1.2 Billion User Names and Passwords For Sale

Is it time to change your password? Now that security researcher Alex Holden, of Hold Security in Milwaukee, has uncovered a huge trove of stolen user credentials on the Dark Net, you might as well assume that yours are in this mammoth collection.

Alex Holden was born in Ukraine, and his current surname is not the one he was given at birth. He discovered that Russian cyber-criminals had gathered 542 million email addresses and 1.2 billion unique email and password combinations. Most of these records were already decrypted and up for sale on the Internet underground.

Holden’s story is fascinating. His parents were refugees from the disaster at Chernobyl, and his family bounced around from Moldova to Italy, finally landing in Wisconsin. Since starting his cybersecurity business, he has amassed dossiers on over 6500 cyber-criminals and tracked down all sorts of pilfered data for his clients. If you are interested in reading more about him, there is a great article on Popular Mechanics.

Back to the issue at hand. It is a reasonable assumption that your passwords have been revealed in this treasure trove, so you ought to do yourself a favor and replace your passwords before they get used against you by the bad guys. Here is what I recommend: create passwords that are at least 10 characters long. 15 characters is even better. The reason for going longer is that password cracking is done by powerful high-speed computers or large botnets of PCs using massively parallel processing to try thousands of possible combinations in a second. Once you get over 12 characters, the length of time necessary to crack the password using brute force methods becomes very long: decades, or even centuries. Under ten characters the time is trivial: days, weeks, or maybe a month.

A password that would be very resistant to cracking would be 12-15 characters long, comprised of upper and lower case letters, numbers, and symbols.  Once you think you have a good one, go to Passfault and test it out.  Then update your accounts.  Resist the urge to use the same password on multiple sites.  Use especially long and difficult passwords on financial accounts and shopping sites.
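To make the length-versus-character-set reasoning above concrete, here is a small brute-force search-space estimator. It is an added example, not code from this post or from Hold Security. The guess rate it assumes is a constructed figure for illustration (an attacker running an offline attack against a fast hash), not a measurement of any real cracking setup, and the sample candidate passwords are constructed, not real credentials.

```python
"""Brute-force search-space estimator for password length and character classes.
Added example; not code from the post or from Hold Security. The guess rate is
an assumption chosen for illustration, not a measurement."""
import string

# Assumption (constructed): an offline attacker testing a fast hash on a GPU
# cluster or large botnet. Lower this to model slow hashes such as bcrypt.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

SYMBOLS = string.punctuation  # the 32 printable ASCII symbols


def charset_size(password: str) -> int:
    """Size of the pool an attacker must enumerate once they know which
    character classes appear: lower (26), upper (26), digits (10), symbols (32)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    return pool


def brute_force_years(length: int, pool: int,
                      rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time, in years, for an exhaustive search to reach the password.
    On average the attacker succeeds after trying half of the space."""
    return (pool ** length) / 2 / rate / SECONDS_PER_YEAR


def humanize(years: float) -> str:
    """Express a span in years using the kinds of units the post talks about."""
    seconds = years * SECONDS_PER_YEAR
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if years < 1:
        return f"{seconds / 86400:.0f} days"
    if years < 100:
        return f"{years:.0f} years"
    return f"{years:.2e} years"


def assess(password: str) -> dict:
    """Summarize a candidate's resistance to exhaustive search.
    Deliberate limitation: this models brute force only. Dictionary words,
    keyboard walks and reused credentials fall far faster, which is why the
    post also says not to reuse a password across sites."""
    pool = charset_size(password)
    years = brute_force_years(len(password), pool)
    return {"length": len(password), "pool": pool,
            "years": years, "human": humanize(years)}


if __name__ == "__main__":
    # Constructed sample candidates, from weak to the recommended shape.
    for candidate in ["sunshine", "Sunshine1", "Su9$hine!x", "Su9$hine!xQ7*k2"]:
        r = assess(candidate)
        print(f"{candidate:<18} len={r['length']:>2} pool={r['pool']:>2} "
              f"brute force ~ {r['human']}")
```

Running it shows the effect the post describes: each added character multiplies the search space by the pool size, so going from 10 to 15 characters over the full 94-character pool multiplies the work by 94 to the fifth power, while adding character classes at a fixed length helps by a much smaller factor. Treat the absolute numbers as illustrative; they scale directly with whatever guess rate you plug in.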

More Information:

Popular Mechanics


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
