
16bn. That’s a number that isn’t comprehensible. It’s a number you hear on the news, usually in a science segment or in a finance segment about the ultra-wealthy. But this time, 16bn is the number of exposed login credentials researchers from Cybernews found in an exposed dataset. This dataset contains stolen login credentials, mostly gained via malware. The credentials come from everywhere – from websites around the world, including popular websites and cloud services.
What is known is that the dataset was visible for a short time before being taken down. We know that some or all of the data in the dataset is not new but comes from earlier breaches and infostealers. We do not know where the data was being held or from where it was exposed. Moreover, the data wasn’t stolen from any one site breach, but likely a compilation of earlier stolen credentials. Initial reports seem to indicate that much of the discovery is net-new, but that has since been disputed. Still, that many credentials in one spot is a worry.
What was interesting about this information was essentially the lack of reaction from the public. Sure, scepticism of the discovery happened quickly – many security experts feel that this was a bit of a case of crying wolf. But the initial reaction by the public was more of a shrug. After all, how many times can a person’s login credentials get stolen? How many times should an individual go through the cumbersome process of updating passwords? Especially when it seems like there are more breaches every day. Keeping one’s credentials up to date after breaches begins to look like a Sisyphean task.
Cybersecurity apathy writ large
Cybersecurity fatigue is real, and the public is becoming increasingly numb to cybersecurity incidents. Reminders to update passkeys, use password managers, not to reuse passwords and enable multi-factor authentication are a constant drumbeat. With every hysteria-filled announcement of another breach that spills user data and login credentials, more people tune it out entirely – after all, they have never been hit.
The ugly truth? Good cybersecurity is difficult, even when just talking about logins and passwords. Passwords should be long, 20-30 characters, randomly generated, and contain upper- and lower-case letters, numbers, and symbols. Each site should have its own password. People resist that: it is extremely difficult to remember a password like that, and it’s much easier to simply have a single password to use everywhere. A password manager is required to generate and store these passwords, as well as enter them when it comes time to log in. That password manager needs to work across platforms, e.g., Apple (phones, tablets, Macs), PC, Android, and Linux.
But a password manager is yet another thing – one that, to function, requires its very own password. To make it worse, the very public breach of LastPass, a popular password manager, makes people distrust password managers, especially those with a cloud component. There is also the learning barrier – using a password manager requires effort and changes how you log in. Password managers do tend to make logging in easier, but it’s a change that people must get used to, and people hate change to daily routines like logging in. Changing habits is hard, and not being able to just instantly enter a memorised password feels frustrating at first.
To really embrace cybersecurity, there needs to be a reckoning to correct old thinking and ideas. Password manager companies need to do a better job of reassuring the public that their products aren’t hard or scary to use, but designed with practicality in mind. What’s more, the inherent weaknesses in personal password generation must be emphasised: no matter how clever the scheme is that you’ve created, it’s vulnerable. Brute force techniques are far better than you can ever imagine (and no, before you say it, ‘password’ backwards isn’t clever). Password re-use, too, is a vulnerability, no matter how easy it makes things, and the fact that a person has never been hacked or doesn’t know anyone who has been isn’t a reason to keep old practices.
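The two points above, that passwords should be long, random and unique per site, and that a home-made "clever scheme" has far less strength against brute force than it feels like it has, can be made concrete with a short script. The following is an added example written for this article, not code from the author or from any password manager product. It generates policy-conforming passwords from the operating system's CSPRNG (`secrets`, never `random`), compares the keyspace of a random 24-character password with that of a typical word-plus-digits scheme, and flags password reuse across a small constructed vault. The guess rate of 10^11 per second used for the time estimate is an assumed attacker budget, not a figure from the article.

```python
import math
import secrets
import string

# Character classes the advice above requires in every password.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
ALPHABET = "".join(CLASSES.values())  # 88 characters in total


def meets_policy(pw: str, min_length: int = 20) -> bool:
    """True if pw is at least min_length chars and uses every character class."""
    return len(pw) >= min_length and all(
        any(c in cls for c in pw) for cls in CLASSES.values()
    )


def generate_password(length: int = 24) -> str:
    """Return a uniformly random password that satisfies meets_policy().

    Uses rejection sampling so the output stays uniform over the set of
    policy-conforming strings; secrets.choice draws from the OS CSPRNG.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def scheme_entropy_bits(choices: list[int]) -> float:
    """Entropy of a hand-made scheme, given the number of options at each slot.

    A scheme such as 'dictionary word + capitalisation + two digits + symbol'
    has keyspace = product of the per-slot choices, so entropy = sum of logs.
    """
    return sum(math.log2(c) for c in choices)


def years_to_guess(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to search half the keyspace at an assumed guess rate."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given {site: password}, return {password: [sites]} for reused passwords."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Hypothetical scheme: one of ~10,000 common words, optional capital,
    # two digits, one of ten symbols. Constructed for illustration only.
    scheme_bits = scheme_entropy_bits([10_000, 2, 100, 10])
    random_bits = entropy_bits(len(ALPHABET), 24)
    print(f"scheme password : {scheme_bits:5.1f} bits, "
          f"~{years_to_guess(scheme_bits):.2e} years at 1e11 guesses/s")
    print(f"random 24 chars : {random_bits:5.1f} bits, "
          f"~{years_to_guess(random_bits):.2e} years at 1e11 guesses/s")
    print("generated:", generate_password(24))

    # Constructed vault showing the reuse check; these are not real accounts.
    vault = {"mail.example": "Summer2024!", "bank.example": "Summer2024!",
             "shop.example": generate_password()}
    print("reused across:", find_reuse(vault))
```

The scheme comes out at roughly 24 bits, which at the assumed rate falls in well under a second, while the random 24-character password exceeds 150 bits. That gap, not any rule of thumb about "complexity", is why the article insists on generated passwords, and `find_reuse` is the kind of check a password manager runs to surface the one-password-everywhere habit.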
This isn’t about having perfect security. It’s about protecting yourself and limiting damage if a breach occurs, just like locking your doors and putting your blinds down at night. Take the plunge yourself. Get a password manager, then show a friend that it isn’t that hard and, in the end, never forgetting a password is a time-saver too! Proactive action with a password manager and password hygiene is important, and we cannot let the slew of high-profile breaches numb us from upping the quality of our own cybersecurity regimen.
Steve Schuchart is a Principal Analyst (Enterprise Security and Infrastructure) at GlobalData. A version of this story appeared on Verdict.