It's World Password Day on Thursday, May 7, which is a 24-hour warning to take care of your passwords because they're vital to your digital protection.

However, judging by some of the passwords in use it's fair to say the message isn't getting through to lots of people. The easiest passwords to crack, and alarmingly still in common use, are:
 
  • 123456
  • password
  • welcome
  • ninja
  • abc123
  • 123456789
  • 12345678
  • sunshine
  • princess
  • qwerty

Cybercriminals love you so much when you use passwords like these and similar. You've given them the keys to the front door. 

To give you a sense of scale something like 10,000 of the most common passwords allow access to 98% of all accounts. In other words, most people are using the same passwords and many for years at a time.

Come and get your passwords at a knockdown price
 
  • Only last year a single seller offered 617 million online account details stolen from 16 hacked websites including passwords.
  • Only a few weeks ago more than 500,000 Zoom accounts and passwords were discovered for sale on the dark web and in hacker forums.
  • Industry analysts reckon that in total there is something close to 9.5 billion passwords and 10.5 billion email accounts for sale on the dark web.

The dark web is a part of the internet hidden to most users and search engines. Criminals and identity thieves buy and sell stolen passwords and personal information on the dark web and if your passwords and personal information have ever been lifted in a data heist you need look no further than this submerged repository of stolen stuff. 

A million passwords, a million opportunities

So what does a hacker do with millions of passwords from users? A minority (but still a significant number) will be used for deep identify fraud in which the scammer impersonates someone to carry out loan and mortgage frauds and the passwords are one element in a wider scam. 

The majority are used in credential stuffing attacks which is still a form of identity theft. The attackers are hoping to break into an account either to access payment card details or to make fraudulent purchases.
 
  • In a credential stuffing attack, a hacker loads up a database with as many usernames passwords as he or she can get their hands on.
  • These login credentials are fed into an automated hacking tool that blitzes a website.
  • Because people rarely use completely random passwords they can often and easily access accounts. It's a bit like a key ring, the more keys there are the more likely it is that an attacker will find one that unlocks your account.

These attacks are much more common than you might think. According to industry estimates, 90% of all login attempts on retail websites aren't shoppers logging in with their own accounts. They're the result of a credential stuffing attack.

Airline sites are popular too, credential stuffing accounts for about 60% of logins while online banking sites account for 58% and hotels 44%.

Ouch… that hurts

Credential stuffing attacks only need a small margin of success to make them lucrative. If only 3% of one million attacks are successful that's 30,000 wins.

Imagine someone gaining access to your online shopping accounts; the consequences could be painful to say the least.

This is why you should use complex passwords and never, ever use the same password on multiple sites. But do you? Most don't.

And of course, career cybercriminals know this.

Take the high password road

The organizers of World Password Day not only want you to use long, complex passwords, they also push two-factor authentication (2FA).
 
  • You're probably already familiar with 2FA; the idea is to use two forms of security to increase the chances that it is you trying to access your account, and not somebody else.
  • 2FA can take a variety of forms. Most commonly, it involves using a regular password and then sending an alert to your phone to confirm whether it is really you logging in. If it isn't, then you can reject the request to sign in and change your password.
 
Celebrating World Password Day

Ironically World Password Day is less of celebration and more of blue lights, sirens wailing kind of day. It's more about protecting your family and yourself from the dangers and possibly awful consequences of identity theft than blowing trumpets and hanging out the bunting.
 
  • Go through your passwords and make them stronger, coming up with nonsense phrases you can remember, adding spaces, changing letters to numbers and the like to create something no hacker will ever be able to guess.
  • Avoid things like names, dates, anniversaries, pet names, and all of those things that seem obvious. These simple passwords aren't just easy to guess they're a cardinal sin.
 
If this is a problem, and let's face it, it can be fiendishly difficult to remember long and complex passwords, get yourself a password manager. It will do the job for you.

A helping hand

You've also got BullGuard on your side. Reading through this blog you've probably got a hint of just how deep and dark and disturbing the dark web is, and excuse the pun, we've barely skimmed the surface.

It's a stolen data repository, market place, and go-to destination for cybercriminals and scammers the world over, who want malware, to hire hackers and buy up all sorts of stolen identity details. 

Thankfully BullGuard Premium Protection has got you covered. 

It uses an advanced algorithm to scan the internet and thousands of dark websites for your personal information including passwords. If any of your sensitive data is stolen in a data breach, including passwords, and is put for sale BullGuard Premium Protection will find it and let you know immediately.

Find out more here.