26.4.19

Over 23 million breached accounts used ‘123456’ as password



The notorious six-digit string continues to ‘reign supreme’ among the most-hacked passwords
An analysis of the 100,000 most-commonly re-occurring breached passwords confirms that ‘123456’ is the undisputed king of atrocious passwords.
Using data from Have I Been Pwned (HIBP), a website that allows users to check if their email addresses or passwords have appeared in a known data breach, the United Kingdom’s National Cyber Security Centre (NCSC) has found that 23.2 million user accounts worldwide were “secured” with ‘123456’. Its close, and similarly poor, relative, ‘123456789’, was used 7.7 million times, leaving the door just as wide open for cybercriminals. Other stalwarts among the most common passwords – ‘qwerty’, ‘password’ and ‘1111111’ – rounded out the top five.
And perhaps just as unsurprisingly, many of the most-hacked passwords were made up of names, soccer teams, musicians, and fictional characters. Some of the most popular choices each appeared in hundreds of thousands of passwords.
https://www.welivesecurity.com/wp-content/uploads/2019/04/Screenshot-NCSC-1.png
Source: NCSC
The NCSC made available the entire list of the 100,000 most commonly re-occurring passwords for breached user accounts. Overall, the NCSC’s findings may well bring echoes of other analyses of the most commonly re-occurring passwords. As we also reported late in 2018 and 12 months earlier, studies conducted annually by password security company SplashData produced very similar results.
At any rate, if any of your passwords appears on the NCSC’s list, you would be very well advised to change it post-haste, and perhaps use some of our guidance for picking passwords or passphrases that are both strong and unique. You can also use our how-to guide to check on HIBP if any of your online accounts may have been the victim of a known breach.
Setting up multi-factor authentication wherever possible will add an extra layer of security in exchange for very little effort.
Attitudes
Alongside the password risk list, the NCSC also published the results of its first ‘UK Cyber Survey’, which sought to find more about people’s awareness of, and attitudes towards, cybersecurity.
The survey, which gathered input from more than 2,500 people in the UK between November 2018 and January of this year, found that only 15% say they know “a great deal” about how to protect themselves from harmful cyber-activity. Most (68%) said that they know “a fair amount”.
More than two-thirds of the respondents believe that they will likely fall victim to at least one type of cybercrime over the next two years. The most prevalent concern was money being stolen, as 42% fear that this is likely to happen by 2021.
In order to learn more about the concerns of the US public about cybercrime, you may want to read our recent blog post about the ESET Cybersecurity Barometer. We have also published a parallel report for Canada.

25.4.19

ESET becomes a partner of Alphabet’s Chronicle



ESET, a global leader in cybersecurity, announces that it is entering into a partnership with Chronicle, an Alphabet company, to provide essential validation of security incidents and alerts within Backstory, Chronicle’s global cloud service. Through this service, companies can upload, store and analyze their internal telemetry in order to detect and investigate potential attacks. ESET’s partnership with Backstory will give customers improved insight for even better protection against advanced persistent threats.

With more than 30 years of innovation in cybersecurity, ESET protects more than 110 million users in 200 countries and regions worldwide. Nearly 40% of ESET’s employees work in research and development, so that ESET’s customers, and the world as a whole, are better protected against the newest and most advanced cyber threats. ESET’s threat data blocks targeted attacks, stops botnets and detects advanced persistent threats.

“Our partnership with Chronicle will lead to simpler, faster and more streamlined remediation of advanced persistent cyber threats,” says Tony Anscombe, global security evangelist and industry ambassador at ESET. “Through our collaboration with Chronicle, our customers will understand incidents faster and in more detail, take the appropriate actions and stay a step ahead of the bad actors. This will truly make the world safer,” Anscombe concludes.

“We are delighted to have ESET on board as an Insight Partner,” says Ansh Patnaik, Chief Product Officer at Chronicle. “As a global platform designed to analyze enterprise security telemetry, Backstory offers customers more benefits once it is integrated with other key technologies within customers’ networks.”

More information can be found at ESET.com

 

ESET becomes a partner of Chronicle, an Alphabet company




April 25, 2019 - San Diego, Calif. - ESET, a global leader in cybersecurity, today announces that it has entered into a partnership with Chronicle, an Alphabet company, to provide essential validation of security incidents and alerts in Backstory, Chronicle’s global cloud service. With it, companies can upload, store and analyze, privately, their own security telemetry to detect and investigate potential attacks. ESET’s partnership with Backstory will give users improved insight that enables better protection against advanced persistent threats.

With more than 30 years of innovation in cybersecurity, ESET protects more than 100 million users in 200 countries and regions worldwide. Nearly 40% of ESET’s employees work in research and development, thereby protecting ESET’s users as well as the whole world against the newest and most advanced cyber threats. ESET’s threat intelligence blocks targeted attacks, protects against phishing, stops botnets and detects advanced persistent threats.

“Our partnership with Chronicle means simpler, faster and more streamlined remediation of advanced persistent cyber threats,” explains Tony Anscombe, ‘malware evangelist’ and ESET brand ambassador. “Together with Chronicle, our customers will understand incidents faster and in more detail, will be able to take the appropriate actions and always stay one step ahead of the bad actors. The world will thus be even more secure,” Anscombe concludes.

“We are delighted to have ESET with us as a strategic partner (Insight Partner),” said Ansh Patnaik, head of product at Chronicle. “As a global platform designed to analyze enterprise security telemetry, Backstory offers users more benefits when it is integrated with other key technologies in their networks. We are confident that through our collaboration with ESET, customers will have a broader and more precise view of threats within their networks.”

For more information, visit ESET.com

WannaCryptor ‘accidental hero’ pleads guilty to malware charges




Marcus Hutchins, who is best known for his inadvertent role in blunting the WannaCryptor outbreak two years ago, may now face a stretch behind bars.
British malware analyst Marcus Hutchins, who was propelled to cyber-stardom after he helped neutralize the outbreak of the WannaCryptor aka WannaCry ransomworm in May 2017, has pleaded guilty to two charges related to creating and distributing malware between 2012 and 2015.
Known online as MalwareTech, Hutchins made a name for himself in the midst of the WannaCryptor outbreak after he inadvertently turned on the ransomworm’s ‘kill switch’, causing WannaCryptor’s propagation to slow to a trickle within hours. Much to the astonishment of many in the security community, however, he soon faced charges in the United States that he himself had written malware before embarking on a career in cybersecurity research.
Fast forward two years, and the plea deal filed at a court in Wisconsin reveals that Hutchins, 24, has admitted to helping author and sell two Trojans between July 2012 and September 2015. Called ‘Kronos’ and ‘UPAS Kit’, the two pieces of malware were designed to steal people’s banking login information.
Each of the two charges to which Hutchins has admitted guilt carries a maximum of five years in prison and a penalty of up to US$250,000. Meanwhile, eight other counts have been dropped by federal prosecutors.
In a statement on his personal website, Hutchins writes that he assumes full responsibility for and regrets the mistakes he made in his teenage years. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks,” wrote Hutchins.
Hutchins was arrested at the airport in Las Vegas in early August 2017, just as he was about to board a flight home after attending the Black Hat and DEF CON security conferences. Federal prosecutors pressed six charges against him over his then-alleged Kronos’ authorship, before four more charges related to UPAS Kit were added to the case in June 2018. Hutchins was released on bail shortly after being corralled, but was barred from leaving the United States. Until late last week, he denied any wrongdoing.
We have previously published several articles that looked into the WannaCryptor outbreak and its aftermath, so you may want to refresh your memory with any (or all) of these pieces:

https://www.welivesecurity.com/2019/04/23/wannacryptor-accidental-hero-pleads-guilty-malware/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29