In May 2016, security researchers discovered that millions of user accounts from popular sites like LinkedIn, MySpace and Tumblr were for sale in underground marketplaces. The victims’ personal data came from multiple widespread data breaches, many of which took place between 2011 and 2013. Overall, the breaches revealed over 642 million passwords, and the FBI has issued a warning that cyber criminals have already started using information stemming from the breaches in blackmail and ransomware schemes.
According to the FBI, “The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid. The recipient is instructed to pay in Bitcoin, a virtual currency that provides a high degree of anonymity to the transactions.”
“With the increase of breaches that we’ve seen over the past few years, it’s likely at least one of your passwords has been stolen by a hacker,” said Travis Smith, senior security research engineer for Tripwire. “It’s entirely possible one of your accounts has been compromised and that the website or service has not yet discovered the breach.”
“Passwords are often the weakest link in an otherwise secure system,” said Craig Young, security researcher for Tripwire. “The reuse of passwords across multiple systems and the use of simple passwords commonly found in password cracking dictionaries account for a large number of account hijackings.”
Major vendors like Microsoft are taking direct steps to ban common passwords, but the attacks stemming from recent data breaches serve as serious reminders for users to take a closer look at their passwords. Tripwire security experts offer the following advice for consumers to improve their password hygiene:
- Change your passwords on a regular basis. Many of the passwords from these recent data breaches are being sold on the dark web and are over three years old. Using stale passwords can keep you exposed to threats.
- Stop using passwords and start using passphrases. Using a series of words is far less likely to show up in an attacker’s password dictionary than a single word. A starting point for a secure passphrase could be a favorite quote or a line from a song, complete with spaces and punctuation.
- Be liberal with character substitutions. A password can be made stronger by replacing “o” with “0,” “e” with “3,” or “a” with “@.”
- Use a different password for each website or service. If an attacker manages to steal a password for one website, they cannot use the same password to access other websites.
“Creating unique credentials for each website may seem daunting, but one option is to add something you associate with the website’s service to the passphrase,” Young added. “For example, if I were to create a password for an online book retailer, I might start with the quote ‘It was the best of times,’ and then change it to ‘It w$s th3 b3st 0f tim3s.’ To make an ever stronger, more unique passphrase, I could add ‘books’: ‘It w$s th3 b3st 0f tim3s b00ks.’”
An additional way to utilize unique credentials is to take advantage of two-factor authentication. “Employing multiple authentication factors prevents an attacker from gaining access by simply compromising your password,” said Tim Erlin, director of IT security and risk strategist at Tripwire. “Two-factor authentication often uses a password and a one-time code sent to a mobile device. Other factors used for authentication could be a fingerprint, retinal scan or a physical card. Many websites and online services now support two-factor authentication, and users should enable it where possible.”