August 5, 2022
How do passwords end up in the hands of hackers and how can you prevent it from happening?
In this blog, Alice Conibere discusses the importance of good password security practices, as well as how to check whether your password has been included in a breach.

Password security is a topic often preached by many but practised by few, as is evident in Google’s 2019 Online Security Survey. 3,000 people were surveyed about their online security hygiene and what basic security terms such as “password manager” mean to them. Shockingly, at least 65% of people admitted to reusing the same password across multiple accounts, yet 59% of participants believe that their accounts are safer than the average person’s. Although we seem to understand the risks of reusing passwords, we continue to do so regardless of the consequences.

Some of us may have received an email in which a hacker claims to have our password, quoting a real password that we have previously used or are currently using. These are typically sextortion emails: the sender claims to have compromising images of you and relies on the scare factor of knowing your password to get you to pay a ransom, typically in Bitcoin. People often fall victim to these emails and pay because the hacker threatens to use your password to send these compromising images to your friends, family and colleagues. But how do these hackers get your password?

Data Breaches and Compromised Passwords

Phishing emails such as sextortion emails typically rely on your email address and password having been compromised in a data breach. Data breaches can occur both accidentally and deliberately, with malicious or non-malicious intent behind either. Generally, the data breaches used for phishing emails come from an unauthorised third party deliberately obtaining your data from an unsecured website or application. These hackers will usually then sell the gathered data on the Dark Web, where other users of this underground economy purchase it using cryptocurrency. These purchases are difficult to trace as the transactions are completely anonymised. The underground economy is becoming a more competitive marketplace as the number of data breaches increases and more sellers offer similar goods, so sellers compete to offer the best price for your data.

Each year Privacy Affairs analyses the price of personal data sold on the Dark Web and publishes the average prices in its Dark Web Price Index. Its 2022 report lists the cheapest accounts at $3 USD (CNBC Pro), with more popular streaming services such as Netflix and Hulu selling for between $4 and $5 USD on average. These prices show how little your personal data sells for and demonstrate why you should use a separate password for every account. Once your information is out there, hackers will often try your password across multiple websites to see if it has been reused, at which point they have effectively doubled their profit.

Hackers rarely target specific individuals, given the sheer amount of data available for purchase on the Dark Web. You can check whether your data has been involved in a data breach using a website such as Have I Been Pwned?, which allows you to search your email address or phone number to see whether it has been compromised in any of the breaches it indexes. You can also use the website to see whether your password appears in its Pwned Passwords list, which indexes passwords from previous data breaches. Even if your password is not identified as a pwned password, this does not mean that it has never appeared in a data breach: Have I Been Pwned relies on people submitting data breaches and on security researchers responsibly disclosing data to the site, so not every data breach is present in its database.
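Checking a password against Pwned Passwords without sending the password itself, as an added example that is not part of the original post: the service’s range API takes only the first five hex characters of the password’s SHA-1 hash and returns every matching suffix with a breach count, so the full hash never leaves your machine. The response used below is constructed for the example rather than fetched; the `fetch_range` helper and the API URL are assumptions about the live service.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed live endpoint


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """First 5 hex characters go to the API; the remaining 35 stay local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appeared in breaches, given the API body for
    its prefix (lines of 'SUFFIX:COUNT'). 0 means the suffix is not in the range."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (not called by the offline sample)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: a range response that contains the sample password's own
# suffix with a made-up count of 3, alongside two fabricated suffixes.
SAMPLE_PASSWORD = "Mittens1!"
_SAMPLE_SUFFIX = split_hash(SAMPLE_PASSWORD)[1]
CONSTRUCTED_RANGE_BODY = "\r\n".join([
    "0" * 35 + ":12",
    _SAMPLE_SUFFIX + ":3",
    "F" * 35 + ":1",
])

if __name__ == "__main__":
    print(pwned_count(SAMPLE_PASSWORD, CONSTRUCTED_RANGE_BODY))  # 3
```

For a live check, pass `fetch_range(prefix)` as the second argument instead of the constructed body.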

Unfortunately, we have little control over which data breach will occur next or how much of our personal information it will include, but you can take steps to make it harder for your other accounts to be compromised. If any of your data has been identified as compromised on Have I Been Pwned, you should make sure that the affected accounts have been updated with a new password and the appropriate security measures. Good security practices should be followed across all the accounts you create, so that the risk to you is minimised should your data end up in a data breach.

Password Security

We all know the importance of using a different password for every account, but it can be hard to remember each one. Today, hackers will try different variations of your password by adding special characters or capital letters – something that we are likely to just tack on the end to meet a given site’s password requirements. The National Cyber Security Centre (NCSC) advises users to use a password manager to help cope with password overload. A password manager stores all your passwords securely, meaning that you do not need to remember every individual password for each account. Password managers can also generate unique, strong passwords containing a wide mix of characters, numbers and symbols, and typically support password lengths of up to 50 characters.

Complex passwords containing random characters, numbers and symbols should be used instead of a common word mixed with a few symbols and capital letters. For security reasons, accounts generally do not store your password in plaintext; instead they store a hash of it. Hashing is a one-way function that uses a hashing algorithm to turn your plaintext password into a string of seemingly random letters and numbers. It cannot be reversed, but the same plaintext put through the same hashing algorithm produces the same string every single time. When you log into your online account, the password you enter is hashed using the website’s chosen hashing algorithm and compared against the stored hash. If the two match, you are logged in.

So how do hackers get your account’s password if the website is following good security practice and stores a hash rather than your plaintext password? Several hashing algorithms are in common use, such as MD5 and SHA1. MD5 is an old hashing algorithm that should not be used to store passwords, despite still being commonly used today. SHA1 is the successor to MD5 but suffers from the same issues, so it too should not be used, yet still is. These hashes are considered “broken” because the computational power required to calculate thousands of MD5 hashes in a few seconds is now available on an entry-level consumer laptop. SHA1 requires a little more computational power, so “breaking” these hashes costs more, but it is still doable with a bit more time investment. Instead, websites should use hashing algorithms such as SHA256 and SHA512 to hash our passwords.
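The hash-then-compare login flow described above, as an added example (not code from the original post). It goes one step beyond the text: rather than a bare SHA256 digest, each stored record carries a per-user random salt and an iteration count (PBKDF2 over SHA-256), both assumed parameters chosen here to show why two users with the same password should not end up with the same stored hash.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the post): 16-byte random salt, 600,000 PBKDF2 rounds.
SALT_BYTES = 16
ITERATIONS = 600_000


def unsalted_hash(password: str, algorithm: str = "sha256") -> str:
    """Plain hash as the text describes it: same input, same output, every time."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Build the stored record for an account. Only this string is saved;
    the plaintext password is discarded after hashing."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: re-derive from the entered password and compare to the stored hash."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, stored_hex = parts
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so response timing does not leak how much matched.
    return hmac.compare_digest(derived.hex(), stored_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(unsalted_hash(pw) == unsalted_hash(pw))       # True: same password, identical hash
    alice, bob = make_record(pw), make_record(pw)
    print(alice != bob)                                  # True: per-user salt, different records
    print(verify(pw, alice), verify("wrong", alice))    # True False
```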

You may have been lectured by multiple people about the importance of regularly updating your password; however, the NCSC advises against this. When we are told that our password has expired and must be updated, more often than not we simply change a letter to a capital or add a special character to the end of our existing password (typically a nice simple exclamation mark). As discussed above, this is ineffective because hackers will try different variations of your password. It is therefore best to mitigate the risk of your account being compromised by using one strong, unique password combined with multi-factor authentication (MFA) or two-factor authentication (2FA).
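A password-change check that rejects exactly the cosmetic tweaks the text describes (a capital letter, a trailing exclamation mark or number, a leet-style substitution), as an added defensive example that is not part of the original post. The substitution table and the minimum length are assumptions.

```python
import string

# Assumed leet-style substitutions, so "P@ssw0rd" and "password" share one core.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})


def core(password: str) -> str:
    """Reduce a password to the part people tend to keep: drop trailing digits,
    punctuation and spaces, lower-case it, undo leet substitutions, keep alphanumerics."""
    stripped = password.rstrip(string.digits + string.punctuation + " ")
    if not stripped:            # nothing but digits/punctuation: keep it whole
        stripped = password
    mapped = stripped.lower().translate(_LEET)
    return "".join(ch for ch in mapped if ch.isalnum())


def is_trivial_variation(old: str, new: str) -> bool:
    """True when the new password is the old one with the usual cosmetic tweaks."""
    a, b = core(old), core(new)
    if a == b:
        return True
    shorter, longer = sorted((a, b), key=len)
    # e.g. "Mittens" -> "MittensCat": the old core survives inside the new one
    return len(shorter) >= 4 and shorter in longer


def accept_new_password(old: str, new: str, min_length: int = 12):
    """Policy check for a password change; returns (accepted, reason)."""
    if len(new) < min_length:
        return False, "too short"
    if is_trivial_variation(old, new):
        return False, "too similar to the previous password"
    return True, "ok"


if __name__ == "__main__":
    print(accept_new_password("Mittens1", "Mittens2!!!!!!!"))   # (False, 'too similar ...')
    print(accept_new_password("Mittens1", "pebble-harbour-kite-19"))  # (True, 'ok')
```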

Other ways to protect your accounts

MFA/2FA comes in a wide range of forms, with some of the most common methods requiring you to enter a code that has been sent to you via email or SMS. You have likely used this method when logging into online banking; however, some banks now require you to verify via their application installed on your mobile phone, or alternatively by generating a login code with a physical device. These physical devices provide some of the strongest protection for your account because they require you to physically do something with the device your account is tied to. YubiKey and Google’s Titan Security Key are among the more popular hardware authentication devices. Mobile phone applications are also becoming more popular as verification methods by taking advantage of the hardware your phone now ships with: logging into applications containing sensitive data using your phone’s fingerprint reader or facial recognition is increasingly common because of how quickly and easily it unlocks your account.

Other ways to protect your personal data include:

  • Ensure that old accounts you no longer use are deleted. Every account runs the risk of being compromised, so you can minimise the amount of data you have shared across websites and applications by deleting accounts you no longer need. In the UK, you have the right of access to your own personal data if you are unsure what data an organisation holds on you, along with the right to be forgotten. The Information Commissioner's Office (ICO) provides advice about your rights regarding your personal data.
  • Double-check the sender’s email address and the grammar within an email. Phishing scams are becoming more and more sophisticated, resulting in more people entering their personal data into these forms. Do not open any attachments or click any links sent within these emails unless you are 100% sure that they have come from a trusted source. Even if you believe it is a trusted source, that source could itself have been compromised or hacked, so go directly to the website and check whether there is anything wrong with your account there. Suspicious emails can be reported to the NCSC by forwarding them to report@phishing.gov.uk.
  • Keep sensitive data private. Ensure that your social media profiles are set to private and try not to share too much personal information about yourself. Public social media accounts are a treasure trove of data for hackers, as you have likely posted information about yourself that relates to your password recovery security questions. It is great to have a unique password filled with random characters, but your hard work securing your password can easily go to waste if you are publicly posting about your first cat, Mittens. When you need to provide answers to password recovery security questions, give something totally different and random instead, to ensure your accounts are kept secure online.

If you have any questions about this article or would like to discuss your security setup, please contact our defensive team.