Many people are in the habit of repeating the same password across some of their accounts, or worse, setting the same password for all of their accounts. This is obviously not safe at all. But according to Checkpoint, a cybersecurity solutions provider, this lax behaviour is helping cybercriminals create an underground market of databases obtained from breached websites.
“Reusing passwords across personal and corporate accounts is especially dangerous, as it can arm hackers with admin-level access to an organisation if they’re able to obtain credentials to personal accounts,” warns Harish Kumar, Head of Enterprise at Checkpoint in a blog post.
Despite being well aware of these risks, people continue to recycle passwords because it’s difficult to manage and memorise multiple passwords, the report adds.
Read More: PM Kisan Yojana: Farmers To Get Rs 15 Lakh To Set Up Agri-Business Under The Scheme
The state of passwords in India
According to a previous report by Nordpass, Indians don’t fare particularly well when it comes to passwords, with “password” being the most used password in the country, followed by “123456,” “12345678,” and “bigbasket.” All of these need less than a second to crack. Perhaps it is due to this that, as of 2017, India ranked fourth on the list of nations facing consumer loss through cybercrime.
Further, India continues to see an increase in data theft cases. A jump like this can mainly be attributed to the rise in digital adoption, fueled by the pandemic and its resultant push to work and study online. Newly online individuals and organisations appear to lack cybersecurity awareness, leading to a rise in cybercrime, notes the cyber-security company.
Checkpoint also points out that Ironically, tougher security policies calling for stronger passwords are counterproductive. Such passwords are harder to memorise and may end up encouraging more recycling.
How cybercriminals are benefiting from lax cybersecurity
The Checkpoint report highlights that attackers quickly spotted these negligences and realised that their resources can be better used on smaller websites with weaker security. The National Institute of Standards and Technology – a US govt agency – requires that “passwords be salted with at least 32 bits of data and hashed with a one-way key derivation function.” However, many websites don’t comply, with some even storing passwords in plain text, according to the report. Credentials stolen from such sites can then be used to log into more valuable sites and services.
Read More: Banking services across India to get affected on November 19 amidst nationwide Bank strike
Checkpoint also notes that cybercriminals who hack websites and steal passwords may not necessarily be the ones who use them the most effectively. Instead, they may choose to sell stolen credentials. Some of these can fetch up to $120,000 each if they can unlock admin-level access to an organization.
Stolen passwords are bundled into “combo lists,” which are huge compilations of many databases of stolen email addresses and passwords. The largest combo of all time contained over 8 billion unique sets of usernames and passwords and was called RockYou2021, according to the report.
According to Checkpoint, these stolen credentials are utilized in credential stuffing attacks, which is a type of cyberattack where credentials collected from a data breach on one site are used to log in to another. This is done through large-scale automated login requests. The attack is one of the most common methods to gain access to user, banking, social media, and corporate accounts.
What you can do to stay safe
The most obvious way to stay safe is to not reuse passwords under any circumstance. Because if one account is compromised, attackers can easily gain access to the other, and so on.
Try to also come up with unique word combinations, as special characters alone don’t make a strong password if the keyword is a common one. For example, “pass@123” is a password that contains letters, numbers, and a symbol, yet is the 6th most common password in India. Using two-factor authenticators (2FA) wherever possible helps too.
