Coming up with a strong password is way too hard. And it's so hard to remember all of them. So the easier they are, the easier they are for me to remember. And with all the web sites I visit, I try to make them all the same so that they're easier to remember. Who wants my information anyway?
Unfortunately, there's this thing on the internet that most internet users aren't aware of. It's called the "dark web". It's a shadowy corner of the Internet that requires specialized software to access, but once connected it provides anyone with a treasure trove of illegal programs and information. This encryption technology allows users to illegally buy and sell and communicate confidentially while concealing their identities. Criminals and hackers exploit this anonymity to buy and sell thousands of stolen credentials every day. Scary, huh?
A couple of years ago, hackers stole the data and passwords of more than one billion Yahoo users. Last year, hackers began selling that personal information on the "dark web" -- dubbed "the hacker's playground." Experts estimate hundreds of millions of Internet passwords are compromised each year worldwide.
The stolen data is sold cheap. In 2015, the average price of login credentials for video streaming services like Netflix was as little as 55 cents. Online bank login usernames and passwords were going for a few hundred dollars in 2015; but the amount of money a hacker could then steal would make that a worthwhile investment.
Even with strong password, you’re probably guilty of another password crime: recycling. 81% of Americans admit to using the same password for multiple online accounts. Once a criminal gets their hands on your credentials for one account, they’ll certainly try it on any of your other accounts they can find.
This is a big danger for businesses. Imagine if an employee’s personal credentials get hacked, but they’re using the same password for their work email. Suddenly, the hacker has a back door into your business. Once inside, they can sneak malware onto your network or try to penetrate deeper to get at your financial or employee records.
You're in the Dark
One big problem with stolen credentials is that many businesses don’t know when they’re stolen. According to the Verizon study, 93% of attacks took only minutes, but the organization took weeks or more to discover the breach. In that time, your stolen data can travel extremely far on the dark web.
In an experiment by cloud security company Bitglass, researchers tested how stolen data spreads on the dark web. They created a fake Google Drive account with fake financial data and other personal data. Then they leaked the Google Drive credentials and watched how hackers reacted. The data immediately generated over 1,400 hits and 94% of the hackers also found the victim’s other accounts, including the fake bank account. It’s a powerful reminder of how fast information can spread online and of the danger of reusing passwords.
What Can You Do?
Well to start with, follow the rules of basic password security: don’t write them down, use a password manager, use two-factor authentication whenever possible, and don’t use anything that’s easily guessable.
Also, you can enroll in a personal identity and credit monitoring service - something like Lifelock - so that you know when there’s activity on your personal credentials that requires attention.
Unfortunately, most businesses don’t know if and when their credentials have been stolen and that they're available on the dark web. But you don’t have to be in the dark any more (pun intended). Part of FPA's Managed Security Services offering includes monitoring of the dark web. If you'd like to discuss this specifically or our overall approach to cyber security services in general, please feel free to contact us.
We'd love to hear from you. Please share your thoughts and experiences in the Comment field below or shoot me an email if you'd like to chat about this in more detail.