12 July, 2016

Are You Still Using "password" as Your Password?

Not to alarm anyone, but to date, over a billion compromised accounts with credentials have been sold online, including:

- 359,420,698 MySpace accounts
- 164,611,595 LinkedIn accounts
- 152,445,165 Adobe accounts
- 65,469,298 tumblr accounts

Think of your password as a safe deposit box key. Would you leave it lying around for anyone to pick up? Of course not. Yet passwords, in many cases, unlock equally valuable assets. And we're making it even easier for thieves because, unlike having multiple keys for multiple doors, we often reuse the same password on multiple sites.

Password reuse is so prevalent that officials can no longer tell if a new batch of stolen passwords offered for sale results from a new security breach or reuse of previously stolen passwords on a new website.

Many of us have had our Facebook accounts hacked. So we change that one password and move on. Hackers are not as lazy as we are. They use automated login-testing ("password automation") software, such as SentryMBA, to try stolen or exposed username, email and password data against a whole range of top websites. Additional tools allow them to bypass CAPTCHA and other controls designed to safeguard your login.
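The automated testing described above leaves a recognizable trace on the receiving site: one source trying many different accounts with mostly failed logins. As an added example that is not part of the original post, the following Python flags that pattern in a constructed authentication log (the log format, addresses and usernames are assumptions); any success inside such a campaign is a likely reused password and the account that needs attention.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post): timestamp, source, user, outcome.
SAMPLE_LOG = """\
2016-07-12T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2016-07-12T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2016-07-12T10:00:02Z src=203.0.113.5 user=carol result=OK
2016-07-12T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2016-07-12T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2016-07-12T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2016-07-12T10:01:10Z src=198.51.100.7 user=alice result=FAIL
2016-07-12T10:01:25Z src=198.51.100.7 user=alice result=OK
2016-07-12T10:02:00Z src=192.0.2.9 user=bob result=FAIL
2016-07-12T10:02:01Z src=192.0.2.9 user=bob result=FAIL
2016-07-12T10:02:02Z src=192.0.2.9 user=bob result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def parse_log(text):
    """Return (src, user, ok) tuples; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["user"], m["result"] == "OK"))
    return events

def find_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.25):
    """Flag sources that try many *different* accounts and mostly fail.

    A single mistyped password (198.51.100.7) or a brute force against one
    account (192.0.2.9) touches few distinct usernames, so neither is flagged.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "hits": []})
    for src, user, ok in events:
        s = per_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
    flagged = {}
    for src, s in per_src.items():
        rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged[src] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                            "compromised": sorted(s["hits"])}  # successes = reused passwords
    return flagged

if __name__ == "__main__":
    for src, info in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are starting points; on a real site they should be tuned against normal login traffic and combined with per-source rate limiting rather than used alone.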

I use individual passwords for every site. Even so, at least one of my email addresses has been "pwned" (a newer term meaning that someone has taken ownership of it), and a hacker could take over my account. And if you reuse your logins and passwords... Oops. Count how many accounts are at risk!

Why would they bother? It's automated, it's cheap, and the rewards may well outweigh the minimal effort. Stolen credentials go for about $50 per million. Attackers pay 1 cent for each password they confirm as viable with their test software, and nothing for the others. One cent to access someone's accounts?

Some websites are switching to two-factor authentication (also known as 2FA), where you need two components (e.g. your login plus a limited-time code sent to your phone) to gain access. This is not foolproof, but it helps.

In the meantime, assume that you've been hacked somewhere, sometime, and change your password, on every website, to a new, unique, tough-to-guess password. Do not recycle your passwords.

Check out this website: https://haveibeenpwned.com/.