Ten Million Passwords

Imagine finding out that a password of yours had been stolen. That would be scary enough, right? Even if you found out in time to do something about it, that would still be a terrifying dose of reality knowing that someone was able to get their hands on it. However, now imagine that not only had someone stolen this important piece of information, but they had also posted it online for all to see. That’s exactly what happened to as many as 10 million people earlier this year.

Why Post 10 Million Passwords?

The first question on your mind is probably, “Did my password get posted?” You can actually find out if your password was one of the 10 million here. However, your second question is quite possibly, “Why would somebody do this?”

Mark Burnett, a well-known security researcher, is the man responsible for the posting. He didn’t actually steal these passwords either, which should be all the more horrifying because Burnett simply found them online. While the blog he posted this list on is currently down, he had put the millions of usernames and passwords in a torrent file that could be downloaded in just minutes.

In a post he wrote to help explain his intentions (he wants to give researchers the resources to better understand username/password relationships, which in turn could make us all safer), Burnett also pointed out that he thought most of the ones he submitted were now dead anyway and thus no good for authentication purposes. However, one more terrifying tidbit that will unsettle most of us was also relayed: he gathered this information from over 1,000 sites on the Internet, where he imagines something like a billion more username/password combinations are housed.

Welcome to the Deep Web

It’s not uncommon these days to hear someone quip about how the Internet is the worst. We have the most revolutionary technology ever conceived in the palm of our hands and yet it’s leveraged for little more than cat photos and anonymously posting insults on YouTube.

If only those people knew. The World Wide Web that most people are familiar with, the part search engines index, is often estimated at only about 4% of the whole. That’s about the size of New England compared to the rest of the United States. Put another way, if that estimate is right, the entire web is roughly 25 times bigger than the portion most people know about.

The main reason you’ve probably never seen it is that Google and other search engines don’t index it: pages behind logins, databases that are only reachable through a search form, paywalled content, and anything a site tells crawlers to skip.

While the Deep Web, and especially the slice of it reached through anonymity networks such as Tor (usually called the Dark Web, where anonymity is practically guaranteed), is certainly a favored place for online criminals, there’s nothing inherently illegal about unindexed content. Still, this is where potentially hundreds of millions of stolen passwords are stored and traded.

Consequences of an Open Market of Passwords

Clearly, there’s a lot that could be done with this many passwords. While many of the ones Burnett posted may no longer be good, even if 1% of them are, that’d be worth it for many hackers.

Having a password that’s not yours is how you end up with personal information you were never meant to see. Email, Twitter DMs and Facebook messages are just a few of the places where private conversations happen. Someone looking to embarrass, blackmail or hurt you could find a password on the Deep Web and be on their way.

Of course, passwords are also valuable because they can give people access to another’s money. Long ago, you’d have to rob a bank to make thousands of dollars within a few minutes. Now you just have to find the right password.

Never count out those who simply want to be a nuisance either. Plenty of people have been victims of hackers seemingly for no other reason than the criminal enjoyed causing mischief.

You Can No Longer Trust a Simple Password

How all these usernames and passwords were harvested in the first place (not by people like Burnett, but by the thieves) isn’t known, not 100% anyway. Obviously, those criminals aren’t coming forward to explain their methods.

That being said, dumps this size mostly come from breached databases, phishing and malware rather than from guessing passwords one at a time at a login page. Where a breached site stored password hashes instead of plaintext, the thieves still had to crack them, and that is where brute force comes in: software tries combination after combination of letters, numbers and symbols, starting with wordlists of common passwords, until a guess produces a matching hash. If you try the above link and simply enter some random usernames, you’ll notice that a lot of the passwords are about as simple as they get, and those fall in seconds.

This highlights how important it is to choose a long, unpredictable password, because cracking software gets the easy ones first and generally won’t waste time on the hard ones. The speed depends entirely on where the guessing happens. Against a website’s login form, rate limiting and lockouts hold an attacker to a handful of guesses per second. Against a leaked, unsalted, fast hash such as MD5, a single consumer graphics card tries billions of guesses per second, and even then a password that is long and genuinely hard to predict can mean years of work.

One thing it makes sense to do is change your password promptly whenever a service you use reports a breach, and never to reuse a password across sites. If it does get stolen and posted somewhere, only that one account is exposed, and you’ll be glad you did.

Also, choose passwords that are at least 15 characters long. This doesn’t have to be difficult. Pick a favorite lyric or slogan and then use the first letters. “You ain’t nothin’ but a hound dog” becomes “yanbahd.” Because this isn’t a dictionary word, a wordlist won’t contain it. Then add the name of whatever the password is for. If I were signing into Hotmail, my password would become “yanbahdHotmail.” That is 14 characters, so throw in your name, favorite number or something else familiar to get past 15. One caveat: cracking tools apply “rules” that append site names, years and numbers to every guess, so the strength comes from the lyric part, not the suffix. A sturdier variant of the same trick is to use whole words from the lyric rather than just their first letters.

That will give you a password that is hard to crack but still easy to remember.
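To make the numbers above concrete, here is a small Python script added to this post (it is not code from the original article, from Burnett or from the list itself). It parses a constructed sample in the dump’s username/password layout, checks a candidate password against it, sizes the brute-force search space for a password, and shows what a cracking “rule” that strips a known site name does to “yanbahdHotmail.” The sample records, the two guess rates (10 guesses per second for a rate-limited login form, ten billion per second for an unsalted MD5 hash on one GPU) and the site-name list are all assumptions chosen for the illustration.

```python
import hashlib
import string

# Constructed sample in a "username<TAB>password" layout (assumption); these are
# made-up records for the demo, not lines from the real list.
SAMPLE_DUMP = """\
jsmith\t123456
maria_g\tpassword
bob77\tqwerty
lyricsfan\tyanbahdHotmail
kwong\tCorrectHorseBatteryStaple!
"""

# Assumed guess rates: a rate-limited web login form (online guessing) versus
# an offline attack on a leaked, unsalted MD5 hash using one consumer GPU.
ONLINE_GUESSES_PER_SEC = 10.0
OFFLINE_MD5_GUESSES_PER_SEC = 1e10

# Character classes used to size the search space; 33 covers ASCII punctuation plus space.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def load_dump(text):
    """Parse username<TAB>password lines into a dict; malformed lines are skipped."""
    creds = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        user, pw = line.split("\t", 1)
        creds[user] = pw
    return creds


def password_in_dump(password, creds):
    """Check a candidate against the dump by comparing SHA-256 digests, so the
    caller never has to place the plaintext next to the list it is searching."""
    target = hashlib.sha256(password.encode()).hexdigest()
    leaked = {hashlib.sha256(pw.encode()).hexdigest() for pw in creds.values()}
    return target in leaked


def search_space(password):
    """Candidates a pure brute-force attack must cover: the combined size of the
    character classes present, raised to the password length."""
    alphabet = sum(size for chars, size in _CLASSES if any(c in chars for c in password))
    return alphabet ** len(password)


def brute_force_seconds(password, guesses_per_sec):
    """Expected time to hit the password, assuming it turns up halfway through."""
    return search_space(password) / 2 / guesses_per_sec


def strip_known_suffix(password, site_names):
    """Mimic a cracking rule: if the password ends in a known site name, drop it.
    What remains is the part the attacker actually has to guess."""
    for name in site_names:
        if password.lower().endswith(name.lower()) and len(password) > len(name):
            return password[: -len(name)]
    return password


def crack_report(password, site_names=("hotmail", "gmail", "yahoo")):
    """Summarise how the password fares in the online and offline scenarios."""
    core = strip_known_suffix(password, site_names)
    return {
        "length": len(password),
        "effective_length": len(core),
        "online_years": brute_force_seconds(password, ONLINE_GUESSES_PER_SEC) / (365 * 86400),
        "offline_seconds_after_rule": brute_force_seconds(core, OFFLINE_MD5_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    dump = load_dump(SAMPLE_DUMP)
    for candidate in ("123456", "yanbahd", "yanbahdHotmail"):
        print(candidate, "leaked:", password_in_dump(candidate, dump), crack_report(candidate))
```

Run stand-alone, the report shows the gap the text describes: seven lowercase letters take over a decade of online guessing but well under a second offline, and once the “Hotmail” suffix is stripped by a rule, the 14-character version is no stronger than the 7-character core.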

Add Software to the Mix

Another smart way to blunt these attacks is multi-factor authentication (MFA). It makes you present two or more factors to log in, typically something you know (the password) and something you have (a phone app or hardware token that produces a one-time code), so a password copied out of a dump is not enough on its own. Single sign-on (SSO) is another useful piece: you authenticate once to an identity provider with one strong password (make it a complicated one, as discussed) plus MFA, and it signs you into the other systems, so you no longer have to remember ten passwords. For the accounts that still need their own password, a password vault stores them for you, which means they can be unique and as long as you like, 100 characters if you want. Rest assured a password that long and random will not be brute-forced.
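As an added illustration of the “something you have” factor (this is example code written for this post, not AuthAnvil’s implementation or code from the original article), the script below implements the time-based one-time password algorithm from RFC 6238 on top of RFC 4226 HOTP, using only the Python standard library, and wires it into a toy login function. The demo account, its salt and its password are constructed; the TOTP secret is the RFC test key, so the codes it produces can be checked against the published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo account (assumption): the password is stored as a salted
# PBKDF2 hash and the account is enrolled with a TOTP secret. The secret is the
# RFC 4226/6238 test key, so codes can be checked against the RFC vectors.
DEMO_SALT = b"constructed-salt-for-the-demo"
DEMO_TOTP_SECRET = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000
DEMO_USERS = {
    "lyricsfan": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"yanbahdHotmail", DEMO_SALT, PBKDF2_ROUNDS),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}
# Hash compared against for unknown usernames, so the response time and message
# do not reveal which accounts exist.
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DEMO_SALT, PBKDF2_ROUNDS)


def hotp(key, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, at_time, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(key, int(at_time) // step, digits, algo)


def verify_totp(key, submitted, at_time, step=30, digits=6, window=1):
    """Accept the current code or one from the adjacent steps (clock drift),
    comparing in constant time so the check does not leak which digits matched."""
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), submitted):
            ok = True
    return ok


def login(username, password, code, at_time=None):
    """Password plus TOTP code: a stolen password alone yields 'bad code', not a session."""
    if at_time is None:
        at_time = time.time()
    user = DEMO_USERS.get(username)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, PBKDF2_ROUNDS)
    stored = user["pw_hash"] if user else _DUMMY_HASH
    if user is None or not hmac.compare_digest(candidate, stored):
        return "bad password"
    if not verify_totp(user["totp_secret"], code, at_time):
        return "bad code"
    return "ok"


if __name__ == "__main__":
    now = time.time()
    # A password lifted from a dump gets the attacker nowhere without the device.
    print(login("lyricsfan", "yanbahdHotmail", "000000", now))
    print(login("lyricsfan", "yanbahdHotmail", totp(DEMO_TOTP_SECRET, now), now))
```

The one-step acceptance window is the usual compromise between phones whose clocks drift and the size of the guessing space; a real deployment would also rate-limit code attempts and refuse to accept the same code twice.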

It’s hard to know which part of that 10 million password post is the scariest. Fortunately, if you take the right precautions, you’ll have far less to worry about.  

Ready to Get Started?

Try AuthAnvil