Password-based hacks have increased 74% over the last year

midian182

Posts: 8,493   +105
Staff member
In brief: Today's cybercriminals use a slew of methods to compromise systems, but the most tried-and-tested way is still a favorite: stealing someone's password. According to a new report, there are almost 1,000 password-based attacks every second, marking a 74% increase compared to last year.

The data comes from Microsoft's Digital Defense Report 2022 (via ZDNet), which analyzed trillions of signals from the Redmond company's global ecosystem of products and services to reveal the scale of cyberthreats worldwide.

The number of hacking incidents has jumped enormously over the last year, thanks primarily to Russia's invasion of Ukraine in February and the resulting cyberwarfare between nations. But hackers still favor password-based attacks; Microsoft estimates that 921 of these take place every minute.

Brute forcing a password remains a common method of accessing a system. The arrival of Nvidia's RTX 4090 cards has made these sorts of attacks more efficient (in specific scenarios). Researchers recently showed how the Lovelace flagship could cycle through all 200 billion iterations of an eight-character password in just 48 minutes.

Passwords leaked online following massive data breaches are a prime harvesting ground for hackers, thanks to many people recycling account credentials across multiple sites and services. The massive LinkedIn breach from 2012 is believed to have enabled hackers to access Mark Zuckerberg's Twitter and Pinterest accounts in 2016.

Phishing attacks looking to steal passwords are still rife. Recently, criminals have been trying to take advantage of Twitter's verification revamp by phishing for verified accounts' passwords, and even Steam users are being targeted. This increase is partly why Microsoft included enhanced phishing protection in the Windows 11 22H2 update.

Microsoft writes that 90% of hacked accounts aren't protected by "strong authentication," which refers to a single layer of protection being used and doesn't include multi-factor authentication (MFA). The Windows maker warns that the number of accounts using MFA is low, even among administrator accounts, though these extra layers of protection don't guarantee an account will be 100% secure.

In addition to using MFA wherever it is available, the usual recommendations apply if you want to make life hard for hackers: avoid reusing passwords (consider a good password manager), keep your software up to date with the latest patches, and avoid the terrible passwords that remain inexplicably popular.

Permalink to story.

 

wiyosaya

Posts: 8,430   +7,877
Well there's another thing that one can do. Get yourself an e-mail service, of some sort, that allows you to generate an anonymized e-mail address for every site that asks you to set up an account, like, for instance, https://sneakemail.com/ Now, you have a different, and highly random, e-mail address for each site which is easily as good as the combination of using a different password for each site with the same e-mail address.

Also, the easiest way to remember a password is to use a phrase that is memorable. In fact, CERT, in the US at least, recommends this approach. The problem with that is that many sites have limits to the length that a password can be, so you cannot use a phrase that is longer than the maximum length for the password for any specific site.

I can see where there are less informed people who use bad practices, but there are sites out there that also use bad practices, too, and those sites are as much, if not more so, IMO, part of the problem.
 

Plutoisaplanet

Posts: 896   +1,426
Well there's another thing that one can do. Get yourself an e-mail service, of some sort, that allows you to generate an anonymized e-mail address for every site that asks you to set up an account, like, for instance, https://sneakemail.com/ Now, you have a different, and highly random, e-mail address for each site which is easily as good as the combination of using a different password for each site with the same e-mail address.
You can effectively do this with Gmail and almost any email address provider without using an anonymizing service. Just add in a + before the @ and any characters between the two. For instance if your email was watyousay@gmail.com, then you could sign up with watyousay+techspot@gmail.com or some unique identifier to make it hard for someone to guess your email. Since websites typically do not try to parse/simplify your email address, then someone providing watyousay@gmail.com when logging in will not be able to authenticate even with the right password.

An anonymizer service does create another threat vector though since even an anonymizer service is liable to experience security issues and it receives all your emails. It is designed to hide your real email address, so it would only help with spam/phishing if your email was revealed (since you could turn it off). However using the + trick would likely help with this because presumably spammers wouldn't bother to remove the unnecessary characters after the plus, and you could block all incoming emails to that specific address. Using a unique email for every service definitely helps with credential stuffing, but if all email addresses were leaked for a site then that's the only thing it'll help with.
 

Karlos95

Posts: 303   +204
I work in a high school as IT. Should see how many students change their password to 1234. Kids that should know better with digital security as they were born into it (not made to use it like the boomers who also have no idea about security) yet they are happy and think that is significant enough of a password.

Gonna hurt when this Digital ID crap comes out.
 

human7

Posts: 152   +131
I like MFA, but the only problem I have is how insistent they all are that they go or link to your smartphone via a mobile app or a text. If I'm logging in from my phone, the 2 auth doesn't add any security, and that's where security is typically weakest.

On the email front, so many people don't change their email at all that it's becoming a more stable identifier than even physical address. It's to the point that advertisers are using email as one of the key components of their identity graphs, in some places it can be used entirely on its own. There are certainly emails that have a lot of turnover, but email that is tied to say, a mobile phone login, is pretty stable.
 

wiyosaya

Posts: 8,430   +7,877
You can effectively do this with Gmail and almost any email address provider without using an anonymizing service. Just add in a + before the @ and any characters between the two. For instance if your email was watyousay@gmail.com, then you could sign up with watyousay+techspot@gmail.com or some unique identifier to make it hard for someone to guess your email. Since websites typically do not try to parse/simplify your email address, then someone providing watyousay@gmail.com when logging in will not be able to authenticate even with the right password.

An anonymizer service does create another threat vector though since even an anonymizer service is liable to experience security issues and it receives all your emails. It is designed to hide your real email address, so it would only help with spam/phishing if your email was revealed (since you could turn it off). However using the + trick would likely help with this because presumably spammers wouldn't bother to remove the unnecessary characters after the plus, and you could block all incoming emails to that specific address. Using a unique email for every service definitely helps with credential stuffing, but if all email addresses were leaked for a site then that's the only thing it'll help with.
I'm not so sure I like your suggestion over that of an anonymous e-mail service/addresses. Certainly, almost any avenue of security still has risks.

However, armed with the knowledge of your trick and assuming a security breach at any of the sites where it was used, it would be trivial for someone knowlegeable to write a REGX or other program to scan the harvested addresses and find real e-mail addresses using that trick as it would be a consistent and easily recognized pattern. Granted, then, that for the address to be used to try to hack the account at the e-mail provider is another level of security that would have to be overcome. However, the "base" e-mail address could be added to a spam list which would be potentially very annoying in the least and make that e-mail address unusable at the worst.

In my case, given a breach at a site where myself, and/or others were using the anonymous e-mail service, the hacker would have to figure out the service provider (not necessarily that difficult), and then hack the service provider. Whether or not the following is true, I tend to think that such service providers are constantly under attack and are on the lookout for such attacks as well as have strategies in place to minimize the risk of the site and its contents being unexpectedly exposed. After all, its their business venture and if their security fails, they will lose business.

Also, if someone adds one of those anonymized addresses to a spam list, which I have had happen, its easy enough to delete that address from my account, and register a different address with the site where I used the now compromised address - the result of deleting the compromised address is that e-mail sent to it bounces.

So far, it works well enough for me, and no one has, to this day, gotten the e-mail address to which all of my anonymized addresses are forwarded.

Anyway, IMO, there are always security vectors to be exploited. Some are more difficult to exploit than others.
 

Hodor

Posts: 436   +320
Most people are plain stupid, don't use easy passwords fools!

Yeah. People use passwords like "123456" or "Admin" or "God" which is easily breakable. You have to use something that nobody would guess. I use "AdminGod123456" and no problems so far.
 

BadThad

Posts: 1,282   +1,561
Yeah. People use passwords like "123456" or "Admin" or "God" which is easily breakable. You have to use something that nobody would guess. I use "AdminGod123456" and no problems so far.

Why not AdminGod123456password?
LOLOLOLOL