this as a supplement to length rather than a substitute for it: cracking tools apply these same swaps automatically as mutation rules, so “p@ssw0rd” is not much safer than “password,” while a long passphrase with a few substitutions is.
- Use a different password for each website or service. If an attacker steals your password for one site, it cannot be replayed against your accounts elsewhere.
That last point is important, and according to Young, it’s not even that difficult to do:
“Creating unique credentials for each website may seem daunting, but one option is to add something you associate with the website’s service to the passphrase. For example, if I were to create a password for an online book retailer, I might start with the quote ‘It was the best of times,’ and then change it to ‘It w$s th3 b3st 0f tim3s.’ To make an even stronger, more unique passphrase, I could add ‘books’: ‘It w$s th3 b3st 0f tim3s b00ks.’”
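To make concrete how cheaply a simple or leet-substituted password falls to the offline guessing described earlier, and why a multi-word passphrase like the one in Young’s example does not, here is a small rule-based cracker written for this article. It is added illustration, not Tripwire code or any real cracking tool. The breach dump, the wordlist, the per-user salts and the plaintexts are all constructed for the example; the substitution and suffix rules mimic the kind of mutation rules real crackers ship with.

```python
import hashlib
import itertools

# Constructed fixture standing in for a breach dump: per-user salt plus the
# salted SHA-256 of the password. The plaintexts below exist only to build the
# fixture; the cracker works from the salts and hashes alone.
FIXTURE_PLAINTEXTS = {
    "alice": "password",                        # top of every wordlist
    "bob": "P@ssw0rd1",                         # "password" + case/leet/suffix rules
    "carol": "It w$s th3 b3st 0f tim3s b00ks",  # multi-word passphrase
}

# Constructed mini-wordlist; real ones run to millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon"]

# Leet substitutions tried in every combination, the way cracking tools' rule
# sets do. Appended suffixes cover the usual digits and punctuation.
LEET_PAIRS = [("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$")]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["123", "!", "1!", "2016"]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex-encoded. A fast hash like this is what makes offline guessing cheap."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_leaked_db() -> dict:
    """Derive a fixed per-user salt (deterministic only so the example is reproducible;
    real systems draw salts from a CSPRNG) and hash each fixture password with it."""
    db = {}
    for user, pw in FIXTURE_PLAINTEXTS.items():
        salt = hashlib.sha256(user.encode()).digest()[:16]
        db[user] = (salt, hash_password(pw, salt))
    return db


def mutations(word: str):
    """Yield rule-based variants of one wordlist entry: case changes, every
    subset of the leet substitutions, and a common suffix."""
    for base in (word, word.capitalize(), word.upper()):
        for r in range(len(LEET_PAIRS) + 1):
            for combo in itertools.combinations(LEET_PAIRS, r):
                leet = base.translate(str.maketrans(dict(combo)))
                for suffix in SUFFIXES:
                    yield leet + suffix


def candidates(wordlist):
    """All distinct guesses, in the order a cracker would try them."""
    seen = set()
    for word in wordlist:
        for cand in mutations(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(db: dict, wordlist) -> dict:
    """Offline dictionary attack: hash each candidate with the victim's salt and
    compare against the stored hash. Returns {user: (plaintext, guesses_needed)}."""
    cracked = {}
    for user, (salt, target) in db.items():
        for guesses, cand in enumerate(candidates(wordlist), start=1):
            if hash_password(cand, salt) == target:
                cracked[user] = (cand, guesses)
                break
    return cracked


if __name__ == "__main__":
    result = crack(build_leaked_db(), WORDLIST)
    total = sum(1 for _ in candidates(WORDLIST))
    for user in FIXTURE_PLAINTEXTS:
        if user in result:
            print(f"{user}: cracked as {result[user][0]!r} after {result[user][1]} guesses")
        else:
            print(f"{user}: not found in {total} guesses")
```

Running it shows alice’s password found on the very first guess and bob’s within a few thousand, while carol’s passphrase survives the whole candidate space. Note what does and does not change the picture: a slow password hash such as bcrypt or PBKDF2 makes every guess thousands of times more expensive, but a wordlist entry with a predictable mutation still falls; only a secret that lies outside the attacker’s candidate space survives.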
For added protection, users should also consider taking advantage of two-factor authentication. Tim Erlin, director of IT security and risk strategy at Tripwire, notes that this additional layer of security helps prevent an attacker from gaining access to an account simply by compromising someone’s password:
“Two-factor authentication often uses a password and a one-time code sent to a mobile device. Other factors used for authentication could be a fingerprint, retinal scan or a physical card. Many websites and online services now support two-factor authentication, and users should enable it where possible.”
To check whether your account credentials have appeared in a known data breach, visit https://haveibeenpwned.com/.