Weak password security continues to be a huge issue despite the hundreds of unfortunate cases of leaked password databases, hacks and other incidents of the sort. The bad habit of reusing the same password across multiple devices and platforms makes it extremely easy for attackers to grab and exploit login credentials, which can then be leveraged in various malicious scenarios.
Worst credentials breach exposes 1.4 billion usernames and passwords
The most recent case involving breached user passwords was reported by security researchers at 4iQ, who discovered a new collective database on the Dark Web. The database was also released via torrent and contains a mind-blowing 1.4 billion credentials (usernames and passwords) in clear text, which makes the incident the largest credential exposure made public. The database was found on December 5th in an underground forum and has been identified as the largest aggregation of credentials discovered on the Dark Web. The announcement was made in a blog post on Medium by Julio Casal, founder of the security firm 4iQ.
“While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date,” Casal wrote. What makes the breach rather scary is that none of the leaked passwords are encrypted, and on top of that, researchers were able to test and verify most of them as true.
This breach is so big that it exceeds the previous largest credential leak, which exposed 797 million records. The database is in fact an aggregate of 252 previous breaches, which include known credential lists like Anti Public and Exploit.in. It also includes decrypted passwords from known breaches like LinkedIn, Bitcoin and Pastebin.
As Casal explains, “this is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports.” Since most users reuse the same passwords across social media, e-commerce, email and even banking accounts, the outcome of this extreme leak will most likely be multiple account takeovers or hijacking cases.
Where are the credentials taken from?
The aggregate database contains plain text credentials from Bitcoin, LinkedIn, Pastebin, MySpace, YouPorn, Netflix, Last.FM, Badoo, Minecraft, Runescape, and credential lists such as AntiPublic and Exploit.in.
On top of everything said so far, the new breach has added 385 million new credential pairs, 318 million unique users, and 147 million passwords related to previous dumps. The new database is also perfectly organized and indexed alphabetically, making it easier for unprofessional or inexperienced cyber criminals to quickly search for passwords.
Just to illustrate the severity of the situation and how bad it is to reuse the same simple password – a simple search for “admin”, “administrator” and “root” would show 226,631 passwords that were actually used by admins.
The usual “worst passwords ever created” are also in place. Passwords like “123455”, “password” and “111111” are still used quite broadly.
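A practical defender-side counterpart to the alphabetical index described above is checking whether a password already appears in a leaked corpus without ever sending the password itself. The following added example (not code from the article or from 4iQ) shows the k-anonymity scheme popularised by breached-password lookup services: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range, and matches the remaining 35 characters locally. The leaked dump below is constructed inline for the example and contains no real data.

```python
import hashlib
from collections import Counter

# Constructed sample of a leaked-credential dump ("user:password" lines).
# These are not real accounts; the passwords are the usual weak favourites.
LEAKED_DUMP = """\
alice@example.com:123456
bob@example.com:password
carol@example.com:111111
dave@example.com:qwerty
erin@example.com:letmein
frank@example.com:123456
"""


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of a password into a 5-char prefix
    (the only part that leaves the client) and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_breached_hash_index(dump_text):
    """Index a dump the way a range lookup service stores it:
    {prefix: Counter({suffix: number_of_occurrences})}.
    Only the password column is hashed; usernames are discarded."""
    index = {}
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than guessing at them
        _, pwd = line.split(":", 1)
        prefix, suffix = sha1_prefix_suffix(pwd)
        index.setdefault(prefix, Counter())[suffix] += 1
    return index


def range_query(index, prefix):
    """Simulate the server side of a k-anonymity lookup: given a 5-char
    prefix, return every known suffix in that range with its count.
    The server never learns which suffix the client is interested in."""
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side: how many times does this password occur in the corpus?
    The password and its full hash never leave this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    idx = build_breached_hash_index(LEAKED_DUMP)
    for candidate in ("123456", "password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, idx), "occurrence(s)")
```

In a real deployment the index lives on the lookup service and `range_query` is an HTTPS call; the point of the prefix split is that the service sees roughly one in a million of the hash space per query and cannot tell which password in that bucket the client holds. Treat any non-zero count as a reason to reject the password at registration or password-change time.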
The author of the database still remains anonymous, but whoever this person may be, he (or she) has included Bitcoin and Dogecoin wallets for donations.
Considering all the enormous data breaches that happened in 2017 alone, it is highly advisable to use a different, unique password for each and every account of yours. However, if you find it challenging to keep track of so many different passwords, you should definitely consider employing a password manager.
Using a password manager may be a great idea after all
If you still haven’t made up your mind whether you should use a password manager or not, here’s some useful information to help you decide.
A typical password manager installs as a browser plug-in and takes care of password capture. When you log in to a secure website (HTTPS), the password manager offers to save your login. When you come back to that page, the manager automatically fills in your credentials, and sometimes other web forms as well. Most password managers offer a browser-toolbar menu of all saved logins to make it easier to log in to saved sites.
As to whether password managers are completely secure, it depends. The ideal situation would be a very powerful human memory and a unique password for each of your accounts. In reality, things are not even close to that, which is why using a password manager is safely assumed to be a better idea than not using one at all (i.e., relying on one single simple password for all accounts).
Nonetheless, using a password manager would guarantee:
- The strength, complexity and randomness of passwords;
- The passwords being remembered and kept safe at one place.
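To make the two guarantees above concrete, here is an added example (not from the article or from any particular password manager product) of the core of what a manager does for you: it draws each password from a cryptographically secure random source with enough length to be infeasible to guess, it can quantify that strength as entropy, and, because it remembers everything in one place, it can audit the vault for the password reuse that turns one leaked database into many account takeovers. The vault contents in the example are constructed inline.

```python
import math
import secrets
import string

# Character classes a generated password must draw from; 94 printable symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a password using the OS CSPRNG (the `secrets` module, never
    `random`), retrying until all four character classes are present so the
    result also satisfies typical site complexity rules."""
    if length < 4:
        raise ValueError("length must allow all four character classes")
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pwd)
                and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd)
                and any(c in string.punctuation for c in pwd)):
            return pwd


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of `length` over `alphabet`.
    A 20-character password over 94 symbols is about 131 bits; a reused
    dictionary word carries effectively zero once it is in a leaked dump."""
    return length * math.log2(len(alphabet))


def build_vault(accounts):
    """Assign a fresh, independently generated password to every account,
    which is what a manager does when it offers to save a new login."""
    return {account: generate_password() for account in accounts}


def audit_reuse(vault):
    """Return {password: [accounts, ...]} for every password that protects
    more than one account; an empty dict means no reuse in the vault."""
    by_password = {}
    for account, pwd in vault.items():
        by_password.setdefault(pwd, []).append(account)
    return {pwd: accts for pwd, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed "before" vault: the habit the article warns about.
    reused = {"mail": "Summer2017!", "bank": "Summer2017!", "shop": "letmein"}
    print("reused passwords:", audit_reuse(reused))
    # "After": one random password per account, nothing shared.
    fresh = build_vault(["mail", "bank", "shop"])
    print("reused passwords:", audit_reuse(fresh))
    print("entropy of a 20-char password:", round(entropy_bits(20), 1), "bits")
```

The generator retries rather than forcing one character from each class into fixed positions, so the distribution stays uniform over the accepted set. A real manager additionally encrypts the vault under a key derived from the master password, which is exactly why the failure modes listed further down (an unprotected computer, malware capturing the master password) matter so much.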
Also, keep in mind that many modern password managers rely on improved features such as:
- Synchronizing information across devices in a safe manner;
- Automatically filling in both passwords and common web forms;
- Storing arbitrary notes.
However, a password manager may fail to protect your credentials if:
1. Your computer is not protected efficiently;
2. Your computer falls victim to malware or spyware and your master password is obtained by cybercriminals.
That is why, in addition to using a good password manager, it is highly recommended to also run a strong anti-malware program. In short, the safest password is a well-crafted one, used on a protected computer.