Billions of credentials are currently up for sale on the dark web, according to a new report from Digital Shadows. The cybersecurity firm believes that cybercriminals are now circulating 24 billion user name and password combinations, a figure that is up 65 percent from the 15 billion credentials that were available in 2020.
The 65 percent spike is not quite as dramatic as the 300 percent jump that Digital Shadows reported between 2018 and 2020, though it still poses a significant security threat in terms of the sheer volume of compromised credentials. That 24 billion number does include some duplicates, but there are still at least 6.7 billion unique credentials on dark web marketplaces. Cybercriminals added 1.7 billion credentials to that total in the past two years, which represents an increase of 34 percent.
However, people’s poor password choices may be an even bigger problem. Forty-nine of the 50 most commonly used passwords can be cracked with freely or cheaply available tools. That means cybercriminals do not need valid credentials to gain access to many accounts, since they can simply guess the password and break in just as quickly. Most weak passwords can be cracked in less than one second and represent a severe security gap.
Thankfully, Digital Shadows does have some advice for people who want to eliminate those vulnerabilities. The weakest passwords are easy-to-remember words or strings of numbers and letters, with password, qwerty, and 1q2w3e being amongst the most popular (123456 accounts for a full 0.46 percent of all passwords). Adding a single special character (such as a # or @ sign) can boost the amount of time needed to crack a 10-character password to 90 minutes, and a second special character can lengthen that process even further to upwards of two days.
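The following is an added illustration of the two points above, not code from Digital Shadows or the report: a password that appears on a common-password list is effectively cracked instantly regardless of its length, while adding special characters enlarges the brute-force search space multiplicatively. The guess rate (10 billion guesses per second) and the four-entry common-password list are assumptions for the example, not figures from the report.

```python
# Assumed: a cracking rig tests 1e10 guesses per second (illustrative, not from the report).
DEFAULT_GUESSES_PER_SECOND = 1e10

# Constructed list of the weak passwords named in the article; a real check would
# use a full breached-password corpus rather than four entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "1q2w3e"}

# Approximate pool size contributed by each character class.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, symbols, whitespace
    return classes


def keyspace(password: str) -> int:
    """Size of the brute-force search space implied by the classes actually used."""
    pool = sum(CLASS_SIZES[k] for k in character_classes(password))
    return pool ** len(password)


def estimated_crack_seconds(password: str,
                            guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace; zero for a dictionary hit.

    A common password is found by a wordlist before brute force even starts,
    so its keyspace is irrelevant, which is the report's point about the top 50.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / guesses_per_second


def special_char_multiplier(base: str, hardened: str) -> float:
    """How many times larger the search space becomes after adding special characters."""
    return keyspace(hardened) / keyspace(base)


if __name__ == "__main__":
    for pw in ("123456", "abcdefghij", "abcdefghi#", "abcdefgh#@"):
        print(f"{pw!r}: {estimated_crack_seconds(pw):.1f} s")
```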
The upshot is that most people can protect themselves with only a couple of symbols. Digital Shadows also encourages people to use a password manager, and to implement multi-factor authentication whenever possible.
“We will move to a ‘passwordless’ future, but for now the issue of breached credentials is out of control,” said Digital Shadows Senior Cyber Threat Intelligence Analyst Chris Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”
Multiple experts have warned that passwords are one of the weakest forms of authentication. Unfortunately, many businesses have been slow to transition to more secure alternatives even when they are aware of the limitations of password-based security.