Why using the same password is dangerous and 5 password managers to solve the problem

by admin
Apple has come up with a way to do without passwords: with the arrival of the new operating systems iOS 16 and macOS Ventura, iPhones, iPads and Macs can act as keychains for the login credentials of sites and platforms, without the need to create new ones for each. Perhaps this will help curb a phenomenon that is as widespread as it is dangerous: using the same password to log in to multiple services.

According to a Google study (this one, in PDF), about 65% of people reuse the same password on different platforms, perhaps for their Facebook profile, their LinkedIn profile and their online bank account. More recently, an analysis conducted by Bitwarden, one of the most popular password management services, pointed out that over 80% of its users do more or less the same thing.

In general, as we have often explained on Italian Tech, not creating new login credentials for each site you register on and preferring the "Login with" function instead (relying on your Gmail account to create a TikTok profile, for example) is wrong from the point of view of privacy and the protection of personal data: by doing so, the site you rely on gains access to much more information about you. Here, however, the problem is a different one: it is a security problem.


Why using the same password is wrong

"We tend to believe that when a hacker steals our passwords, the worst-case scenario is that the information is published and used on the Dark Web, but that's not the only risk," Marco Fanuli, security engineer team leader at Check Point Software, told us. "When the same password is used for different services, the damage of a cyber attack is potentially higher because, even by breaching a single account, criminals can access multiple platforms and apps. And this is how vulnerability to attacks increases exponentially."

It's not hard to see why: if the password used for Facebook is the same as the one for LinkedIn and home banking, the theft of the first also gives access to the other services. But the matter is more complex than that, because by now cybercriminals have understood that this behavior of ours is an opportunity to be exploited, and they have built huge databases of stolen credentials that feed a profitable black market: as Check Point explains, hackers put together so-called Combo Lists, very long lists of email addresses and passwords that can then be tried on multiple sites until the right combination is found. The largest Combo List ever, called RockYou2021 and released on the Dark Web in 2021, contained over 8 billion unique sets of accounts and passwords.

An example of a Combo List that contains over 25 million possible combinations

What Brute Force Attacks and Credential Stuffing are

But how do cybercriminals get hold of this information? Partly we help them, and partly they have developed tools suited to the purpose: "We continue to emphasize the importance of password creation, which is unfortunately still underestimated," Fanuli reminded us. "There are those who make them too simple, those who use personal information to create them and, precisely, those who choose the same password for different accounts." This is our (involuntary) contribution, but what are the tools? "Many have this somewhat fanciful image of the hacker with pen and paper trying all possible combinations until he finds the right one," they told us again from Check Point. "In reality, a technique called Brute Force Attack is used, that is, software that tries a large number of combinations in a short time, finding the simplest passwords in a few hours."

And once they find it, what do they do with it? And what do those who buy passwords online do with them? They use them to carry out what is called Credential Stuffing, a type of cyber attack in which attackers use stolen credentials, i.e. lists of usernames and passwords, to fill in the login pages of as many sites and apps as possible at the same time, until they find the right combination to access mailboxes, bank accounts, social media and company accounts.
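A defender sees credential stuffing and brute force as two different shapes in the login log: one source trying many different usernames with mostly failures (a Combo List being replayed) versus one source hammering a single account. The following is an added example, not code from the article or from Check Point; the log format, the source addresses and the thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of login events (not real data): "<time> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2022-09-01T10:00:01 203.0.113.7 alice@example.com FAIL
2022-09-01T10:00:02 203.0.113.7 bob@example.com FAIL
2022-09-01T10:00:02 203.0.113.7 carol@example.com FAIL
2022-09-01T10:00:03 203.0.113.7 dave@example.com OK
2022-09-01T10:00:03 203.0.113.7 erin@example.com FAIL
2022-09-01T10:00:10 198.51.100.2 alice@example.com FAIL
2022-09-01T10:00:11 198.51.100.2 alice@example.com FAIL
2022-09-01T10:00:12 198.51.100.2 alice@example.com FAIL
2022-09-01T10:00:13 198.51.100.2 alice@example.com FAIL
2022-09-01T10:00:14 198.51.100.2 alice@example.com OK
2022-09-01T10:05:00 192.0.2.9 alice@example.com FAIL
2022-09-01T10:05:30 192.0.2.9 alice@example.com OK
"""

def classify_sources(log_text, min_attempts=5, stuffing_min_users=5, fail_ratio=0.6):
    """Return {source_ip: (verdict, accounts it logged into)}.
    Many distinct users with mostly failures -> credential stuffing (Combo List replay);
    one user hammered with mostly failures -> brute force; low volume -> normal."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": set()})
    for line in log_text.splitlines():
        _, ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "OK":
            s["hits"].add(user)  # an account the source actually got into
        else:
            s["failures"] += 1
    verdicts = {}
    for ip, s in stats.items():
        if s["attempts"] < min_attempts or s["failures"] / s["attempts"] < fail_ratio:
            verdict = "normal"
        elif len(s["users"]) >= stuffing_min_users:
            verdict = "credential_stuffing"
        elif len(s["users"]) == 1:
            verdict = "brute_force"
        else:
            verdict = "suspicious"
        verdicts[ip] = (verdict, sorted(s["hits"]))
    return verdicts

def accounts_to_review(log_text):
    """Accounts a flagged source logged into: candidates for a forced reset and session revocation."""
    return sorted({u for v, hits in classify_sources(log_text).values() if v != "normal" for u in hits})
```

A per-source threshold like this is only a starting point: real stuffing campaigns are usually spread over many addresses, so the same counting is worth repeating per username, per user agent and per time window.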

Marco Fanuli of Check Point Software

How much is my password worth?

The point is that, as soon as cybercriminals realized the great commercial potential of stolen passwords, they started concentrating their efforts on hacking sites and services that may not be of great value on their own, but are profitable thanks to the information they contain. And so a thriving business was born around these operations: according to Check Point data, the most sought-after credential combos, those that perhaps allow full access to usually well-protected corporate sites, can cost up to $120,000 on the black market, with an average price of around 3,000.

There are also cases in which they are given away for free, fueling a market that knows no crisis: in the last 6 months alone, on one of the main English-language message boards on the Dark Web, more than 3,500 threads related to stolen databases and more than 1,500 on Combo Lists containing email accounts and passwords have been opened. Considering the possible combinations, each of these databases can include millions of sets of credentials, if not hundreds of millions.

The (possible) solution: choose a password manager

What we can do to counter all this is to choose a different password for every site we register on, make them complex and with few links to us (to who we are, the work we do, our mother, our dog, our partner, our date of birth), and also use a password manager to manage them and not forget them.

There is also the option of relying on passwords randomly generated by browsers (like Chrome), which then store them for us: it can be tempting, but if there is no synchronization between one device and another, you risk being left without access. And this is where password managers come in: sites and apps in which to record all the various credentials, associate them with the various sites and protect them with a master password, the only one that has to be kept in mind. Like the slip of paper of the past, but without the risks of the slip of paper of the past.

There are many on the market, slightly different from one another and to be chosen based on features, capacity and cost. On top of that, they can be used for autocompletion (they type the passwords for us on the various sites) and have some form of backup in the cloud, so as to have an additional parachute.

LastPass
Perhaps the most used, it is also the one that is easier to recommend because it is simple to use, it is feature-rich and offers two-factor authentication. However, it should be considered that the computer version is graphically a bit dated and that it was hacked both in 2015 and in 2022.

RememBear
If you've never used a password manager before, this may be the one to start with, thanks to a neat and playful interface: the options are many, even without paying, and it has a relatively simple master password recovery procedure. However, interaction with other apps is limited and there is no form of encryption.

Bitwarden
This app also has a definitely complete free plan, is available for virtually all popular platforms and browsers, and supports two-factor authentication. Beware of the storage space limits imposed by the various paid plans, before subscribing to them.

1Password
Definitely one of our favorites: you can have it for Windows, macOS, Linux, Android and iOS, it works well, has two-factor authentication, backup to Dropbox, and even a service that reports weak passwords and those that may have been breached. The free plan allows you to store only a limited number of passwords, but more than enough for a common user.

Keeper
Probably the most suitable service for professional users or anyway for those with out-of-the-ordinary needs: multi-platform, two-factor authentication, a history of previous passwords, a family plan that includes 5 individual vaults, and in general it works really well. However, the free version offers rather few possibilities.
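The "weak and breached passwords" report mentioned for 1Password, and the cascade described earlier (one stolen password opening several accounts), can both be checked over a vault export. The following is an added example, not code from the article or from any of the products listed; the vault entries, the common-password set and the length threshold are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (not real credentials), one entry per site.
SAMPLE_VAULT = [
    {"site": "facebook.com", "username": "mario@example.com", "password": "Estate2021!"},
    {"site": "linkedin.com", "username": "mario@example.com", "password": "Estate2021!"},
    {"site": "mybank.example", "username": "mario.rossi", "password": "Estate2021!"},
    {"site": "shop.example", "username": "mario@example.com", "password": "123456"},
    {"site": "mail.example", "username": "mario@example.com", "password": "gK7#vQ2p!LwZ9mRt"},
]

# Constructed stand-in for a leaked-password wordlist; a real audit would load a large one.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678"}

def fingerprint(password):
    """Group identical passwords by hash so the report never echoes the secret itself."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def audit_vault(vault, min_length=12, common=COMMON_PASSWORDS):
    """Return reused passwords (fingerprint -> sites) and weak entries (site -> reasons)."""
    sites_by_fp = defaultdict(list)
    weak = {}
    for entry in vault:
        pw = entry["password"]
        sites_by_fp[fingerprint(pw)].append(entry["site"])
        reasons = []
        if len(pw) < min_length:
            reasons.append("short")
        if pw in common:
            reasons.append("common")
        if reasons:
            weak[entry["site"]] = reasons
    reused = {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}
    return {"reused": reused, "weak": weak}

def blast_radius(vault, breached_site):
    """Other sites that fall together with `breached_site` because they share its password."""
    leaked = {fingerprint(e["password"]) for e in vault if e["site"] == breached_site}
    return sorted(e["site"] for e in vault
                  if e["site"] != breached_site and fingerprint(e["password"]) in leaked)
```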

A good idea is to try them out and see which is right for you; another is to remember that password managers are not the ultimate solution either, because not even they are inviolable: as mentioned, LastPass has been hacked twice, and the last time (last August) the data of 25 million users were put at risk. As always, the ultimate solution is to use caution and common sense. Which are two things that cannot be found in online stores.
