24 billion stolen and breached usernames and passwords found on dark web
A new report from threat intelligence startup Digital Shadows Ltd. has found that 24 billion stolen and breached usernames and passwords are available on the dark web, the shady corner of the internet where illicit goods and services are sold.
That’s a 65% increase from two years ago and is the equivalent of nearly four credentials for every person on the planet.
To the surprise of next to no one, the report found that people are still, even in 2022, using easy-to-guess passwords. The top 50 most common passwords found in the dark web data included “password” itself and simple numeric sequences. Roughly half a percent of all passwords were “123456.” Keyboard-walk combinations such as “qwerty” or “1q2w3e” were also common.
According to the Digital Shadows researchers, 49 of the top 50 passwords could be easily cracked in under one second via easy-to-use tools commonly available on criminal forums, often free or offered at a minimal cost.
The report was not all bad news, however. The researchers found that adding a “special character” such as @ # or ) to a basic 10-character password adds around 90 minutes to the amount of time an attack would take to crack a password. Adding two special characters extends the possible hacking time to two days and four hours.
“We will move to a ‘passwordless’ future, but for now the issue of breached credentials is out of control,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords which mean many accounts can be guessed using automated tools in just seconds.”
Digital Shadows recommends that everyone should at the very least use a password manager to make passwords more complex so that users do not need to remember them. Multifactor authentication is also recommended where account providers offer it, to confirm identity.
“The front door to a web app is a valid user name and password and it is eye-opening to learn the number of credential pairs available on the dark web,” Kim DeCarlis, chief marketing officer at web application security provider PerimeterX Inc., told SiliconANGLE. “Stopping the theft, validation and fraudulent use of account and identity information should be a prime focus for all online businesses.”
In this case, she added, since the theft of credentials has already happened, digital businesses should look for a way to stop the next step: credential-stuffing attacks in which cybercriminals try to validate the username and password. “It would be smart for online businesses to look for solutions that flag when a known compromised credential is being used and force an action such as a simple password reset,” she said.
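The control DeCarlis describes, flagging a login that uses a known-compromised credential and forcing a reset, can be built into an ordinary login handler. The block below is an added illustration, not code from Digital Shadows, PerimeterX or SiliconANGLE. It assumes a breached-password feed distributed as SHA-1 digests and queried by hash prefix (a k-anonymity range lookup, simulated here against a constructed four-entry set rather than a real service), a constructed user store with PBKDF2-hashed passwords, and the names `login`, `is_compromised` and `validate_new_password`, all of which are illustrative. The same check also enforces the report's advice against reusing breached passwords when a new one is chosen.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# --- Constructed breached-credential corpus (NOT real breach data) ---
# A real deployment consumes a large feed of SHA-1 digests; this set holds only
# the weak examples the article itself mentions so the block runs offline.
_SAMPLE_BREACHED_PLAINTEXTS = ["password", "123456", "qwerty", "1q2w3e"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED_PLAINTEXTS}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix5: str) -> set[str]:
    """Simulated k-anonymity range query: the caller sends only the first five
    hex characters of the SHA-1 and receives every breached suffix under that
    prefix, so the full hash (and thus the password) never leaves the caller."""
    prefix5 = prefix5.upper()
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_compromised(password: str) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


# --- Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash) ---
PBKDF2_ROUNDS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {
    "alice": _make_user("123456"),                    # constructed: reuses a breached password
    "bob": _make_user("cobalt-harbor-lantern-71!x"),  # constructed: not in the breached set
}


@dataclass
class LoginResult:
    authenticated: bool
    action: str  # "allow", "deny" or "force_reset"


def login(username: str, password: str) -> LoginResult:
    record = USERS.get(username)
    if record is None:
        # Do equivalent work for unknown users so response time does not reveal
        # which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return LoginResult(False, "deny")
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return LoginResult(False, "deny")
    # The credential is valid, but if it is known-compromised the session must
    # not proceed until the user sets a new password.
    if is_compromised(password):
        return LoginResult(True, "force_reset")
    return LoginResult(True, "allow")


def validate_new_password(candidate: str, min_length: int = 12) -> bool:
    """Policy for the reset step: reject short passwords and anything in the breached set."""
    return len(candidate) >= min_length and not is_compromised(candidate)


if __name__ == "__main__":
    for user, pw in [("alice", "123456"), ("alice", "wrong"),
                     ("bob", "cobalt-harbor-lantern-71!x")]:
        print(user, login(user, pw))
```

The check runs only after the password has been verified, so a credential-stuffing attempt with a wrong password is simply denied and learns nothing about whether that password is on the breached list; a correct but compromised password gets the user into a forced-reset flow rather than a working session.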
Joseph Carson, chief security scientist and advisory chief information security officer at privileged access management firm Delinea Inc., noted that an important lesson to be learned here is that we should never reuse passwords.
“Organizations that offer authentication and login to their website must also move away from having a password as the only security control,” Carson said. “Two-factor authentication must be enabled for all customers as this reduces the risks of those who reuse passwords from becoming a victim of a cybercrime. Additionally, endorse password managers to help customers make better password hygiene and choices when creating new accounts and passwords.”