Passwords are still underestimated, and it's problematic


Aurore Gaillet


It's no coincidence that they are widely used online to protect our accounts. However, despite numerous warnings and recommendations, passwords are still often taken too lightly. Here's everything you need to know on the subject to secure your digital activities.

On average, according to France Numérique (a government initiative to support the digital transformation of small businesses and SMEs), we have about a hundred online accounts and just as many passwords.

81% of data breach reports worldwide are related to a password issue. (Source: Verizon Business - 2021 Data Breach Investigations Report)

Too Simple Passwords

According to data from CNIL (National Commission on Informatics and Liberty), in 2021, 60% of the complaints received were related to password hacking.

In 2023, according to a study by NordPass (password manager), despite recommendations, the most commonly used passwords were still 123456, azerty, loulou, 00000… all "protections" that hackers can recover in less than a minute.

Source: HiveSystems

Be Careful with Password Recovery…

GDPR (General Data Protection Regulation) is clear: if you forget your password and request it from the site, the company must send you a password reset link… and certainly not the password you entered when registering.
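The reason a site cannot legitimately send back your password is that it should never have kept it in cleartext. The example below is added here (it is not from the article or from any product it mentions) and shows the two halves of that rule: storing only a salted scrypt hash, and answering a "forgot password" request with a single-use, expiring reset link. The user table, the 15-minute token lifetime and the example.invalid domain are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "user table" for the example; a real site would use a database.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 15 * 60  # assumed policy: reset links expire after 15 minutes

def register(email, password):
    """Store only a salted scrypt hash: the cleartext password is never kept,
    so there is nothing the site could email back to the user."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    USERS[email] = {"salt": salt, "hash": digest}

def verify(email, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    user = USERS.get(email)
    if user is None:
        return False
    digest = hashlib.scrypt(password.encode(), salt=user["salt"], n=2**14, r=8, p=1)
    return hmac.compare_digest(digest, user["hash"])

def issue_reset_link(email):
    """What a compliant site sends on 'forgot password': a random, expiring,
    single-use link. Only a hash of the token is stored, so a leaked table
    does not contain usable reset links."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": time.time() + TOKEN_TTL}
    return f"https://example.invalid/reset?token={token}"  # placeholder domain

def redeem_reset(token, new_password):
    """Consume the token (pop makes it one-use) and set the new password.
    Returns False when the token is unknown, already used or expired."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or entry["expires"] < time.time():
        return False
    register(entry["email"], new_password)
    return True
```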

For data controllers, any significant security issue found by CNIL can lead to a substantial fine: up to 4% of global turnover or 20 million euros (depending on the size of the company).

Severe Consequences in Case of Hacking

How Are Your Passwords Recovered?

There are several types of hacking:

  • Phishing: involves pretending to be a trusted third party to extract information from a person (passwords, payment data…)
[Example of a phishing email (image): "UPS INTERNATIONAL SHIPPING AND LOGISTICS SERVICE | UPS FRANCE. You have (1) parcel awaiting delivery. Use your code to track and receive it. Dear Customer, schedule your delivery and subscribe to our notification calendar to prevent this from happening again!"]
  • Interceptor Attack: an attacker inserts themselves between two otherwise uncompromised systems, observes the exchanges (including the encryption in use) and extracts information. The technical term for this type of attack is "Man-in-the-middle."
Source: NordVPN
  • Brute Force Attack: this type of hacking involves using software to try many possible combinations of passwords.
    Available dictionaries (from the tool's documentation):
    • 8-more-passwords.txt: passwords with more than 8 characters. Excludes numeric-only passwords, runs of 3 or more consecutive characters, all-lowercase passwords, and passwords lacking at least one capital letter and one number. Total: 61,682 passwords.
    • 7-more-passwords.txt: passwords with 7 characters or more; numeric-only passwords removed. Total: 528,136 passwords.
    • 1000000_password_seclists.txt: a collection of 1,000,000 passwords from SecLists.
Source: bruteforce-database

Some examples from these dictionaries:

123456, password, 12345678, qwerty, 123456789, 12345, 1234, 111111, 1234567, dragon, 123123, baseball, abc123, football, monkey, letmein, 696969, shadow, master, 666666, qwertyuiop, 123321, mustang, 1234567890, michael, 654321, pussy, superman, 1qaz2wsx, 7777777
  • Credential Stuffing: following a breach, hackers reuse the recovered passwords, testing them in different email/password combinations on other sites.
  • Keystroke Logging: spyware (keyloggers) records everything typed on the keyboard. Some open-source programs capture mouse clicks and entered characters… and send them by email to the attacker without being detected by antivirus software.
[Demonstration of keystrokes recovered by email (image): a message from "ben" with no subject, containing captured keys such as Key.ctrl and Key.shift and the typed text "youtube.com".]
Source: KeyLogger

Since each key produces a slightly different sound (a side effect of the manufacturing process), there are even projects that recognise typed keys from the computer's microphone using machine learning.

Why Are Hackers Interested in Our Passwords?

Hackers seek to obtain personal passwords to impersonate individuals, steal banking details, perform transactions in their name without their knowledge, or blackmail them.

For companies, industrial espionage to recover trade secrets or operational methods is among the most frequent motivations. The resulting data breach leads to severe consequences for affected firms: diminished reputation, loss of customer trust, revenue loss, increased insurance costs…

Tips for a Strong Password

  • Never share your personal passwords and avoid saving them automatically.
    • If you must share a password: send your account identifier via one communication tool and your password through another, so that two tools are required to retrieve your access. Afterwards, change your password: there is no guarantee that your contact adheres to password protection rules.
  • Long and complex passwords are harder to crack: an effective password should contain at least 14 characters, including a mix of uppercase, lowercase, numbers, and special characters (e.g., ! & / ).
  • CNIL also encourages online tool providers to implement two-factor authentication. This method remains one of the best ways to enhance user data security. It requires identification by two different means: an access code and facial recognition, or a one-time numeric code sent via SMS...
  • As a user, set up two-factor authentication on the online services that offer it.
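To make the length and character-class rule concrete, and to tie it back to the brute-force and dictionary attacks described earlier, here is an added example (not code from the article or from the tools it cites). It checks a password against the article's rule (14+ characters, the four character classes, not in a common-password list) and estimates the worst-case exhaustive-search time; the short common-password sample and the guess rate of 1e10 per second are constructed assumptions, not figures from the article.

```python
import string

# Constructed sample of the common passwords the article lists (drawn from the
# bruteforce-database dictionaries); a real check would load the full wordlist.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "azerty",
                    "123456789", "letmein", "dragon", "1qaz2wsx", "loulou"}

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def check_policy(password):
    """Apply the article's rule: 14+ characters, all four character classes,
    and not in a common-password dictionary. Returns the list of failed checks
    (empty list means the password passes)."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password dictionary")
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    return problems

def brute_force_seconds(password, guesses_per_second):
    """Worst-case exhaustive-search time for a password of this length, assuming
    the attacker knows only which character classes are present. The guess rate
    is an assumed parameter, not a figure from the article."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password) / guesses_per_second

if __name__ == "__main__":
    for pw in ["azerty", "Loulou2023", "Tr0ub4dor&3Kayak!"]:
        print(pw, check_policy(pw) or "OK",
              f"{brute_force_seconds(pw, 1e10):.3g} s at 1e10 guesses/s")
```

Running the block shows the dictionary entry "azerty" failing every check and being searchable in a fraction of a second, while the 17-character mixed-class password passes and its search space is astronomically larger.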

Some Useful Tools

Password managers are effective in preventing hacking. These digital solutions offer several features:

  • Password generation.
  • Storage of credentials and passwords.
  • Automatic login.

France Num recommends using Keepass, a French software available on computer or mobile. This tool allows you to manage your passwords yourself, without relying on third-party company servers.

Example with KeepassXC

You can use a manager on your desktop, in the cloud, or in your browser. However, the latter option is not recommended: a hacker could recover your passwords through the "auto-fill" function. For example, passwords stored in Chrome have attracted hackers' attention: some browser extensions can be used to extract them.

Otherwise, CNIL provides a tool to create a secure password, built from a chosen phrase.

What to Do If Your Password is Stolen?

In case of a hack, several actions are recommended by the Ministry of the Interior:

  • Report to the social network or website in question so they can check if the password recovery is related to a flaw in their security system.
  • Reset your password.
  • Contact CNIL via its online form.
  • Change your passwords on all sites requiring the stolen password: hackers often test the email/password combination across multiple sites to try to access other accounts.

It is essential to secure your data by using strong passwords to prevent data theft and ensure the security of your sensitive information. Password creation and management tools are now available to help you. While they are secure, they remain, like any IT system, vulnerable.

[Cover photo: Anne Nygard]
