1.2 Billion User Names and Passwords For Sale

Is it time to change your password?  Now that security researcher Alex Holden, of Hold Security in Milwaukee, has uncovered a huge trove of stolen user credentials on the Dark Net, you might as well assume that yours are in this mammoth collection.

Alex Holden was born in Ukraine, and his current surname is not the one he was given at birth.  He discovered that Russian cyber-criminals had gathered 542 million email addresses and 1.2 billion unique email and password combinations.  Most of these records were already in plaintext (decrypted or cracked) and up for sale on the Internet underground.

Holden’s story is fascinating.  His parents were refugees from the disaster at Chernobyl, and his family bounced around from Moldova to Italy, finally landing in Wisconsin. Since starting his cybersecurity business, he has amassed dossiers on over 6500 cyber-criminals and tracked down all sorts of pilfered data for his clients.  If you are interested in reading more about him, there is a great article in Popular Mechanics.

Back to the issue at hand.  It is a reasonable assumption that your passwords have been exposed in this treasure trove, so you ought to do yourself a favor and replace your passwords before they get used against you by the bad guys.  Keep in mind that most of these records were already in plaintext, so the criminals do not even need to crack them; they only need to try them on every other site where you reused the same password.  Here is what I recommend: create passwords that are at least 10 characters long.  15 characters is even better.  The reason for going longer is that password cracking is done offline against stolen password hashes, on powerful high-speed machines with GPUs or on large botnets of PCs, which can try billions of guesses per second against a fast hash such as MD5 or NTLM.  Every character you add multiplies the number of possible passwords by the size of the character set (95 for printable ASCII), so once you get over 12 characters the length of time necessary to exhaust the search space by brute force becomes very long: decades, or even centuries.  Under ten characters the time is trivial: days, weeks, or maybe a month.  The exact figures depend on which hash algorithm the site used and on the attacker's hardware, but the way the time grows with length does not.

A password that would be very resistant to cracking would be 12-15 characters long, made up of upper and lower case letters, numbers, and symbols.  Once you think you have a good one, go to Passfault and test it out; it estimates how long a password of that pattern would take to crack.  Test a password with the same pattern rather than the exact one you intend to use, since a live password should never be typed into a third-party site.  Then update your accounts.  Resist the urge to use the same password on multiple sites: a password exposed in one breach will be tried against every other site where it might work.  Use especially long and difficult passwords on financial accounts and shopping sites.
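To make the length arithmetic from the two paragraphs above concrete, here is a small Python script that sizes the search space for a candidate password (character set to the power of length), converts it to worst-case cracking time at a few assumed guess rates, and runs a tiny exhaustive search against a SHA-256 digest to show the mechanics.  This is an added example, not code from the original post, from Hold Security or from Passfault; the guess rates in GUESS_RATES and the sample passwords are assumptions chosen for illustration.

```python
"""Estimate how brute-force search cost grows with password length.

Added example for illustration; not code from the original post, Hold
Security or Passfault.  Guess rates and sample passwords are assumptions.
"""
import hashlib
import itertools
import string

# Character classes used to size the search alphabet (assumption: an attacker
# who sees a mix of classes must search the union of those classes).
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

# Assumed guesses per second for three attacker positions (illustrative only).
GUESS_RATES = {
    "online login form, rate limited": 1e2,
    "offline, slow hash (bcrypt)": 1e4,
    "offline, fast hash on a GPU rig (MD5/NTLM)": 1e10,
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover to include every character."""
    size = 0
    covered = set()
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
            covered.update(chars)
    # anything outside the four classes (space, non-ASCII) adds one symbol each
    return size + len({c for c in password if c not in covered})


def keyspace(charset_len: int, length: int) -> int:
    """Number of candidates of exactly this length: charset_len ** length."""
    return charset_len ** length


def seconds_to_exhaust(space: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def crack_seconds(password: str, rate: float) -> float:
    """Worst-case seconds to brute-force `password` at `rate` guesses/second."""
    return seconds_to_exhaust(keyspace(charset_size(password), len(password)), rate)


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a string; stands in for whatever hash a site stored."""
    return hashlib.sha256(text.encode()).hexdigest()


def brute_force(target_hex: str, alphabet: str, max_len: int):
    """Exhaustive search of alphabet^1 .. alphabet^max_len against a digest.

    Returns (password, guesses) or (None, guesses).  Deliberately tiny: it
    shows the mechanics behind the numbers above, not a real cracking tool.
    """
    guesses = 0
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guesses += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # Sample passwords are constructed for the demo; length dominates the result.
    for pw in ("hunter2", "Tr0ub4dor&3", "correct horse battery staple",
               "X7$kq9!mLp2#Wz"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, length {len(pw)}")
        for who, rate in GUESS_RATES.items():
            print(f"   {who:42s} {human(crack_seconds(pw, rate))}")
    # A three-letter lowercase password falls in a few thousand guesses.
    print(brute_force(sha256_hex("dog"), CLASSES["lower"], 3))
```

Running it shows why the post favors length over a clever symbol mix: an 8-character password drawn from all 95 printable characters is exhausted in about a week at the assumed 10 billion guesses per second, while adding four more characters of the same kind pushes the same search past a million years.  A slow, salted hash such as bcrypt buys the user several orders of magnitude, but the site chooses the hash, and the user only controls length.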

More Information:

Popular Mechanics


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
