There Are 24.6 Billion Pairs of Credentials For Sale On Dark Web

An anonymous reader quotes a report from The Register: More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found. Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

With all those credentials available for sale online, account takeover attacks have proliferated as well, the report said. Seventy-five percent of the passwords for sale online were not unique, noted Digital Shadows, which said everyone needs to be wary. Proactive account protection, consistent application of good authentication habits, and awareness of one's organizational digital footprint are necessary to protect against account takeover attacks, the study found. Individuals, the report said, should "use multi-factor authentication, password managers, and complex, unique passwords."

6.7B unique?

[jddj]

Then if so, how can there be 24B total? If there are dupes, you don't have ~17.3B remaining, but some smaller number.

If the 17.3B have been de-duped, then you have 24B uniques.

Re:

[Tablizer]

sshhh, don't mention the D word around Slashdot.

Re:

[Mr0bvious]

Slashot

Re:

[bloodhawk]

I imagine they mean unique as in the username/password pair is unique (i.e. you didn't reuse the same password).

Re: 6.7bn unique?

[shitzu]

They are testing them daily. Against my ssh server where password login is disabled.

Re:

[micheas]

They are testing them daily. Against my ssh server where password login is disabled.

I've been thinking that a fake ssh server would be a good way of collecting password pairs.

Re:

[phantomfive]

I was thinking something similar. While I am prepared to accept that there really are 24Billion credentials, I'm more inclined to believe that there is something wrong with their methodology. The odds favor the latter.

Re:

[arglebargle_xiv]

I'm a bit dubious about the magnitude of that as well, but for a different reason: I've been warned by haveibeenpwned about being pwned on web sites I've never heard of before, which means either there's lots of false positives or there's problems recording true figures due to things like credential stuffing attacks.

Current security procedures

[RitchCraft]

Current security procedures are obviously not working and never will. Something radically new needs to come along. What that is I don't know, but current methods are failing miserably.

Re:Current security procedures

[ctilsie242]

You can get some decent security with FIDO tokens (YubiKeys). With even just 2FA from a phone or other device, it requires an attacker to compromise the phone, and the desktop endpoint to get the password, assuming both are stored in separate PW managers. Of course, if the Oauth token is snarfed, game over, but endpoint compromise is a nasty thing anyway, and no amount of authentication will protect against a compromised desktop or device.

Nothing is 100%, but FIDO tokens can help deter account compromise, just because someone has to be physically present and tap a button (perhaps enter a PIN) before authentication can finish.

Re:

[phantomfive]

If 24Billion credentials have been stolen, it's because websites have been compromised. They didn't capture the credentials from 24 billion people individually.

Re:

[Junta]

This is a running sum of credentials including compromised sites, phishing, and everything else.

You'd still have *plenty* even if no server ever got compromised.

You'd also still have plenty if server compromised and they even did proper salting and hashing with adequate complexity (the user passwords tend to be easily guessed).

If a site forbids user-selected passwords in favor of registering their authenticator devices (with a PITA but accessable recovery mechanism for lost/stolen), then that site is in goo

Re:

[phantomfive]

You'd still have *plenty* even if no server ever got compromised.

Not 24 billion. Think how long it would take to get that many credentials by phishing, and how many repeat "customers" you'd need.

Re:

[Junta]

The specific scale is not as important, if it's millions or billions the realities are still there.

Re:

[phantomfive]

The scale doesn't matter? So if I said there were 28 trillion credentials on the dark web, that wouldn't seem strange to you?

Re:

[Junta]

It may be strange and impractical, but it wouldn't be any more problematic from a practical standpoint. Once you get to hundreds of thousands, you should take it as a security problem to worry about seriously already, you don't need to think about billions or millions. The billions represent a sum of phishing attacks (which can intercept credentials trivially) sites that store password as plain text, passwords stored unhashed that were subject to rainbox attacks, correctly salted and crypted but easily gu

Re:

[phantomfive]

I'm not trying to say that phishing shouldn't be taken seriously. Or that passwords are the greatest ever. I agree with you, it should. My point is:

1) 24 billion credentials are so many that it would be hard to collect in any way other than hacking websites.
2) Their numbers are suspect, because they are so high.

Re:

[AmiMoJo]

The way FIDO2 works it doesn't matter if they compromise your credentials on the server, because they can't be used to log in without the secret stored on your security key.

Re:

[bloodhawk]

current good security practises work just fine, the fact these credentials have been harvested is just a demonstration of how many sites still completely ignore basic good security practices with lack of encryption/hashing for creds and no MFA. It isn't rocket science, but it is not preschool playing with plasticene either which is about the competence level for most admins and developers.

Re:

[gweihir]

Indeed. The problem is far too many big-ego-small-skill people that then mess it up. We need to stop half-assing it with incompetent people. Personal liability of the CEO when something as abysmally stupid as stored plain-text passwords happens is a good idea.

Use Argon 2, require some minimal password complexity and comparison against known compromised passwords and make sure people understand why re-using passwords is a bad idea. Use 2FA where higher security levels are needed. And, for fuck's sake, stop t

Re:Current security procedures

[La Gris]

As is often the case, reality is much more complex than "the competence level for most admins and developers".

Websites are run with increasingly complex software with many 3rd-party plugins for this or that, from payment to layout and cosmetics or specific use case. Merchants have limited budget to invest into software. So companies developing and maintaining all these website engines, plugins and making it work together are on limited budget as well.

Pressure to deliver seemingly working stuffs ASAP to fit on budget and timelines always override the security consideration in all consciousness and awareness. And even there exists fixes and patches for vulnerabilities, then the multiplicity of 3rd-party actors in development makes it a nightmare to upgrade. Some security related fixes are practically impossible to install, because it requires version changes with API changes and it breaks some important 3rd-party plugins. Upgrading a shop website often means a full overall that is much less costly than evaluation and testing of all the upgrade path; and fixing the stuffs that inevitably broke in the process. Redoing a website with a all new version with all the latest security improvement and all the new to be discovered pitfalls also has a cost.

All of this makes a bottom-up approach to software security really impracticable.

All you can do on budget and time-frame, is apply top-down security workarounds. Wrapping stuffs in virtual hosts, proxy stuffs as much as possible. Use filters to catch the most obvious weaknesses of the underlying software mess.

Re:

[bug_hunter]

I think the biggest win here is the increase in password managers.
Most browsers do it as standard, MacOS has one built in and I'm unsure about other OSs but pretty sure they do.

So at least now the more sites get hacked, hopefully the username/password combo only exists for that single site.

Granted I'm talking about how end-users can reduce their own pain, and not how sites can stop being hacked all the damn time.

Re:

[bug_hunter]

Password managers mean you use different passwords for different sites, so when you login of joe@joe.com p@sswrd gets hacked for comicsfuntimes.com then the damage to you is only that site.

Re:

[gweihir]

Actually, currently known security procedures work well. The problem is that there are too many incompetent coders, system administrators and "managers" in the IT space. For example, if you implement passwords right, they cannot even be stolen that easily. These credential lists are not from people that invested several CPU hours to crack each password. They are mainly from systems so abysmally badly secured that passwords were stored in clear.

No. What we need is not new procedures. What we need is to get r

Re:

[La Gris]

No. What we need is not new procedures. What we need is to get rid of all those incompetents not knowing or using the state-of-the-art.

Those "incompetents not knowing or using the state-of-the-art" are just rhetorical.

As you said:

security procedures work well

they work well in an ideal and theoretical perfect world.

Nobody is willing to pay the price of "perfect" security built-in from the ground-up.

Lets take as an example banking and credit cards.
Banks are known to have the stricter and most conservative rules about security.
But payment cards gets compromised anyway.

MasterCard, Visa all offload the cost of fraud to merchants, and merchants offload it to You an Me if we

Re:

[gweihir]

I am not talking about "perfect" security at all, nor is any of what I talk about "theoretical". And no, those incompetents are in no way theoretical either. I run into them all the time. The argument that we do not want or need "perfect" security is often heard from people without a clue though. What I am talking about is reasonable security that actually uses currently known approaches that work in practice.

Well, I guess passwords stored in clear need to explicitly be made gross negligence by default and

Re:

[Junta]

In theory passwords can be managed securely.

In practice, a lot mess up and there's not a good way to know/enforce proper procedures in practice.

So to the extent passwords will continue to matter, users have to mitigate with things like KeepassXC stored/generated passwords.

Web interface owners need to be pushed to things like webauthn, to enable passwordless authentication using multiple keys.

Re:

[gweihir]

In practice, passwords can be managed securely. It is not hard. There are libraries for all major languages. All it takes is some knowledge on how to do it and some minimal will to do it right. In a number of student projects (web application) I was involved with, where students were required to implement the state-of-the-art for password handling, they said it took them 1-2 hours to do it.

All alternatives are much _harder_ to implement. Not doing the easy thing right first would be extremely stupid.

Re:

[Junta]

When the users can be phished, there's relatively little the server side can do to handle it. As a user, there's no way to tell if the site you are dealing with avails themselves of the right tools.

Alternatives are not that hard to implement. Webauthn is pretty easy, and you simply cannot mess up the storage of the public keys that are registered. Phishing attacks are defeated. Man in the middle through phishing is squashed by the domain mismatch in webauthn that the human would miss. You can support m

Re:

[gweihir]

We are stuck with passwords for the time being. Anything else is fantasy.

correcthorsebatterystaple

[thesjaakspoiler]

it still works for me.
https://xkcd.com/936/ [xkcd.com]

Re:correcthorsebatterystaple

[ZiggyZiggyZig]

You would never guess my password because it is actually converted to **** when I type it on my computer: hunter2

See?

Re:

[Opportunist]

The entropy isn't higher as soon as people realize you're using words rather than a random string of characters. Actually, considering that most people don't use a large enough vocabulary, it's usually way lower.

Just like there are "common" passwords that are being used over and over by a bunch of people (like the proverbial "12345" and various sports club or celebrity names), certain words are more commonly used in these 4-word-passwords.

Re:

[Anonymouse Cowtard]

Even if you were to take the 1,000 most commonly used words and treat each one as a character and brute away - you're using 1,000 characters, not 26+26+10+special characters which is many, many, many orders of magnitude more combinations.

The horsebattery is the best approach for memorizing passwords. The only thing better is a password generator/manager.

Re:

[Opportunist]

That's the thing: You can't really use the 1000 most commonly used English words. At least if you plan to create a good password. Taking a look at such a list [1000mostcommonwords.com], let's take a brief glance at the first 20 entries:

as, I, his, that, he, was, for, on, are, with, they, be, at, one, have, this, from, by, hot, word

Notice the problem? If not, here's a hint:

Shortest word: 1 letter.
Longest word: 4 letters.
Average word: ~3 letters.

It doesn't improve much from there onwards.

So, essentially, what you get is a 12 lower cas

Re:

[Voyager529]

Average word: ~3 letters.

It doesn't improve much from there onwards.

So, essentially, what you get is a 12 lower case character password. On average.

Number + Verb + Adjective + Noun, excl. articles, with a separator.

747;Fly;Green;Fences

21 characters, all relatively common words. Is it perfect? no....but it's a damn sight better than most passwords users would end up picking.

Re:

[Opportunist]

And we're back at remembering it and pondering "what part of the word did I capitalize, and where do the numbers go?"

Re:

[Whibla]

The entropy isn't higher as soon as people realize you're using words rather than a random string of characters.

Hmm...

Mathematically it almost certainly is, although you're quite correct when you say that common 'tendencies' reduce the effectiveness of the system. Unfortunately these tendencies probably reduce the effectiveness of any system for generating passwords, so I'd still question the correctness of the statement above.

[Assumptions: 8 character password, using 75 symbols = ~1 x 10^15 combinations; 4 word password using vocabulary of 40,000 words = ~2 x 10^18 combinations.]

Actually, considering that most people don't use a large enough vocabulary, it's usually way lower.

Yeah, I agree, most people don't have

Re:

[Opportunist]

The key problem is that it isn't 40,000 words they use. The much worse problem is that people tend to choose these words themselves so they can memorize them easily. It's like when people make up their "random" passwords instead of having a password generator create them. You will get a lot of passwords that either have the number as the first or last character (and yes, the number, as in singular, because the password requirement is "one of each character group"), you get celebrity names, maybe with a few

Re:

[micheas]

Go to have I been pwned [haveibeenpwned.com] and enter correcthorsebatterystaple and be prepare to be disappointed in peoples understanding that one should not use a password published in public in reasonably widely read comic.

Credential generator script

[flyingfsck]

It sounds like someone figured it is easier to generate and sell fake credentials.

24.6 billion pairs of /dev/random

[Mozai]

I signed up for one of those "notify when your creds appear in the black markets," and I stopped paying attention because they'd report literally hundreds of breaches... with wrong information. One of my email addresses, 800+ passwords that I've never used, and this goes on for dozens of email addresses. The spam I get that attempts to prove they can blackmail me use passwords I recognize from these lists, so I know people are paying money for these lies. Is it any wonder the thieves are selling each oth

Yeah but...

[slashdot_commentator]

...how many of those data items are still valid?