“Password”, “passw0rd” and “password1” remain popular choices…
According to ImmuniWeb, over 21 million (21,040,296) stolen credentials belonging to Fortune 500 employees are currently available on the Dark Web, over 16 million (16,055,871) of which were exposed in the last 12 months.
Fully 95 percent of those credentials included plaintext passwords, either leaked unencrypted or already brute-forced from stolen hashes, the company says.
(More than half of the most widely available data is "outdated or fake, or just derives from historical breaches of recently compromised files", the report notes, which may be some comfort to security teams at these companies.)
Switzerland-based ImmuniWeb crawls forums on the open Internet and on the Tor network, as well as Pastebin, IRC channels, social networks and messaging platforms, to track the growth of the credentials market. (Stolen credentials give attackers initial access to a network, which they then use to escalate privileges.)
Technology, energy and financial services are the most exposed
Among the revelations in today's report: the password "password" (hardly a strong choice) remains extremely popular with users, along with such cunning and unexpected variations as "passw0rd" and "password1".
The technology, financial services and energy sectors have the highest volume of exposed credentials, and 42% of the stolen passwords somehow relate either to the victim's company name or to the breached resource in question.
Password brute-forcing tools are freely available on the internet, and are used by penetration testers and black-hat hackers alike.
(As computing power increases, the speed at which even hashed passwords can be cracked keeps rising, as Hashcat demonstrated in February.)
(Attackers rarely trigger account lockouts, because they usually do not guess passwords against the live login page. Instead, they obtain a file of user IDs and password hashes and run such tools offline, hashing candidate passwords until one reproduces a stored hash and so reveals the password.)
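The offline attack described above, as an added example that is not part of the report or of any ImmuniWeb tool. The company "Acme Corp", its users and the hash dump are all constructed here; the script assumes the breached site stored an unsalted SHA-256 hash, which is why one hash computation per candidate can be checked against every user at once, and it shows why "password1", "passw0rd" and a company-name password fall to a wordlist of a few stems while a random password survives.

```python
"""Offline dictionary attack against a leaked list of unsalted password hashes.

Added, illustrative example, not code from ImmuniWeb or its report.
Everything below (the company "Acme Corp", the users, the dump) is constructed.
"""
import hashlib

HASH_ALG = "sha256"  # assumption: the breached site stored a fast, unsalted hash


def digest(password: str) -> str:
    """Hex digest of a candidate password under the dump's hash algorithm."""
    return hashlib.new(HASH_ALG, password.encode("utf-8")).hexdigest()


# --- constructed victim side: what the breached site stored ------------------
# The attacker never sees these plaintexts; they exist only to build the dump.
_SAMPLE_PLAINTEXTS = {
    "alice@acme.example": "password1",        # top-list password plus a digit
    "bob@acme.example":   "Acme2019!",        # derived from the company name
    "carol@acme.example": "passw0rd",         # one leet substitution
    "dave@acme.example":  "c8Vr#9pLq2!wXz",   # random; should not be cracked
}
LEAKED_DUMP = {user: digest(pw) for user, pw in _SAMPLE_PLAINTEXTS.items()}

# --- attacker side -----------------------------------------------------------
BASE_WORDLIST = ["password", "welcome", "letmein", "qwerty", "summer"]
SUFFIXES = ["", "1", "12", "123", "!", "2019", "2019!", "2020", "2020!"]
LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def leet_variants(word: str):
    """The word itself, each single leet substitution, and the all-at-once form."""
    yield word
    for i, ch in enumerate(word):
        if ch in LEET_MAP:
            yield word[:i] + LEET_MAP[ch] + word[i + 1:]
    yield "".join(LEET_MAP.get(c, c) for c in word)


def mutate(stem: str):
    """Expand one wordlist stem into the variations users actually pick."""
    seen = set()
    for variant in leet_variants(stem):
        for base in (variant, variant.capitalize()):
            for suffix in SUFFIXES:
                candidate = base + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def company_stems(company: str):
    """Stems derived from the victim's company name: 'Acme Corp' -> acme, acmecorp."""
    parts = company.lower().split()
    return sorted({parts[0], "".join(parts)})


def crack(dump: dict, wordlist=BASE_WORDLIST, company=None) -> dict:
    """Return {user: plaintext} for every hash in the dump that a candidate reproduces.

    Because the hashes are unsalted, each candidate is hashed once and looked up
    against all users at the same time; a per-user salt would force per-user work.
    """
    stems = list(wordlist) + (company_stems(company) if company else [])
    lookup = {}  # digest -> candidate plaintext
    for stem in stems:
        for candidate in mutate(stem):
            lookup.setdefault(digest(candidate), candidate)
    return {user: lookup[d] for user, d in dump.items() if d in lookup}


def company_related(cracked: dict, company: str) -> set:
    """Users whose recovered password contains a stem of the company name."""
    stems = company_stems(company)
    return {u for u, pw in cracked.items() if any(s in pw.lower() for s in stems)}


if __name__ == "__main__":
    found = crack(LEAKED_DUMP, company="Acme Corp")
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"{len(found)}/{len(LEAKED_DUMP)} cracked, "
          f"{len(company_related(found, 'Acme Corp'))} related to the company name")
```

Three of the four constructed users are recovered from seven stems and a handful of mutation rules; the random password is not. The single hash-to-candidate lookup is what makes the attack cheap against unsalted fast hashes, and it is exactly what a per-user salt and a deliberately slow hash (bcrypt, scrypt, Argon2) take away, since every candidate must then be rehashed for every user.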
Stolen user credentials: The most popular password
Ilia Kolochenko, Managing Director and Founder of ImmuniWeb, said: “These numbers are so frustrating and worrying. Cybercriminals are smart and realistic, focusing on the fastest, cheapest and safest way to get your credentials.
“The great wealth of stolen credentials accessible on the Dark Web is a modern Klondike for hackers, who don't even need to invest in expensive APTs with 0-days or time. With some perseverance, they can easily get past security systems and grab what they want.”
Only 4.9 million (4,957,093) of the 21 million credentials the company identified had completely unique passwords, indicating that many users reuse identical or similar passwords. ImmuniWeb recommends using an Attack Surface Management (ASM) solution for risk mapping, implementing an organization-wide password policy that covers internal and third-party systems alike, and always using two-factor authentication (2FA) on critical systems.