If you’ve attended one of my security training sessions, you know I’m always talking about the risk of re-using passwords on multiple services. That’s because passwords are frequently breached, offered for sale, and then used by hackers to take over new accounts that haven’t yet been breached. You see how this snowballs.
And it keeps on happening. An enormous breach was uncovered in January affecting 772 MILLION accounts. It turned up 21 million unique passwords that had not appeared in any previous breach.
A package of millions of passwords is sold on the dark web for $45. That’s how cheap they sell you for. Once a hacker buys the password list, how hard is it to use that data to crack a new account?
Not very. An open source tool called Hydra, which ships with Kali Linux, will get you up and running in less than a minute. We use that tool ourselves during penetration tests. It’s called credential stuffing, and running this automated tool overnight almost always gets us a login. The tool looks like this:
Are your passwords safe?
It’s easy to find out if one of your passwords has been exposed in a breach. Just visit haveIbeenPwned.com and enter your email address. Check every email address you’ve used in the past few years.
I’ve been the victim many times of a password breach.
It’s easy to change your own passwords, but what about your employees? If you’d like me to help you create a password policy and security training for your organization, please email or call. You can reach me anytime at 505-750-3531 or email@example.com.