Research carried out by Google in association with the University of California, Berkeley has established that there are 1.9 billion usernames and passwords being traded on the black market. What’s more, as many of 25 percent of these stolen credentials could actually be used to access a legitimate Google account.
The report used Google’s proprietary data to investigate whether or not the pilfered passwords would unlock the door to working accounts, according to Business Insider. Unfortunately, it confirmed that this is definitely the case, reaffirming the importance of proper online security.
“Through a combination of password re-use across thousands of online services and targeted collection,” reads the study. “We estimated seven to 25 percent of stolen passwords in our dataset would enable an attacker to log in to a victim’s Google account and thus take over their online identity due to transitive trust.”
This is the danger of using the same password across multiple sites and services — if it’s exposed in one data breach, attackers might be able to combine it with known usernames or email accounts to access various different accounts.
We’ve seen plenty of breaches that left user passwords out in the open in recent years. In 2012, millions of encrypted LinkedIn passwords were leaked to the web, while we’re only just starting to understand the scope of an attack on Yahoo that took place in 2013 — in October, reports circulated that some 3 billion accounts were affected.
The researchers offer up a few different methods that people can use to protect their accounts from unauthorized access. For example, they might use a password manager that creates bespoke entry key for each individual site or service they visit, without them having to remember each one for themselves.
It’s also considered a best practice to employ two-factor authentication, especially for important accounts. This means that anyone gaining access from a new device also needs to provide a code that is typically sent to a smartphone, or an approved email account.
Of course, choosing a secure password is a good start. The top three passwords from plaintext leaks analyzed in this study were ‘123456,’ ‘password,’ and ‘123456789,’ none of which are particularly strong.
