When you think about your social media accounts – for example, your Facebook password – does it have anything in common with your LinkedIn or bank account credentials? Does it have the same password as your business account? If so, you are not alone. According to a Google survey, at least 65% of respondents re-use their passwords across multiple accounts and Web services.

By Antoine Korulski and Adi Goldshtein Harel from Check Point Software Technologies Research

As every service, Web site, and social media account requires a password, many people find it easier to re-use existing ones instead of inventing new ones, especially since it is difficult to manage and memorise multiple passwords.

This is particularly true as, due to security policies, passwords are by necessity becoming increasingly complex. Although most South African internet users understand the risk and know that one should not re-use passwords, most of us continue doing so for both our business and personal accounts.

Some people use password managers, which are considered safe, to help them store their credentials. However, these tools are not bulletproof, as seen in August 2022 when LastPass was breached for a second time.

On that note, in a survey from 2022, another password manager service, Bitwarden, found that 84% of the service’s consumers use the same password across multiple business and personal platforms.

It is not surprising that cybercriminals have seen an opportunity presented by people’s generally lax behaviour regarding password re-use and created a flourishing underground market of databases obtained from breached Web sites.

Most cybercriminals do not care about the origins of the credential pair. They create ‘combo lists’, huge compilations of many stolen databases that are just lists of email addresses and passwords. Many of those are lists of corporate email accounts with passwords that were used on third-party services. The largest combo list of all time, RockYou2021, was published in 2021 and contained more than eight billion unique sets of email accounts and passwords.

Credential stuffing attacks

Credential stuffing is a type of cyberattack in which malicious users collect stolen account credentials, typically consisting of lists of usernames and/or email accounts and the corresponding passwords. They then use the credentials to gain unauthorised access to user accounts through large-scale automated login requests directed against a Web application.

Credential stuffing is one of the most common techniques to take over user accounts, including emails, banking accounts, social media, and business accounts.
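The pattern described above, many different accounts tried from one source with roughly one attempt each, is also what a defender can look for in login logs. The following is an added example (not Check Point's code); the log format and the constructed sample lines are assumptions, and the threshold and window are placeholders to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample login audit log, not from the article.
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.7 login user=alice@example.com result=FAIL
2023-03-01T10:00:02Z 203.0.113.7 login user=bob@example.com result=FAIL
2023-03-01T10:00:02Z 203.0.113.7 login user=carol@example.com result=FAIL
2023-03-01T10:00:03Z 203.0.113.7 login user=dave@example.com result=OK
2023-03-01T10:00:04Z 203.0.113.7 login user=erin@example.com result=FAIL
2023-03-01T10:00:10Z 198.51.100.3 login user=frank@example.com result=FAIL
2023-03-01T10:00:20Z 198.51.100.3 login user=frank@example.com result=FAIL
2023-03-01T10:00:31Z 198.51.100.3 login user=frank@example.com result=OK
2023-03-01T10:05:00Z 203.0.113.7 login user=grace@example.com result=FAIL
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, source_ip, username, result), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_distinct_users=5):
    """Flag source IPs that tried >= min_distinct_users *different* accounts within
    any sliding window (the stuffing signature), keyed to the largest count seen.
    Successes count too: an OK inside such a run is the account to act on."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, _ = parsed
            attempts[ip].append((ts, user))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()  # (timestamp, user) pairs, oldest first
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            if distinct >= min_distinct_users:
                flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged
```

Note the contrast with the second source, which fails repeatedly on a single account: keying on distinct usernames per source, rather than failures per account, is what separates stuffing from an ordinary user mistyping their password.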

The underground perspective

As soon as cybercriminals understood the big business potential of stolen passwords, they started focusing their efforts on hacking different Web sites and services that are not of great value by themselves, but are lucrative because of the user credentials they contain.

The NIST password storage guidelines require that passwords be salted with at least 32 bits of data and hashed with a one-way key derivation function. However, even in 2022, many Web sites do not comply with this policy, and some even store passwords as plain text records.
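To make the guideline concrete, here is an added example (not from the article or from Check Point) of what compliant storage looks like next to the non-compliant unsalted hash it replaces. The specific parameters are assumptions: a 16-byte random salt (well above the 32-bit minimum) and PBKDF2-HMAC-SHA256 with 600 000 iterations as the one-way key derivation function.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example, not values from the article.
SALT_BYTES = 16          # 128-bit salt, comfortably above the 32-bit minimum
ITERATIONS = 600_000
MIN_SALT_BITS = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) * 8 < MIN_SALT_BITS:
        raise ValueError("salt shorter than the 32-bit minimum")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_sha256(password: str) -> str:
    """The non-compliant 'before', shown only for contrast: with no salt,
    every user who picked the same password gets the identical record."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def records_collide(password: str, hasher) -> bool:
    """True if two users sharing a password end up with identical stored records."""
    return hasher(password) == hasher(password)
```

The collision check is the practical point for combo lists: with per-user salts, a password re-used by thousands of users across a breached site still yields a different record for each, so one cracked record does not unlock the rest.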

The cybercriminals who hack these Web sites are not necessarily the ones who most effectively use them. Many flourishing underground communities and markets have been created around buying and selling stolen data and credentials.

Valuable sets of credentials that provide administrator-level access to an organisation can cost up to R2,1-million in the underground, with an average of R55 000 for administrator sets. While many sets of credentials are sold in the underground forums, many are also given away for free.

In just the last six months, in one of the prominent English-speaking underground communities, more than 3 500 threads concerning stolen databases were opened, and more than 1 500 threads about combo lists that include just email accounts and passwords were active. Each one of these databases can include millions or even hundreds of millions of credential sets.

While those databases and combo lists include a high percentage of Web mail credential sets whose exposure poses only a low risk to the company, they also include many sets of corporate email accounts with passwords that employees use to register on third-party Web sites.

This is the Holy Grail for the cybercriminals, the most valuable prize of them all. When the same password is used across personal and business accounts, the damage potential of a cyber attack increases, as criminals can access multiple accounts when just one is breached, and the organisation’s vulnerability to cyber attacks increases.

These accounts and applications lie beyond the visibility and protection of business IT teams.

In many cases, cybercriminals also separate the combo lists by country, making them more convenient to use.

What you can do to keep your passwords safe

According to Charnie-lee Adams-Kruger, country manager: SADC at Check Point Software Technologies, passwords are the organisation’s first line of cybersecurity defence and must be treated with the necessary level of importance.

“As Check Point research has shown, people are creatures of habit and tend to use the same password on multiple systems. However, as personal records get stolen regularly, once attackers obtain users’ credentials, they can use those to access other sites and networks.”

Changing passwords at regular intervals might seem more secure, but the challenge is that people now need to remember multiple passwords which could lead to password resets. Invariably, this will result in the temptation of choosing minor variations of old passwords, for example adjusting one character. If an attacker already knows the previous password, it will not be too difficult for them to crack the updated version.

“When it comes to creating a password, people should also never use their online data in any of those passwords. Hackers scan social media accounts to gather key information such as names, dates, interests, and so on, which might be used in passwords.

“So, using your pet’s name in the password is not ideal. Instead, choose a complex password that consists of characters, numbers, letters, and special characters. This password should be up to 15 characters long while people should consider adopting two-factor authentication as an additional way to strengthen their logins,” says Adams-Kruger.