Open Forum

  • 1.  Security BUZZ - password breaches demystified

    Posted 12-06-2024 09:05

    I stumbled upon an article about commonly used passwords and was disappointed by the hype (in this case) vendors are creating. I decided to dedicate today's blog to demystifying what we may traditionally see in the media about password use. Let's start with the numbers.

    • It's a numbers game. Today, the majority of passwords sold on the darkweb are combo lists. When passwords are stolen from a website, they are initially sold as the individual batch from a specific breach. But they are quickly bought and put into the recycling machine. Cybercriminals buy these password lists in bulk. Sometimes they clean and deduplicate them, but then they combine them and resell them as a more extensive list. These lists are even frequently called CombolistXXX, where "XXX" is a sequential number. Why is this important? Because your LinkedIn password, which was harvested in the very first breach in 2012, has been recycled at least a few hundred times. It does not mean it has been used a few hundred times. I get skeptical when vendors or even researchers overly exaggerate the numbers.
    • The length matters, but there is something else that is even more important. If the passwords were stored in unencrypted format or with weak (easily breakable) encryption, length does not matter. The bad guy who has your thirty-seven-character password in the clear needs no effort, and it offers you zero protection. There is such a thing as password cracking; length is important for that. Here is a simplistic explanation of how it works, and it's all driven by the tools. No one cracks passwords one at a time anymore. The tool creates (encrypted) values of the most common or dictionary words and runs through a super-fast comparison of all hash (encrypted) values that were stolen until it finds the match. Dictionary words are easy - the full word (i.e., apple) will have one value the hacker can compare. When you get down to a hash value of every letter, number and special character in a password, one has to run through Godzillian iterations to find a match. That is hard and takes time. Many researchers and vendors continuously update the numbers it takes to crack passwords, and they can truly span from minutes to decades. That is where the length of the password matters. But wait... we just covered cracking one password. Imagine a hacker bought 100 million passwords and needs to crack them in bulk. That task alone will take millennia (it may change with quantum computing, but time will tell).

    Regretfully, a lot of research is hype or an attempt to sell products. The only product you need is you. If you bought a password manager but used it to store the "Jenny123" password for every site, you are wasting good money.

    Here is what is important and what you need to pay attention to.

    • Set your personal baseline for password length. An eight-character password is not enough. If you are not using a password manager or another methodology to remember or store passwords, your minimum should be fifteen characters. If you are using a password manager, the sky is your limit. While we are on the topic, if you are signing up for a new account and the website supports eight characters as the maximum password - run. Your eight-character password will be gone with the wind. Regretfully, even some banks and financial institutions are still limited to a ten- or twelve-character maximum password.
    • Don't reuse passwords. The uniqueness of each password is the most important. See above for information about combo lists and unencrypted passwords. You can never trust any website to safeguard your passwords. This is a good opportunity to use a password manager.
    • Use passphrases in lieu of passwords. They are easier to memorize and allow the creation of a long password you can remember. Don't reuse them either.
    • Sign up for password breach alerts at https://haveibeenpwned.com/ and change any compromised passwords as soon as you learn about the breach. Many password managers will check your existing passwords and accounts (URLs) against past and current security breaches.
    • MFA, while not directly related to this topic, is the only thing that stays between hackers and your bank account. Have no illusions - your password will be stolen.

    Password hygiene comes up all the time and is the main reason for over eighty percent of breaches, according to many reputable researchers. Bad behaviors in our personal lives spill into our business lives, causing significant disruptions. Don't be that guy or gal!!!

    #ALTACyber



    ------------------------------
    Genady Vishnevetsky
    Chief Info Security Officer
    Stewart Title Guaranty Company
    Houston TX
    ------------------------------
    ALTA Marketplace
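    The post above describes two things that are easy to conflate: a cracking tool precomputes hashes of dictionary words and compares them against a whole stolen dump in one pass, while a password that is not in any dictionary forces the tool through the full keyspace, which grows with length. The following is an added illustration written for this thread, not code from the original post or from any product mentioned in it. It builds a small hash lookup from a constructed wordlist, audits a constructed dump of unsalted SHA-256 hashes the way a defender would check their own directory for dictionary passwords, and computes the worst-case guess count for a given length so the "minutes to decades" gap becomes concrete. All names, the wordlist, the dump and the guesses-per-second figure are assumptions made for the example.

```python
"""Added illustration for the password-cracking explanation above.
Everything here (wordlist, dump, rate) is constructed; none of it comes
from the forum post or from a real breach."""
import hashlib
import math

# Constructed stand-in for a cracking dictionary (real ones hold millions).
WORDLIST = ["apple", "password", "jenny123", "letmein", "qwerty"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256 of a password, as a weak site might store it."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Hash every dictionary word once. Each stolen hash is then a single
    dictionary lookup, which is why dictionary words fall in bulk."""
    return {sha256_hex(w): w for w in words}


def audit_dump(dump, lookup):
    """dump maps username -> stored hash. Returns the users whose password
    is a dictionary word; a defender runs this over their own directory."""
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates a full search must cover for this length."""
    return charset_size ** length


def worst_case_years(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    seconds = keyspace(length, charset_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


# Constructed dump: two accounts with dictionary words, one with a long
# unique passphrase that no wordlist contains.
DUMP = {
    "alice": sha256_hex("apple"),
    "bob": sha256_hex("jenny123"),
    "carol": sha256_hex("seventeen-blue-teapots-on-mars"),
}

# Assumed cracking rate for the comparison; real rates vary by hash and hardware.
ASSUMED_RATE = 1e10  # guesses per second
PRINTABLE_ASCII = 95


def summary():
    """Dictionary hits plus the length comparison the post makes (8 vs 15)."""
    hits = audit_dump(DUMP, build_lookup(WORDLIST))
    return {
        "dictionary_hits": hits,
        "years_8_chars": worst_case_years(8, PRINTABLE_ASCII, ASSUMED_RATE),
        "years_15_chars": worst_case_years(15, PRINTABLE_ASCII, ASSUMED_RATE),
    }


if __name__ == "__main__":
    result = summary()
    print("dictionary passwords found:", result["dictionary_hits"])
    print(f"8 printable chars, worst case: {result['years_8_chars']:.4f} years")
    print(f"15 printable chars, worst case: {result['years_15_chars']:.3e} years")
```

    Two points the run makes visible. The lookup table is built once and reused for every account in the dump, so adding a hundred million accounts adds a hundred million lookups, not a hundred million cracking jobs; that only works because the toy scheme is unsalted, and per-user salting (standard in any modern password hash) forces a fresh table per account. And at the assumed rate, eight printable characters are exhausted in well under an hour while fifteen characters take on the order of 10^12 years, which is the "minutes to decades" spread the post refers to, before any quantum considerations.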


  • 2.  RE: Security BUZZ - password breaches demystified

    Posted 12-09-2024 07:44

    This is incredibly helpful. Like you said there's a lot of advice and this helps clarify and prioritize our actions. Thank you!



    ------------------------------
    Claudia Lee
    CertifID
    Austin TX
    +1 (616) 202-6612
    ------------------------------



  • 3.  RE: Security BUZZ - password breaches demystified

    Posted 12-10-2024 10:42

    Thanks for providing this, Genady. Great explanation on a key element of security that is misunderstood by many who look for a quick solution to the problem.



    ------------------------------
    John Doyle
    Intellicheck
    Melville NY
    ------------------------------
