By The PhishLabs Team | January 23, 2019
This month the largest recorded data dump in history, 87GB filled with passwords and user credentials, was made available. Dubbed Collection #1, it consists of 1,160,253,228 unique combinations of email addresses and passwords. Though historic, there are two positive notes regarding this information: the first is that this data set was circulated on hacking forums back in December of 2018 and is considered a few years old, and the second is that none of this data is the result of a new breach. In short, this is a very large collection of already breached data from at least 340 different websites.
According to security researcher and creator of Have I Been Pwned?, Troy Hunt, 140 million of the included 772,904,991 email addresses and 10,000,000 passwords were not yet included in his searchable database. That’s a lot of new details, but the information has already been floating around nefarious forums for some time.
Regardless of the newly searchable information, the biggest takeaway from Collection #1 is not the data dump itself, but the details written between the lines. Of the more than 772 million unique email addresses, there were only 21 million unique passwords being used. What’s scary is that not even three percent of the passwords in the data breach are unique. The other 97 percent contain duplicates or common terms, and that is a big problem.
There are several issues behind this, starting with the most obvious: humans are lazy.
The top 10 most common passwords used in 2018 are as follows:
- 123456 (Unchanged)
- password (Unchanged)
- 123456789 (Up 3)
- 12345678 (Down 1)
- 12345 (Unchanged)
- 111111 (New)
- 1234567 (Up 1)
- sunshine (New)
- qwerty (Down 5)
- iloveyou (Unchanged)
While everyone could use some sunshine, it’s clearly not a term that will stop would-be hackers from stealing your Twitter account, let alone your identity.
The second issue is that humans are not just lazy when it comes to security; we are also terrible at remembering things, let alone strong, unique passwords. People often reuse the same password across some, if not all, of their accounts. The password a person uses to log in to their Target account could be the same one they use for their bank, 401K, healthcare, and other important private details. With less than three percent of the passwords in this giant dump being unique, there is a very good possibility that password reuse attacks will occur. So how should this be curbed?
Stop counting and start creating unique passwords. It’s that simple! Both consumers and companies need to be more diligent about creating unique passwords.
“Companies need to educate users against password reuse and how to pick strong passwords. By using the same password across accounts they can fall victim to password reuse attacks. Although it’s not the case for Collection #1, if a data breach contains encrypted passwords but they only use simple or common terms, the threat actor can use a dictionary attack to decipher it and gain entry,” said PhishLabs Founder and CTO John LaCour.
Fortunately, this data dump did not contain newly breached information, but when new breaches do occur, in some cases the passwords are hashed. Hashing makes it significantly more challenging for a threat actor to breach an account, unless the account is protected by a simple term such as “sunshine” or “iloveyou”.
As for managing those hard to remember unique passwords, LaCour suggests using a password manager.
“Using a password manager can produce some anxiety since all of your passwords are in one place, but there is significantly less risk of that being compromised versus a user getting hacked due to password reuse. Even better, use two-factor authentication.”
Codes sent to your mobile device and email work well, but code generators are less prone to being compromised. The more steps you can put between your private information and a threat actor, the greater the odds that it will remain protected.
Creating unique passwords and storing them in a password manager is a great first step, but organizations also have a role to play. According to LaCour, security teams should also be cognizant of newly dumped data from breaches.
“Any time there is a new dump like this, companies are able to acquire the data and see if their users are in there. If so, the company needs to take action by changing passwords or forcing passwords to be reset. It’s a good hygiene approach to security vigilance.”
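One way a security team could run the check LaCour describes, shown as an added example that is not PhishLabs' code. It assumes the dump is plain `email:password` lines and that the user store keeps salted PBKDF2 hashes; every account, password and dump line below is constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store: email -> salted hash record
USERS = {
    "alice@example.com": make_user("sunshine"),
    "bob@example.com": make_user("c0rrect-horse-battery"),
    "carol@example.com": make_user("iloveyou"),
}

# Constructed dump sample in the assumed email:password format
DUMP = """\
Alice@Example.com:sunshine
bob@example.com:qwerty
dave@example.org:123456
malformed line without separator
carol@example.com:iloveyou
"""


def triage_dump(dump_text: str, users: dict) -> dict:
    """Map each of our users found in the dump to 'force_reset' (dumped
    password still opens the account) or 'notify' (email exposed only)."""
    actions = {}
    for line in dump_text.splitlines():
        email, sep, password = line.strip().partition(":")
        record = users.get(email.lower()) if sep else None
        if record is None:
            continue  # malformed line, or not one of our users
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            actions[email.lower()] = "force_reset"
        else:
            actions.setdefault(email.lower(), "notify")
    return actions


if __name__ == "__main__":
    for email, action in sorted(triage_dump(DUMP, USERS).items()):
        print(f"{email}: {action}")
```

The dumped password is re-hashed with each matching account's own salt, so the check works without ever storing or logging the plaintext beyond the triage run.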