Digital Shadows on Wednesday reported more than 24 billion username and password combinations in circulation in cybercriminal marketplaces, many on the dark web — a number that represents a 65% increase from a previous report in 2020.
The Digital Shadows researchers found that the top 50 most common passwords are incredibly easy-to-guess and simply use the word “password” or a combination of easily remembered numbers.
They found that some 0.46% of all passwords — nearly one in every 200 — use 123456. Keyboard combinations such as “qwerty” or “1q2w3e” are also commonly used. Of the 50 most commonly used passwords, attackers can crack 49 in under one second via easy-to-use tools commonly available on criminal forums, which are often free of charge or at minimal cost.
When it comes to cybersecurity, humans remain a high risk and top target of cyber criminals, said Joseph Carson, chief security scientist and advisory CISO at Delinea. Carson said consumers need to understand that they should never reuse passwords.
“Organizations that offer authentication and log-in to their website must also move away from having a password as the only security control,” Carson said. "Two-factor authentication must be enabled for all customers as this reduces the risks of those who reuse passwords from becoming a victim of a cybercrime. Additionally, endorse password managers to help customers make better password hygiene and choices when creating new accounts and passwords.”
Chris Clymer, director and CISO at MRK Technologies, said password reuse remains a prevalent issue across every vertical. Clymer said threat actors know very well that they can target accounts in less valuable websites, and find they work on more sensitive banking sites, or corporate logins. In many cases, Clymer said they don’t have to work hard, as these credentials are in the open in very public data breach dumps.
“That’s one of many reasons multi-factor authentication and other strengthening of authentication mechanisms has become so critical…and now required in most cases to get cyber insurance coverage,” Clymer said. “A compromised password is less valuable if there’s also an MFA method that must be targeted, as well. Hacker can compromise these as well of course, but it adds much more work for the bad guys.”
Joe Garber, CMO at Axiad, added that a password-only approach to security no longer makes logical sense given today’s realities. Garber said passwords are costly and time-consuming to manage and disruptive to end users, and hackers can easily steal or compromise them.
“Once they are stolen, an organization will be more susceptible to phishing attacks, find it harder to detect a breach because hackers have a legitimate password, and have a harder time minimizing the blast zone once a bad actor has gained access because they essentially have the keys to the kingdom,” Garber said. “It’s time for organizations to adopt an approach that focuses on credentials, not passwords. Credentials are harder to steal or compromise, are phishing resistant, and introduce less friction to administrators and end users.“