Protecting personal data is the lifeblood of our business lives and is of paramount importance to corporations everywhere.
Yet, we have recently seen another set of personal information dumped onto the Dark Web.
This time, it was 500 million Yahoo account profiles, which comes quickly on the heels of both the LinkedIn’s 2012 dataset and MySpace credentials that were also recently made publicly available by hackers.
An internet criminal calling himself “peace_of_mind” is selling the Yahoo data for up to 3 bitcoins, which is just over $1,800.
>See also: Personal data of over 93.4 million Mexican citizens leaked online
There is an enormous market for stolen information. The reality is that data delivers dollars and the same is true for illegally obtained user details.
To combat this problem, we need to make stolen credentials worthless to cybercriminals.
Unencrypted credentials
So, what happens when the bad guys acquire your credentials? You might think the password is hashed or encrypted and are therefore protected.
In the case of LinkedIn 2012 dataset, the SHA1 algorithm was used, which is now considered a broken hash and should not be used.
To make things worse, the passwords were hashed without first being “salted” (i.e. adding more data to the password to hide its true meaning).
A password recovery service organisation took this opportunity to test their offering and were able to crack more than 80% of the passwords.
>See also: Leaked info of 50 million Turkish citizens could be largest breach of personal data ever
The fact is that more than 1.1 million people chose the password “123456” and nearly 190,000 people chose “password”.
If people are using such configurations for then there is a good chance they are adopting the same password on more sensitive sites, such as bank accounts, which might be more interesting to cybercriminals.
Protecting passwords
Most sites today require a combination of capital letters, numbers and occasionally a special character.
However, there are common patterns that most of us tend to use, like starting with a capital letter and ending with a couple of numbers.
If a special character is required, we typically place it on the end. The bad guys know this.
With machines equipped with today’s off-the-shelf processing power, even these seemingly complicated passwords are cracked in relatively short time. So, what is the answer?
Organisations need to do much more than just bolster their security with a firewall.
A survey conducted by F5 Networks showed that as many as 61% of UK consumers believe that businesses are not doing enough to protect themselves and their customers against cyber-criminals, with better investment perceived by respondents as the best way for this to be remedied.
However, users must take some of the responsibility themselves. Worryingly, the research also showed that 8% of UK consumers haven’t changed their passwords after an account they have an account with was hacked.
Cybercrime rings hire armies of people whose sole job is to try and hack into the sites that are essential to our daily lives.
>See also: Data protection and Brexit: Where UK businesses will stand with GDPR
As users, we need to be more innovative with our password selections.
A management tool – password manager – can automatically generate passwords and allows you to select the level of complexity, pattern type and length.
The advantage is that the password to the management tool is the only one you need to remember.
Taking responsibility
In summary, your personal data is valuable.
Cybercriminals spend enormous effort trying to access your information for unscrupulous commercial gain.
By adopting best practice and investing in personal security, your vital credentials will remain encrypted, which means that should a hack take place, then you automatically devalue the stolen data for the cybercriminal.
Don’t ignore the dangers of the Dark Web – cybersecurity is all of our responsibility. Stay safe.
Sourced by Michael Brown, Systems Engineering Manager, F5 Networks
