Problems with passwords in 2019

Earlier this year, Wired published an article with a screaming title: “Hackers are passing around a megaleak of 2.2 billion records.” Cybersecurity professionals analyzed the content of the package and found it filled with username and password combinations that were taken from numerous previous data leaks. This confidential information was stored in two packages called “Collection #1” and “Collection #2–5” and contained over 2.2 billion unique combinations. All this was put on display and made available for free on various hacker forums.

It’s nearly impossible to estimate the damages (current and upcoming) caused by this leak, but in this article, I will explain broader possible outcomes and give some tips on how to maximize one’s security online.

What is password hacking?

To understand why a strong password or a good password manager is necessary, it’s worth taking a look at how passwords are generated, stored, and potentially hacked. Let’s take Facebook as an example: whenever a user signs up for its services, he or she provides a username and a password to match. Let’s say a weak password, “test123,” is chosen. This password will be stored on Facebook servers and linked to the username in question, but it will not (or should not) be stored in plain text. The “test123” password will go through a process called hashing and will look like this: “cc03e747a6afbbcbf8be7668acfebee5” (MD5 hashing technique).

Hashing is a one-way cryptographic function. Unlike encryption, which is primarily used to exchange information online securely, password hashes are not produced to be decrypted. That means that if a hacker obtains a hashed password, he or she will not be able to use any decryption key to revert it to its text form.

Furthermore, an additional “salting” process can be applied to strengthen the function by adding a random data string to a password before hashing it, making the reverse to its original form nearly impossible.

However, this does not mean that there’s no workaround. Hashing will always produce the same value from the same input, so a brute-force cracking method can be successfully applied. Instead of trying every possible password combination for a given username, hackers now acquire massive databases of leaked hashes. After that, an algorithm is launched that produces hashes for candidate password strings. For example, “teet” is hashed and compared to the acquired database: no luck. Then “test,” then “test111,” and after quite some time “test123” is hashed, and the hacker is alerted that there’s a match. How long this takes depends on the hashing and salting technique used, but one way or another it is one step closer to account takeover.

The National Cyber Security Centre of the United Kingdom carried out a study revealing that the password “123456” was used more than 23 million times. Other popular passwords like “qwerty” or simply “password” were at the top of the list as well.

So, the hashed form of “123456” needs to be acquired only once; after that, it is a matter of digging through the database at hand to link this hash to the various users that used the same password. The biggest problem is that a lot of companies consider hashing passwords to be enough, so if their security systems are breached, a whole array of usernames (that are stored in original text form), e-mails, and other sensitive data is linked to a particular hash. So if you’re using a weak password, most likely its hashed form is already leaked somewhere and you’re at risk.
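The difference between unsalted and salted storage can be seen on a small table of accounts. The following is an added example, not code from the original article: the user names, the PBKDF2-HMAC-SHA256 function and its iteration count are assumptions chosen for illustration, while “test123” and its MD5 value are the ones quoted above.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not real data); two users picked "test123".
USERS = {"alice": "test123", "bob": "test123", "carol": "J0nD_e1@#/eEa~"}
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def md5_unsalted(password):
    """Scheme from the article: the same input always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_salted(password, salt=None):
    """Random per-user salt plus a deliberately slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Login check: recompute with the stored salt, compare in constant time."""
    _, digest = pbkdf2_salted(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_hashes(table):
    """Audit helper: stored hashes that belong to more than one account."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}

MD5_TABLE = {user: md5_unsalted(pw) for user, pw in USERS.items()}
SALTED_TABLE = {user: pbkdf2_salted(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    # Unsalted: alice and bob collapse onto one hash, so one lookup exposes both.
    print("unsalted duplicates:", shared_hashes(MD5_TABLE))
    # Salted: every stored digest is unique even though the passwords match.
    digests = {user: d.hex() for user, (_, d) in SALTED_TABLE.items()}
    print("salted duplicates:  ", shared_hashes(digests))
    salt, digest = SALTED_TABLE["alice"]
    print("correct password verifies:", verify("test123", salt, digest))
```

With the unsalted table, a single known hash identifies every account that shares the password; with per-user salts, each stored value has to be attacked separately and each guess costs 600,000 hash iterations.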

According to the study by the NCSC, a lot of people do use the same password for multiple logins, making a hacker’s work much easier. For example, LinkedIn leaked 177 million user accounts and their password hashes in 2012. Knowing what e-mail was used for registration, a hacker then goes through the list looking for users who used “qwerty” or “123456” as a password and then tries the same password to get access to the e-mail in question. This is why it’s crucial not to use the same password for different services. Gmail or Twitter may be extremely hard to hack, but an online casino platform or discount pages that you’ve registered for may have much weaker security, and if they leak credentials that you have used somewhere else, then all those other platforms are automatically at risk.

Potential dangers: two popular hacking methods

The history of cybercrime and cybersecurity is the history of a still-developing digital world. Looking at the timeline, there’s a massive spike in cybercrime around the turn of the millennium, roughly at the time when the dot-com bubble hit. The transition of sales and financial transactions to online platforms happened so quickly that security practices got left way behind. Facebook is suffering frequent data leaks giving away millions of confidential credentials, MySpace leaked back in the day, LinkedIn leaked 177 million passwords, and Aadhaar leaked the confidential information of 1.1 billion Indian citizens, including addresses and photos.

All this information can and will be used for one of the most popular hacking methods: phishing. Phishing is a term used to describe a process by which a hacker tries to extort (usually) an amount of money by sending a fraudulent e-mail. Remember the famous Nigerian prince case. However, internet users grew smarter over the years, and these days hardly anyone would believe they received an e-mail from a Nigerian prince who is willing to share his riches in exchange for a small amount of money he needs to receive upfront.

Unfortunately, hackers are constantly developing new phishing methods, and the e-mails that they send nowadays are more than convincing. Much of this has to do with the rise of social networks and data leaks. Instead of aiming blindly, hackers now have enough information to construct a persuasive letter. If you have a public Facebook profile, they might see the school that you went to, your address and phone number, places you’ve visited and so on. But what frightens the most is genuine confidential information. If, by the means explained above, a hacker obtains a hashed password, manages to link it to its text form and further links it to your e-mail address, you may receive a really convincing e-mail.

Needless to say, it’s frightening to receive an extortion e-mail that contains a real password that you’ve used in the past. You might not be using it anymore, but such an e-mail does sound convincing, and lots of users react on the spot by sending the required amount of money. The latest trend is sextortion e-mails shown in the image above. A hacker uses a real username and password obtained from a leaked database and personalizes the message as much as possible to convince you it’s authentic, while in reality it’s probably generated by a weak AI algorithm and sent to tens of thousands of users.

Another emerging practice is credential stuffing. The principle is simple and easy to execute, and it would not be possible if numerous online platforms had invested in cybersecurity in time. Before, hackers spent endless hours brute forcing passwords, which is time-consuming and rarely provides enough information to compensate for the effort. Credential stuffing is not brute force or guessing. It’s a process of obtaining a vast database of leaked credentials and then going to various online platforms and trying to log in with them. After the massive Facebook leak last year, and with the emergence of the data package mentioned at the beginning of this article, an increase in failed logins to Gmail accounts followed. A safe assumption is that this was caused by hackers executing credential stuffing attacks, checking the validity of the leaked data they had on their hands.

6 tips for healthy password management

1. Use a strong password. Netizens tend to overlook this because casual users do not know how password hashing works. With “qwerty,” no one even needs to crack the hash: hashed forms of the most popular passwords are widely available. Users also tend to think of simple passwords like a first and last name and a few numbers. This is a bad practice as well, because once a hacker has an unrecognized hash string, they will try to recreate it by checking hashes for names and surnames. For example, “JonDoe” will be hashed, then “JonDoe00”, then “JonDoe01” and so forth. If a password is “J0nD_e1@#/eEa~” then a hacker will have to go through millions of random password combinations, which literally would take thousands of years to produce a corresponding hash value. A strong password is usually considered to be one of 12 or more characters in length, with upper/lower case letters, numbers and symbols.

2. Do not use the same password twice. If one way or another your password is obtained and linked to your e-mail address on any platform that leaked, then you can be sure that it will be tried against your e-mail account or used to access any other platform. For example, ArmorGames.com leaked e-mails and passwords, and it’s a safe assumption that their users use Steam or Humble Bundle as well. If you used the same e-mail and password for both platforms, then account takeover is probable, even though you haven’t used ArmorGames in ages and forgot all about it.

3. Check your e-mail address on https://haveibeenpwned.com. It’s a huge repository of known leaks; after you input your e-mail address, it will show you whether it was related to any leaks. If it was, changing the leaked passwords should be a top priority.

4. Use a random password generator. I use the Strong Password Generator Chrome extension. It’s an easy-to-use extension that allows you to choose the length of your password, whether to use lower/upper case letters, symbols, numbers and so on.

5. Enable 2-factor authentication (2FA). This is extremely important and is advised by all cybersecurity professionals. No one is absolutely secure online, and it’s a safe assumption that your password might be leaked, especially if you’re an active online persona. 2FA is a considerable obstacle: after a long process of cracking the hash and/or stuffing credentials, there’s still a need to gain access to the user’s mobile phone to obtain a second authentication code. Getting access to mobile phones is an entirely different and complicated process that usually deters most hackers.

6. Use a password manager. Obviously, you won’t be able to remember lots of complex and different passwords, and storing them in a text document on your desktop defeats the whole purpose. Password managers like LastPass or Dashlane store password hashes in encrypted repositories and have proven themselves to be efficient at what they do. A manager adds comfort as well: instead of remembering or writing down lots of complex passwords, you need to remember only one. There are various password managers, and the best recommendation is to do your own research: what kind of encryption is used, password hashing techniques, salting and so on. Transparency is also beneficial. For example, LastPass had a security breach, and they immediately informed their customers to avoid further damages and hastened the integration of Hardware Security Modules into their systems. This is what you are looking for when choosing a reliable cybersecurity software provider.
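Tips 1 and 4 can be put into numbers. The sketch below is an added example, not the code of the Chrome extension mentioned above: it generates a password from the operating system’s secure random source and compares the size of its search space with that of the “JonDoe01” pattern. The list size of 100,000 known names is an assumed figure for illustration.

```python
import math
import secrets
import string

# The four character classes from tip 1: lower case, upper case, numbers, symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def generate_password(length=16):
    """Random password containing at least one character of every class."""
    if length < 12:
        raise ValueError("tip 1 asks for 12 or more characters")
    alphabet = "".join(CLASSES)
    while True:
        # secrets uses the OS CSPRNG; the random module is predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject and redraw instead of patching characters in, so every
        # valid password stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate

def search_space_bits(alphabet_size, length):
    """log2 of the number of candidates an exhaustive search has to cover."""
    return length * math.log2(alphabet_size)

def name_plus_digits_bits(known_names, digits):
    """Search space of the 'JonDoe01' pattern: a listed name plus N digits."""
    return math.log2(known_names * 10 ** digits)

if __name__ == "__main__":
    alphabet_size = sum(len(cls) for cls in CLASSES)  # 94 printable characters
    print("generated:", generate_password(14))
    print("random 14 characters: %.1f bits" % search_space_bits(alphabet_size, 14))
    # Assumed list of 100,000 first/last name combinations plus two digits.
    print("name + 2 digits:      %.1f bits" % name_plus_digits_bits(100_000, 2))
```

Each additional bit doubles the number of hashes that have to be computed, so the gap between roughly 23 bits and roughly 92 bits is the difference between a lookup and an infeasible search.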

Conclusions

Cybercrime is a phenomenon that usually “happens to somebody else.” But this is a widespread and contemporary danger that might result in various issues. At one point hackers were able to gain access to a Nest Cam installed in a child’s bedroom and play pornography through it. Access was gained due to disabled two-factor authentication. There were numerous Instagram account takeovers and deletions, ransomware attempts, and your identity can even be used on the darknet to buy illegal substances. One way or another, safe password management will be a substantial step forward to securing your privacy online, and this step begins with a user taking action.