Since 2005, 11.7 billion records have been breached through phishing, malware, and other kinds of cyberattacks.
And in its 2022 Data Breach Investigations Report, Verizon notes that login credentials are the favored type of data for bad actors to steal because they are so useful for mimicking legitimate users online. In fact, Verizon found that over 80% of basic web application attacks (attacks that directly target an organization’s most exposed infrastructure, such as web servers) can be attributed to stolen passwords.
Once passwords are stolen, they are often made available on the dark web, where would-be cybercriminals can buy databases full of them. But what exactly is the dark web, and how can you make sure your passwords don’t end up there?
Read on for more about this little-known corner of the internet and a few tips for keeping your passwords out of the dark web.
What Is the Dark Web?
The dark web is a collection of websites that aren’t indexed by or accessible through Google or other search engines. These websites can only be accessed through the use of a special browser.
This browser is called Tor (short for The Onion Router; dark web sites end in .onion instead of .com, .org, and so on). It was created by the US Navy in 2002 and uses strong encryption to let people communicate online anonymously. Now it is often used for illegal activity…including the selling of stolen data.
Hackers can buy databases of stolen passwords on the dark web, which they then use to try to gain access to other websites.
They do this using automated tools that allow them to run tens of thousands of attempts per minute until one works—a technique called credential stuffing. If they find a password that works on a valuable service (like a bank website), they can then sell that password on the dark web again. This is how cybercriminals make money off of stolen passwords.
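One way a site’s defenders spot credential stuffing in progress, as an added example that is not part of the original post: the tell-tale sign is a single source cycling through many different usernames within seconds, rather than one person retrying their own account. The log format, addresses and sample lines below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines: "<ISO timestamp> <client IP> <username> <result>".
# One source walks through six accounts in three seconds (stuffing); another
# retries a single account a few times (a real user mistyping a password).
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice FAIL
2024-05-01T10:00:01 203.0.113.7 bob FAIL
2024-05-01T10:00:01 203.0.113.7 carol FAIL
2024-05-01T10:00:02 203.0.113.7 dave FAIL
2024-05-01T10:00:02 203.0.113.7 erin FAIL
2024-05-01T10:00:03 203.0.113.7 frank OK
2024-05-01T10:00:10 198.51.100.4 alice FAIL
2024-05-01T10:00:40 198.51.100.4 alice FAIL
2024-05-01T10:01:05 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, username, result)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Return {ip: distinct usernames tried} for every source that attempted at
    least `min_users` different accounts inside any `window`-long span."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged into successfully: those passwords were
    evidently in the stolen database and should be reset."""
    return sorted({u for _, ip, u, res in events if ip in flagged and res == "OK"})
```

On the sample data the first address is flagged (six accounts in one window) and `frank` is the account whose stolen password worked, while the second address, a user retrying one account, is left alone.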
4 Tips for Keeping Your Passwords Out of the Dark Web
To keep your passwords off of dark websites and safe from hackers, you need to ensure that the passwords you use are strong and secure. Here are a few tips for creating secure credentials and keeping your passwords out of the dark web.
1. Practice Good Password Hygiene
Creating strong, unique passwords is the first step toward keeping your data safe online. Practice good password hygiene by following these rules:
- Avoid common passwords like qwerty, 123456, password, 1111111, letmein, 1q2w3e, and so on. (You’d be surprised how often these are used!)
- Avoid using repeating characters, single dictionary words (football, princess, sunshine, etc), and special character substitutions (@ for a, 3 for E, $ for S, and so on).
- Change your passwords regularly…and change them completely! Don’t simply add a number, symbol, or capital letter. Create a whole new password.
- Don’t use meaningful numbers such as your house number, phone number (current or childhood), birthdates, anniversaries, graduation dates, or social security number. Don’t use these numbers even partially—it will be too easy for hackers to decipher.
- Be careful what you share on social media. Those little quizzes everyone likes to share with their favorite color, childhood pet, and so on may seem fun and innocent, but they’re a great way to give out valuable information to would-be hackers. Hackers know that people commonly use personal details like this in their passwords or security questions. So be careful what personal details you share…or better yet, just don’t use those details in your passwords.
2. Don’t Recycle Your Passwords
This tip falls under good password hygiene, but it’s so important that it needs its own section.
Recycling is fantastic for the planet…recycled passwords, on the other hand, are not so great. Re-using the same password for multiple accounts can put your cybersecurity at risk. This is true even for the strongest passwords: if you use the same strong password for every site you log into, it’s suddenly not so strong anymore.
This is because if a hacker steals your password from one site, they’ll be able to access all of the sites you use that password for. So if your password for, say, your Netflix account is stolen, you might think that it’s not that big of a deal, because you don’t store important information in your Netflix account. However, if you use that same password for your bank accounts, those accounts are now at risk.
Unfortunately, as many as 73% of online accounts are guarded by duplicated passwords. Make sure you aren’t included in that statistic by creating unique passwords for every site you log into.
3. Use a Password Manager
There’s only one problem with creating unique passwords for every account…remembering them all! The best way to ensure you have unique, strong passwords for all of your accounts without having to remember them is to use a password manager.
A password manager creates long, strong, randomized, unique passwords for all of the sites and apps you need them for, and then stores them securely. With a password manager, you only have to remember one username and password: the one for your password management account.
A note on password managers: these are different from the password-saving feature your browser offers or the “keychain” feature on iPhones. Neither of those options is as secure as a dedicated password manager, because they don’t require any further authentication once you’re signed into that browser or that device.
A password manager, on the other hand, will require you to use at least two forms of authentication to log in. Plus, you’ll be able to access your password manager across all of the devices you use.
4. Use Multi-Factor Authentication
Many apps and websites are beginning to offer the option of multi-factor authentication. This is a great way to keep your information out of the hands of hackers. Multi-factor authentication should ideally include three elements:
- Something you know: your username and password
- Something you have: a text or push notification, an authenticator app, or a hardware token
- Something you are: a fingerprint, face scan, or another type of biometric factor
You should use multi-factor authentication for your password manager, as well as on any website or app that contains sensitive information. If an app or website that stores your important data doesn’t offer this as an option, think twice about using that site or app.
Tech Dump is your local, certified partner for secure data destruction and electronics recycling. Contact us today at 763.432.3117 to learn how we can help you recycle your devices without compromising the security of your sensitive data.