Old Passwords for Sale: May Still Work

Last week, Troy Hunt, a security researcher who runs Have I Been Pwned, reported finding an 87GB file of 773M email addresses and passwords up for sale on a hacking forum. News sources quickly cited it as the largest public data breach to date. We later found out that this megabreach wasn’t a new breach at all but rather a database of credentials from multiple breaches that were 2 to 3 years old.

You can exhale a little bit.

Despite the credentials being “old” rather than “fresh,” it’s likely that some of those passwords are still valid. How so? The average user tends to reuse the same password across multiple accounts. Even if they changed their password on the breached site, they may still be using that same password elsewhere, which makes the email-password combination just as valuable, if not more so.
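The practical question a defender asks about a corpus like this is whether a given password appears in it, without ever sending the password anywhere. The k-anonymity range lookup used by the Pwned Passwords service behind Have I Been Pwned answers that: the client sends only the first five hex characters of the password’s SHA-1, receives every known suffix sharing that prefix, and finishes the match locally. The code below is an added example, not code from the original post or from Have I Been Pwned; the range data it matches against is constructed in-memory so it runs offline, and the breach counts in it are made up.

```python
import hashlib

# Constructed stand-in for a k-anonymity range service. The real Pwned Passwords
# endpoint returns, for a 5-hex-char SHA-1 prefix, every 35-hex-char suffix it
# knows with a breach count. The rows below are made up for this example; only the
# second suffix is real (it completes SHA-1("password")).
FAKE_RANGE_DB = {
    "5BAA6": [
        ("0" * 34 + "A", 2),                                   # constructed filler
        ("1E4C9B93F3F0682250B6CF8331B7EE68FD8", 1234),        # suffix of SHA-1("password"); count constructed
        ("F" * 34 + "0", 7),                                   # constructed filler
    ],
}


def fake_range_lookup(prefix: str) -> str:
    """Mimic the response body of a range query: 'SUFFIX:COUNT' lines, CRLF separated."""
    rows = FAKE_RANGE_DB.get(prefix.upper(), [])
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the 5-character prefix ever leaves the machine; the suffix stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus, or 0 if unseen.

    `lookup` takes a prefix and returns the range body; swap in an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix> for a live check.
    """
    prefix, suffix = split_hash(password)
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "canemarkerwater"):
        n = breach_count(pw)
        verdict = f"seen {n} times, do not use" if n else "not in this corpus"
        print(f"{pw!r}: {verdict}")
```

Because the match happens on the client, a compromised or logging service only ever learns a prefix shared by roughly one in a million possible hashes, which is why this check is safe to wire into a signup or password-change form. A zero result only means the password is absent from the corpus queried, not that it is strong.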

If the average email address is linked to 130 accounts, does that mean you need to remember 130 different passwords? Ideally, yes, but that’s a near-impossible feat for most of us. Password managers, such as Dashlane and LastPass, are probably your best bet for keeping track of a unique password for each of your accounts. (It is worth noting that some security experts say it’s okay to reuse passwords on websites that don’t hold sensitive information, such as news or blog sites. It’s not recommended … but we need to be realistic.)

Whatever you do to create passwords that you can remember, here are a few tips for what to avoid:

  • Do not, under any circumstances, reuse the passwords you use for your email address and bank account.
  • Do not use a single word as your password (e.g. “password” or “football”).
  • Do not “password walk.” Password walking is essentially a glissando on your keyboard: you’re just walking from one key to the next adjacent one. (Fun Fact: “Qwerty” and “123456” have held the top two spots on the list of worst passwords every year since 2011.)

As for what to do when creating passwords: longer passwords are more difficult to crack than short, complex ones. If you had a safe that required 6 numbers to open rather than 3, it could, in theory, take someone twice as long to break into it. Complexity and randomness can also help in creating secure, unique passwords. For instance, let’s create a password using the words cane, marker, and water. You could have canemarkerwater, or c@n3m@rk3rw@t3r, in which you replace the A’s with @ and the E’s with 3.
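The three “do not” tips above and the length-versus-complexity advice here can all be enforced by a small policy check at password-creation time. The code below is an added example, not from the original post; its word list, keyboard rows and substitution table are constructed for illustration (a real deployment would use a full dictionary and a larger substitution map). It flags single dictionary words, keyboard walks along one row, and short passwords, undoes the @ and 3 style substitutions before the dictionary check (which is why c@n3m@rk3rw@t3r and canemarkerwater are treated alike and only their length earns them a pass), and carries the safe analogy through in numbers: going from 3 digits to 6 raises the combinations an attacker must try from 1,000 to 1,000,000.

```python
import math

# Constructed tiny dictionary; a real check uses a full wordlist plus a breach corpus.
COMMON_WORDS = {"password", "football", "cane", "marker", "water", "qwerty"}

# Rows of a US QWERTY keyboard; a "walk" moves one key left or right within a row.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Substitutions that cracking rule sets routinely undo; constructed subset.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                          "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})


def normalize_leet(pw: str) -> str:
    """Map leet-style substitutions back to letters so dictionary checks still fire."""
    return pw.lower().translate(LEET_MAP)


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if every character sits on one keyboard row and each step is to an adjacent key.

    Covers walks such as 'qwerty' and '123456' (either direction); column walks
    like 'qazwsx' are out of scope for this example.
    """
    s = pw.lower()
    if len(s) < min_len:
        return False
    for row in KEYBOARD_ROWS:
        if all(c in row for c in s):
            idx = [row.index(c) for c in s]
            if all(abs(a - b) == 1 for a, b in zip(idx, idx[1:])):
                return True
    return False


def search_space(length: int, alphabet_size: int) -> int:
    """Number of combinations a brute-force attacker must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Same quantity expressed in bits; each extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the list of policy problems; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if is_keyboard_walk(pw):
        problems.append("keyboard walk")
    if normalize_leet(pw) in COMMON_WORDS:
        problems.append("single common word (after undoing substitutions)")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "qwerty", "p@ssw0rd", "canemarkerwater", "c@n3m@rk3rw@t3r"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    # The safe analogy, carried through: 3 digits vs 6 digits.
    print("3-digit safe combinations:", search_space(3, 10))
    print("6-digit safe combinations:", search_space(6, 10))
```

The order of checks matters: the keyboard-walk test runs on the raw password, while the dictionary test runs on the normalized form, so p@ssw0rd is rejected for the same reason password is. The entropy helper makes the length argument concrete: a 15-letter lowercase passphrase has about 70 bits of search space, far more than an 8-character password drawn from every printable key.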

Regardless of what you opt to do, remember that passwords aren’t foolproof, but they are protecting YOUR information.