4iQ Finds A File Containing 1.4 Billion Credentials on the Dark Web
Last week, 4iQ reported finding 1.4 billion cleartext credentials (usernames or e-mail addresses paired with passwords) in a single 41 GB file on the Dark Web. To be exact, the file holds 1,400,553,869 username/cleartext-password pairs. 4iQ tested a sample of the credentials and verified that they still worked. The file is indexed and sorted alphabetically, so experienced attackers and script kiddies alike can look up a target and try the password directly. Expect these passwords to be folded into the wordlists used for dictionary and brute-force attacks, and the pairs themselves to be replayed against other sites (credential stuffing). The collection was compiled from 252 previous breaches and joins a growing number of aggregated credential files already circulating on the Dark Web.
Want to know whether your password appears in this database? You can find out here. If it does, change that password everywhere you used it. Prefer a checker that hashes the password on your own machine and submits only a short prefix of the hash; never type a password you still use into an unknown web form.
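The lookup link above is not reproduced here. As an added example (not code from the original post or from 4iQ), the following shows how a checker can tell you whether a password is in a breach set without ever receiving the password: the client hashes it locally, sends only the first five hex characters of the SHA-1 digest, gets back every breached suffix under that prefix, and finishes the comparison at home. The breach set is a constructed handful of the common passwords named in this article; the function names are this example's own.

```python
import hashlib

# Constructed breach set: SHA-1 digests of a few passwords this article lists
# as common. A real service holds hundreds of millions of hashes and would not
# keep the plaintexts at all; they appear here only to build the example.
_KNOWN_BREACHED = ["123456", "123456789", "password", "iloveyou",
                   "1q2w3e4r", "dragon", "monkey"]


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the form breach lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_HASHES = {sha1_hex(p) for p in _KNOWN_BREACHED}


def range_lookup(prefix):
    """Server side: given a 5-hex-character prefix, return the 35-character
    suffixes of every breached hash that shares it. The server learns only
    the prefix, which many unrelated passwords share, never the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in BREACH_HASHES if h.startswith(prefix))


def is_breached(password):
    """Client side: hash locally, query by prefix, compare the suffix locally.
    The cleartext password never leaves this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


if __name__ == "__main__":
    for candidate in ["123456", "correct horse battery staple"]:
        print(candidate, "->", "BREACHED" if is_breached(candidate) else "not found")
```

If the range query is sent over the network, the server sees thousands of possible passwords behind each prefix, so a logged query does not identify yours; a site that asks for the password itself offers no such protection.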
One thing that stands out in this file is that people tend to use the same password for all of their accounts. This is poor password hygiene. In one example from the dump, a single user had the same password (“1369888369”) on every one of his or her e-mail accounts.
That is not all. The 4iQ researchers also noted recurring password patterns among the entries in this new credential file:
Perhaps the most disappointing finding from this database of cleartext credentials is that the most common password was “123456,” which appears 9,218,720 times. “123456789” comes in second. Other very common passwords were “password,” “iloveyou,” “1q2w3e4r,” “dragon,” and “monkey.” Additional common passwords are listed below.
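The reuse and frequency observations above are the kind of thing that falls out of a few lines of analysis over the dump. As an added example, not code from 4iQ or the original post, here is a small Python pass over a constructed sample in the same “identifier:password” layout: it counts the most common passwords, flags people who reuse one password across several of their own addresses (grouping by the part before the “@”, as in the e-mail example above), and tallies coarse patterns such as digits-only passwords. The sample lines are made up; the function names are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the dump's "identifier:password" layout. The real file
# is 41 GB; these ten entries (plus one junk line) exist only for the example.
SAMPLE_DUMP = """\
alice@example.com:123456
alice@example.org:123456
bob@example.net:Password1
carol@example.com:iloveyou
carol.s@example.org:Summer2016!
dave@example.com:123456
dave@example.org:1q2w3e4r
this line has no separator and is skipped
erin@example.com:123456789
frank@example.net:123456
frank@example.org:dragon
"""


def parse_dump(text):
    """Return (identifier, password) pairs, skipping malformed lines.
    Splits on the first ':' only, so passwords containing ':' survive."""
    pairs = []
    for line in text.splitlines():
        ident, sep, password = line.partition(":")
        if not sep or not ident.strip():
            continue
        pairs.append((ident.strip(), password))
    return pairs


def top_passwords(pairs, n=5):
    """Most common passwords with their counts, e.g. [('123456', 4), ...]."""
    return Counter(pw for _, pw in pairs).most_common(n)


def reuse_by_person(pairs):
    """Group addresses by local part (text before '@') and report people who
    use one password on two or more of their addresses."""
    per_person = defaultdict(lambda: defaultdict(list))
    for ident, pw in pairs:
        local = ident.split("@", 1)[0].lower()
        per_person[local][pw].append(ident)
    reused = {}
    for local, by_pw in per_person.items():
        for pw, idents in by_pw.items():
            if len(idents) >= 2:
                reused[local] = {"password": pw, "accounts": sorted(idents)}
    return reused


def classify(password):
    """Coarse pattern class: digits only, letters only, or mixed."""
    if password.isdigit():
        return "digits only"
    if password.isalpha():
        return "letters only"
    return "mixed"


def pattern_counts(pairs):
    """How many passwords fall into each coarse pattern class."""
    return dict(Counter(classify(pw) for _, pw in pairs))


if __name__ == "__main__":
    pairs = parse_dump(SAMPLE_DUMP)
    print("entries:", len(pairs))
    print("top passwords:", top_passwords(pairs))
    print("reuse by person:", reuse_by_person(pairs))
    print("patterns:", pattern_counts(pairs))
```

On the real file the same three functions would be run over a stream rather than an in-memory list, but the logic is unchanged; the defaultdict grouping is what lets the reuse check run in a single pass.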
Creating a Strong Password
So, with your password quite possibly in this database, how do you protect yourself? The first step is to change your passwords, and the new ones have to be strong.
Using A Strong Password
A good password is at least 8 characters long (preferably 10 or more); many organizations require 14 or more for administrator accounts. Length is what matters most: every added character multiplies the number of guesses an attacker must make. Using all four character types (uppercase, lowercase, digits, and special characters) widens the search space further, so “I@mgr8@StuDyinG” is a strong password by those measures, and it is memorable because it means something to me. (Now that it is printed in an article it is burned; anything published in a blog post or a breach file ends up in cracking wordlists, so do not use it.) A password like “SfG539Nb*!” is just as strong on paper, but it is hard to remember, and a password you cannot remember ends up written down somewhere. If you want random passwords like that, let a password manager generate and store them; otherwise choose a long passphrase you can actually recall.
Use a Minimum Password Length
As noted above, 8 characters is a reasonable minimum. Passwords of 6 characters or fewer fall quickly to readily available cracking tools: a 6-character password drawn from the 95 printable ASCII characters has only about 735 billion possibilities, which a single GPU can exhaust in minutes against a fast unsalted hash. I have run such tools several times, and recovering a short password takes little more than a click.
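To make the length and character-class advice concrete, here is an added example (not from the original post) that scores a candidate password the way a policy checker might: it counts the character classes present, computes the keyspace a blind brute force would have to cover, applies the article's rule of at least 8 characters and all four classes, and converts the keyspace into a worst-case cracking time. The guess rate of 10 billion per second is an assumption standing in for one GPU against a fast unsalted hash such as MD5 or NTLM; the small wordlist is constructed from the common passwords named above, and the function names are this example's own.

```python
# Constructed mini wordlist. Real attackers use lists with hundreds of millions
# of entries, built from exactly the kind of dump described in this article.
COMMON_PASSWORDS = frozenset(["123456", "123456789", "password", "iloveyou",
                              "1q2w3e4r", "dragon", "monkey"])

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 (punctuation and space) = 95.
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumed attacker speed (example assumption): about 1e10 guesses/s is a
# plausible single-GPU rate against MD5 or NTLM. A slow, salted hash such as
# bcrypt cuts this by several orders of magnitude.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365 * 24 * 3600


def char_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace(password):
    """Candidates a blind brute force must try, assuming the attacker knows
    only the length and which character classes are in play."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(password))
    return alphabet ** len(password)


def meets_policy(password, min_length=8, min_classes=4):
    """The article's rule: at least 8 characters and all four classes."""
    return len(password) >= min_length and len(char_classes(password)) >= min_classes


def time_to_crack_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case brute-force time. Anything already in a wordlist is found
    essentially instantly, however large its keyspace looks on paper."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / rate


def assess(password):
    """Summarise a candidate password the way a policy checker might."""
    seconds = time_to_crack_seconds(password)
    return {
        "length": len(password),
        "classes": len(char_classes(password)),
        "meets_policy": meets_policy(password),
        "keyspace": keyspace(password),
        "years_to_brute_force": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for pw in ["123456", "abc123", "SfG539Nb*!", "I@mgr8@StuDyinG"]:
        print(pw, assess(pw))
```

The keyspace figure is an upper bound: real cracking runs start with wordlists and mangling rules, so “Password1” or “Summer2016!” fall long before their keyspace suggests. Only a password that is both long and not derived from anything in a wordlist gets the full benefit of the arithmetic.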
Change Your Password Regularly
If you have been compromised, you probably will not find out until some time later, so changing passwords now and then limits how long a stolen one stays useful. Traditional guidance was to change passwords every 45 to 90 days. Note that current NIST guidance (SP 800-63B, 2017) no longer recommends forced periodic rotation, because it pushes users toward predictable variations of the old password; the more important rule is to change a password immediately whenever you learn or suspect it was exposed, as with this dump.
Do Not Reuse the Same Password
As the dump shows, many people reuse one password across all of their accounts. Do not do this. If an attacker learns the password for your e-mail account, they also have your YouTube, Facebook, Instagram, and bank accounts, and every other account that shares that password. Attackers automate exactly this by replaying leaked username/password pairs against other sites, which is why a breach at one service turns into account takeovers elsewhere.
Change Default Passwords
Some devices you own ship with default passwords. The gateway or router you are using to reach the Internet right now, for example, came with one (often “admin” or “password”), and those defaults are published in manuals and in the same wordlists attackers use. If any system you own still has its default password, change it to a strong one of your own.
Never Write Your Passwords Down
If you must write a password down, keep it in a safe or another locked place; otherwise, do not write it down at all. Many people keep passwords on a sticky note on the desk or under the keyboard, which is precisely one reason many organizations enforce a clean desk policy. A password manager is the better answer: it stores your passwords encrypted, and you remember only one strong master passphrase.
Never Share Your Passwords
The only person who should know your password is you. Even when a help desk technician asks for it, do not reveal it, however trustworthy the person on the other end sounds. There is no legitimate reason for IT support to ask for your password: they can issue a temporary password that expires after first use, letting you log in and then set a new one, or send a reset link that walks you through the password recovery process.
Gibson, D. (2017). CompTIA Security+: Get Certified Get Ahead, SY0-401 Study Guide. Virginia Beach, VA: YCDA, LLC.