As a cybersecurity consultant, I am often asked if some of the threats we industry practitioners talk about are overstated: hyped-up fear as a sales tactic. The simple answer is no. The fear is not overstated, and the risks are all too real – which helps to explain why cyber remains a top priority for financial firms. The risk really hits home when senior management realizes just how much exposure they have when their own data is sitting out there for the taking.
I am referring, of course, to our passwords – those sequences of text that give us access to our online lives. Everything from our corporate email to our social media accounts to our bank accounts and our Netflix accounts are accessible by usernames and passwords. If we’re lucky, we have multi-factor authentication enabled, although even that can be exploited and is not foolproof. But if our passwords are compromised, that second factor of authentication effectively becomes only one factor of authentication.
The fact is, as humans, we are inherently lazy. I don’t mean you, the specific reader of this post, but rather the collective “we” seem to prefer to create simple passwords and to reuse those same (or mostly similar) passwords across multiple sites. After all, we have so many passwords to remember right now, who can possibly keep track of them all? Wouldn’t it be easier to have one password, say your favorite sports team followed by a number, and just use that same password for your company email, your personal email, your social media accounts, your bank accounts, and your Netflix accounts? Why stop there? It would be even easier for us to use those same or similar passwords for every website where we have to create an account to access information, do online shopping, book travel, and go about our daily lives.
The problem is that many folks do just that. And data breaches of companies such as Target, Neiman Marcus, Adobe, LinkedIn, Marriott, and Yahoo, just to name a few, have left many passwords in the hands of hackers. Following a data breach of an entire company or even successful phishing attacks against individuals, hackers routinely post the credentials they have garnered in a seedy corner of the Internet called the dark web. There, hackers offer the credentials for sale in an online marketplace much like Amazon.
As part of CSS’s dark web monitoring cybersecurity service, we regularly find plaintext, unencrypted passwords of our clients out there on the dark web. We promptly notify our clients that their credentials have been compromised and recommend that they quickly change their passwords. In addition to the unencrypted passwords we have found for firms on the dark web, we have also found many hashed passwords. Sometimes when a company’s database is hacked, the actual passwords aren’t compromised, but the hashed versions of the passwords stored in that database are. A hashed password looks like gibberish, something like acbf7004dfa45def9397bbc00234dffab654. “Hashing” is a one-way process that takes a sequence of text (usually a password) and scrambles it to produce a unique output (like the gibberish sequence of characters in the prior sentence). If the hashing algorithm is designed well, each distinct password produces a distinct hash, and the hash cannot be reversed to recover the password. Encryption is a different, two-way process: anyone with the right key can decrypt the message back into its original text.
A compromise of scrambled, “hashed” passwords of employees is still a cybersecurity risk for firms. Why? Because hashed passwords can sometimes be cracked. Depending on the hashing algorithm used (in other words, depending on how the password is scrambled), it may be possible for hackers to easily determine what the underlying passwords are. Our team has been able to crack hashed passwords we found posted on the dark web, so we know the hackers can do it too. One password recently took less than 60 seconds to crack from that sequence of gibberish text into a six-character password. Other passwords sometimes take about 24 hours to crack. And hackers have all the time in the world.
In both examples above, the passwords were less than eight characters long. A short password, and particularly one that is just letters or numbers, can be cracked that easily.
Why can passwords be cracked?
The reason we are able to crack passwords so easily is that users rarely create truly random passwords when they choose them on their own. So hackers can take a list of the most common few thousand or few million passwords, run them through the common hashing algorithms, and record the hash values that come out. They put these in a table. Then, if I find a hashed password value in a hacker chat room on the dark web, I can simply look it up in that table to find the matching password. Maybe I can decipher a few characters at a time by matching known hashes to known text. But eventually, with sufficient time and a large enough sample, the password can likely be deciphered. The closer your password is to a commonly used password, the greater the chances that the password, or at least a portion of it, can be uncovered. A quick search of the Internet turns up numerous lists of common passwords.
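The lookup-table idea described above, as an added illustration that is not CSS’s tooling or code from this post: a constructed list of six “common” passwords stands in for the multi-million-entry lists the post mentions, an unsalted SHA-1 hash of a weak password is looked up in the precomputed table, and the same password stored with a per-user random salt and PBKDF2 (both from Python’s standard library) is shown to be absent from that table.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "most common few thousand or few million passwords" lists.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Giants1", "welcome1"]


def build_lookup_table(candidates, algo="sha1"):
    """Precompute hash -> password for every candidate (the hacker's table)."""
    return {hashlib.new(algo, pw.encode()).hexdigest(): pw for pw in candidates}


def lookup(leaked_hash, table):
    """Recovering an unsalted hash from the table is a single dictionary read."""
    return table.get(leaked_hash.lower())


def store_password(pw, iterations=200_000):
    """Defensive storage: random 16-byte salt plus a slow, iterated derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def verify_password(pw, salt_hex, iterations, dk_hex):
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed "leak": unsalted SHA-1 of a weak password, as it might sit in a dumped database.
    leaked = hashlib.sha1(b"Giants1").hexdigest()
    cracked = lookup(leaked, table)  # the weak password falls out immediately
    # Same weak password stored with salt + PBKDF2: the precomputed table no longer matches,
    # and two users with the same password get different stored values.
    salt, iters, dk = store_password("Giants1", iterations=10_000)
    _, _, dk_other_user = store_password("Giants1", iterations=10_000)
    return {
        "cracked": cracked,                                   # "Giants1"
        "salted_in_table": lookup(dk, table),                 # None
        "salts_differ": dk != dk_other_user,                  # True
        "verify_ok": verify_password("Giants1", salt, iters, dk),   # True
        "verify_bad": verify_password("giants1", salt, iters, dk),  # False
    }
```

Salting only removes the precomputed-table shortcut; the slow derivation is what makes guessing each user's password individually expensive, which is why short, common passwords still matter even with good storage.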
What can we do about it?
So back to the hype and fearmongering. Unless you have been living under a rock, I hate to be the bearer of bad news, but your passwords are out there on the dark web. They may be your old passwords. Some of them may be current. But with enough samples of your passwords, hackers can put together a fairly comprehensive profile of how you tend to create passwords. Dark web monitoring helps us all be a little more proactive, informing us right away when our passwords have been compromised and posted to the dark web hacker channels. With the dark web monitoring we perform for our clients, the value lies not only in identifying compromised credentials so that clients can change their passwords before the hackers use those logins against them, but also in being able to tell CCOs, CTOs, and CISOs that some of their employees are using company email accounts to register for personal websites, or are creating very poor passwords that put the firm at risk.
Contact CSS at firstname.lastname@example.org for a dark web monitoring assessment to put you back in the driver’s seat about keeping your passwords safe.