The Wages of Password Re-use: Your Cash or Your Life


When normal computer users fall into the bad habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom.

Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across multiple accounts associated with different email addresses.

The long-running Breadcrumbs series here tracks how cybercriminals get caught, and it’s mostly through odd connections between their online and offline selves scattered across the Internet. Interestingly, one of the more common connections involves re-using or recycling passwords across multiple accounts.

And yes, hackers get their passwords compromised at the same rate as the rest of us. Which means when a cybercrime forum gets hacked and its user databases posted online, it’s often possible to work backwards from some of the more unique passwords for each account and see where else that password was used.

SWATTING THE FLY

Of all the stories I’ve written here over the past 11 years, probably the piece I get asked most to recount is the one about Sergey “Fly” Vovnenko, a Ukrainian man who in 2013 hatched and executed a plan to purchase heroin off the dark web, ship it to our home and then spoof a call to the police from one of our neighbors saying we were dealing drugs.

Fly was the administrator of a Russian-language identity theft forum at the time, and as a secret lurker on his forum KrebsOnSecurity watched his plan unfold in real time. As I described in a 2019 story about an interview Fly gave to a Russian publication upon his release from a U.S. prison, his propensity for password re-use ultimately landed him in Italy’s worst prison for more than a year before he was extradited to face charges in America.

Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a young woman. But Fly apparently didn’t fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received.

But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée’s messages forwarded to an email account he’d used for plenty of cybercriminal activity related to his various “Fly” identities.

Mistake number two was that the password for his email account was the same as for his cybercrime forum admin account. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.

Soon enough, investigators were reading Fly’s email, including the messages forwarded from his wife’s account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly’s fiancée. It didn’t take long to zero in on Fly’s location in Naples.

POOR PASSWORDS AS GOOD OPSEC?

While it may sound unlikely that a man so enmeshed in the cybercrime space could make such rookie security mistakes, I’ve found that a great many cybercriminals actually have worse operational security than the average Internet user.

Numerous times over the years I’ve encountered large tranches of valuable, dangerous data — like a botnet control panel or admin credentials for cybercrime forums — that were filled with bad passwords, like password1 or 123qweasd (an extremely common keyboard pattern password).

I suspect this may be because the nature of illicit activity online requires cybercrooks to create vast numbers of single- or brief-use accounts, and as such they tend to re-use credentials across multiple sites, or else pick very poor passwords — even for critical resources.

Whatever their reasons or lack thereof for choosing poor passwords, it’s fascinating that in terms of maintaining one’s operational security it actually benefits cybercriminals to use poor passwords in many situations.

For example, it’s often the denizens of the cybercrime underground who pick crappy passwords for their forum accounts who end up doing their future selves a favor when the forum eventually gets hacked and its user database is posted online.

SOME ADVICE FOR EVERYONE

It really stinks that it’s mid-2021 and we’re still so reliant on passwords. But as long as that’s the case, I hope it’s clear that the smartest choice for all Internet users is to pick unique passwords for every site. The major Web browsers will now auto-suggest long, complex and unique passwords when users go to set up a new account somewhere online, and this is obviously the easiest way to achieve that goal.

Password managers are ideal for people who can’t break the habit of re-using passwords, because you only need to remember one (strong) master password to access all of your stored credentials.

If you don’t trust password managers and have trouble remembering complex passwords, consider relying instead on password length, which is a far more important determiner of whether a given password can be cracked by available tools in any timeframe that would be reasonably useful to an attacker.

In that vein, it’s safer and wiser to focus on picking passphrases instead of passwords. Passphrases are collections of multiple (ideally unrelated) words mushed together. Passphrases are not only generally more secure, they also have the added benefit of being easier to remember. Their main limitation is that many sites still force you to add special characters and place arbitrary limits on password length.

Finally, there’s absolutely nothing wrong with writing down your passwords, provided a) you don’t store them in a file on your computer or taped to your laptop, and b) that your password notebook is kept somewhere relatively secure, i.e. not in your purse or car, but something like a locked drawer or safe.
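As an added example (not code from the original post), here is a small Python audit in the spirit of the advice above: it flags passwords reused across sites in a constructed password-manager export, and compares the brute-force search space of a short keyboard-pattern password against a multi-word passphrase. The guessing rate and the Diceware-style wordlist size are assumptions for illustration.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample of a password-manager export; none of these are real credentials.
VAULT = [
    ("forum.example", "123qweasd"),
    ("mail.example", "123qweasd"),          # same password as the forum account
    ("bank.example", "password1"),
    ("shop.example", "plum glacier ticket mossy lantern"),
]

DICEWARE_WORDS = 7776        # words in a standard Diceware-style list (6**5); assumed
GUESSES_PER_SECOND = 1e10    # assumed offline cracking rate; adjust to your threat model


def find_reuse(vault):
    """Return groups of sites that share the same password (compared via digest)."""
    by_digest = defaultdict(list)
    for site, password in vault:
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(site)
    return sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)


def charset_size(password):
    """Number of characters an attacker must cover in a naive brute-force search."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def entropy_bits(secret, wordlist_size=None):
    """Search-space entropy in bits: words**n for a passphrase, charset**len otherwise.

    This is an upper bound for a single password: pattern-based cracking tools try
    keyboard walks such as 123qweasd long before exhausting the character space."""
    if wordlist_size:
        return len(secret.split()) * math.log2(wordlist_size)
    return len(secret) * math.log2(charset_size(secret))


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the secret: on average half the search space is tried."""
    return 2 ** (bits - 1) / rate


if __name__ == "__main__":
    print("reused across:", find_reuse(VAULT))
    for secret, words in (("123qweasd", None), (VAULT[3][1], DICEWARE_WORDS)):
        bits = entropy_bits(secret, words)
        print(f"{secret!r}: {bits:.1f} bits, ~{expected_crack_seconds(bits) / 86400:.1f} days")
```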

Further reading: Who’s Behind the GandCrab Ransomware?