Electronic news service of the Ministry of Communications and Information Technologies

Hackers google people: Millions still using sports team, hometown, band, or child names as passwords


A report from Kevin Lancaster, founder of cybersecurity company ID Agent, scoured two billion passwords on the Dark Web and collected the most common passwords traded there.

Lancaster found that millions of people are still using their favorite song, sports team, or superhero as their password, all of which are easily discoverable by cybercriminals doing routine searches of a person's social media profiles.

"Even with all this noise about all the breaches that happen every day that make the news and how damaging cyberattacks are, we're still seeing people do really stupid things with passwords, day in and day out," Lancaster said in an interview.

"At times it makes you want to hit your head against a wall. On one hand it drives you nuts that we're still talking about this 10 years later but on the other hand it's easy to understand that it's really hard to solve. We're still seeing people use things that are familiar to them because it's easy to remember."

Lancaster said the explosion of digital platforms that billions of people have to use for work, education and pleasure has forced people into an untenable situation where they feel they have no choice but to reuse passwords across dozens of accounts.

While people know they need sophisticated, unique passwords for every account, they also don't have the time or mental bandwidth to create different ones for every account they own.

In his research of passwords leaked to the Dark Web, he found that many people are still using very basic passwords and variations of information related to things they love. Passwords like "rolltide," "yankees," "redsox," "mickey," "superman," and "batman" are wildly popular despite their simplicity. 

Some even put the name of their favorite sport, like "football" or "baseball" as their password while others use band and song names like "blink182," "beatles," and "8675309."

Lancaster noted that in our hyper-sharing environment with dozens of social media sites, all of this information about a person's interests can be found fairly easily, making it simple for cybercriminals to guess passwords and variations.

In addition to sharing on social media sites, there are also websites dedicated to aggregating information on random people, making it even easier for hackers to find what they need to get into your accounts.

"To exploit someone, to start guessing passwords and putting them in automated scripting machines and trying to find holes, is very easy, especially if you have an address or known associates. If you know that they are diehard Yankees fans and what their kids' names or pets' names or who their relatives are, it's relatively easy to do," Lancaster said.

For his research, Lancaster sorted through billions of passwords he found on TOR or the Dark Web, which he said included everything from small credential dumps that might be specific to a small dental practice and their CRM system to major platforms like Zoom, LinkedIn, and Dropbox.

After normalizing and cleaning up the data to remove data that may have been dumped twice, he looked through to find patterns. He took out all of the default passwords and accounts using "password" or "123" as the password in an effort to focus on the most commonly used trends in password creation.

But even that may be giving the public too much credit. Just last month, there was widespread outrage after a group posted more than 25,000 email addresses and passwords reportedly belonging to the World Health Organization, the National Institutes of Health, the Gates Foundation and other groups working to battle the coronavirus pandemic.

Even though many of these people are vital to efforts to combat the virus' spread, Australian cybersecurity expert Robert Potter told the Washington Post that after digging through the trove of data, he discovered 48 people had "password" as their password while dozens of people used their first name or "changeme" as passwords.

Putting that aside, Lancaster looked at what kinds of passwords people typically turn to and found that first names, sports associations, and animated characters are increasingly common. This trend is not just in the United States. All across the world and in almost every language, people fall into similar traps of using extraordinarily easy-to-guess passwords.

Lancaster said that while there was troubling data about password use, there was some indication that people were only using poor passwords for sites they did not consider to be important.

"You do see evidence that people understand that for some sites, there might be more risk. So for their bank, they may be a bit less inclined to use a person's first name and a one and an exclamation point. But in sites that might be throwaways, they still use first names, last names, combos," he said.

"It's all about educating people about what the exploits are and why they should be cautious. A lot of this stuff can be eliminated through making sure that you enable two-factor authentication on the applications or create a layered approach using password managers."
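The patterns Lancaster describes (a common word such as a team, superhero or band name, a first name or a pet's name, decorated with "a one and an exclamation point") are exactly what a password-screening check at account creation can catch before the password is ever stored. The following is an added example, not code from ID Agent or from the article: it strips the usual digit/punctuation decoration and simple character substitutions from a candidate password and rejects it if the remaining base word is on a deny list or contains a term the user is known to be associated with. The deny list and the personal terms are constructed for illustration; a real deployment would load a breached-password corpus in their place.

```python
import re
from typing import Iterable, List, Optional, Set

# Constructed deny list: the base words the article reports as wildly popular,
# plus the defaults seen in the WHO/NIH dump. Stand-in for a real breached-
# password corpus.
COMMON_BASE_WORDS = {
    "password", "changeme", "rolltide", "yankees", "redsox", "mickey",
    "superman", "batman", "football", "baseball", "blink182", "beatles",
    "8675309",
}

# Undo the simplest character substitutions ("p@ssw0rd" -> "password").
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Leading/trailing runs of digits and punctuation, e.g. the "1!" in "Lucas1!".
SUFFIX_RE = re.compile(r"[\d\W_]+$")
PREFIX_RE = re.compile(r"^[\d\W_]+")


def candidate_forms(password: str) -> Set[str]:
    """Return the plausible 'base words' hidden in a password: the raw value,
    the value with decoration stripped, and both with substitutions undone."""
    raw = password.lower()
    stripped = PREFIX_RE.sub("", SUFFIX_RE.sub("", raw))
    forms = {raw, stripped, raw.translate(LEET_MAP), stripped.translate(LEET_MAP)}
    forms.discard("")  # an all-digit password strips to nothing; keep the raw form only
    return forms


def matches_common(forms: Set[str]) -> Optional[str]:
    """Return the deny-list word a candidate form equals or (for words of six
    or more characters, to limit false hits) contains."""
    for form in sorted(forms):
        for word in sorted(COMMON_BASE_WORDS):
            if form == word or (len(word) >= 6 and word in form):
                return word
    return None


def screen_password(password: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password should be rejected (empty list = accepted).

    personal_terms are things an attacker could learn from a social media
    profile: first name, children's or pets' names, favourite team.
    """
    reasons: List[str] = []
    forms = candidate_forms(password)

    word = matches_common(forms)
    if word is not None:
        reasons.append(f"based on common word '{word}'")

    personal = {t.lower() for t in personal_terms if len(t) >= 4}
    for term in sorted(personal):
        if any(term in form for form in forms):
            reasons.append(f"contains personal term '{term}'")
            break

    return reasons


if __name__ == "__main__":
    # Constructed profile for a hypothetical user; the names are illustrative.
    profile = ["Lucas", "Bella", "Yankees"]
    for candidate in ["Superman1!", "P@ssw0rd", "Lucas2012!", "goyankees99",
                      "correct-horse-battery-staple"]:
        verdict = screen_password(candidate, profile)
        print(f"{candidate!r:32} -> {'REJECT ' + '; '.join(verdict) if verdict else 'accept'}")
```

The check is deliberately run on the normalized forms rather than on the raw string, since the decoration and substitutions are precisely what users add to feel that "Superman1!" differs from "superman"; pairing a screen like this with two-factor authentication and a password manager, as the article suggests, removes the incentive to choose a memorable base word in the first place.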

08/05/20