Most passwords are cracked in less than an hour, and many in just one minute

“Humans are very vulnerable.” That’s according to Yuliya Novikova, head of Fingerprint Intelligence at the cybersecurity company Kaspersky. She made the comment after an exhaustive study of 193 million passwords found that only two out of 10 are secure. Most are cracked in an hour, and many of them in just a minute. And cracking them costs very little. Dark web and Telegram channels — where cybercrime weapons are sold — offer “all-inclusive” packages for just €80 ($85) a week. These packages include programs, cloud servers and the data of potential victims.

“Our data is like our home. Would you leave it open for anyone to enter?” asks Lilian Balatsou, an expert in artificial intelligence linguistics and a doctor in Cognitive Neuroscience from Bangor University, during a meeting of the cybersecurity firm in Athens. After the Kaspersky’s study, it would appear that we do: according to the research, we leave the door open half of the time.

Novikova explains that 40% of cyberattacks (a third of which are followed by kidnapping and extortion) begin with a compromised account. In this way, these holders of house keys misuse them and leave the locks unlocked or allow them to be copied, more than once in 21% of cases. “Human error is the main cause of incidents,” warns Novikova, who points out that 10 million systems were infected last year, 32% more than at the beginning of the decade.

According to Kaspersky data, 45% of passwords are compromised in less than a minute, 14% in less than an hour and another 14% after more than a day or less than a month. In other words, only a little more than two out of every 10 access keys to critical systems are secure.

The rest use names, common words or dictionary terms that, even if altered by numbers or signs that replace letters, are easily vulnerable. What’s more, hackers aren’t wasting their time trying to decrypt passwords. “Cybercriminals are very creative, but also lazy,” says Novikova, pointing out that the cyberattack weapons sales channels offer — for €80 ($85) a week — subscription packages that include not only the databases of vulnerable victims, but also the programs and servers to run them without the hacker’s own infrastructure. These systems are capable of violating even multifactor authentication protocols, which only allow user access, when they provide two or more different proofs of identity.

Solutions

Marco Preuss, deputy director of the Global Research and Analysis Team (GReAT) and head of the Kaspersky Europe Research Center, is even wary of biometric identification systems, which he believes also involve the use of personal information.

The experts who participated in the meeting in Athens support instead the use of password managers, programs that can safely store unique users and access codes and even generate strong ones for each use.

Other effective tactics include: using a different password for each service so that, in the event of theft, only one account is compromised, using unusual words or mixing them up, checking the strength of your password using online services, avoiding passwords that contain personal data that hackers may have access to (such as personal names and dates that are accessible through social media) and enabling two-factor authentication (2FA).

Rafael Conde del Pozo, director of innovation at Softtek, point to one other risk factor: cell phones. As he explains, “mobile devices have become extensions of ourselves and require comprehensive protection against emerging vulnerabilities.”

For this reason, he suggests activating advanced biometric authentication systems, popularly used in cell phone payments; behavioral biometrics, which analyze patterns that do not match the user; and artificial intelligence authentication systems, which identify anomalies, encrypt data and restrict access.

Regarding cell phone vulnerabilities, Check Point’s Threat Intelligence division has identified multiple campaigns that take advantage of Rafel RAT, an open source tool for Android devices that was developed for phishing campaigns via messages and conversations that trick users into installing malicious applications hidden under a false name and icon. These apps request extensive permissions, display legitimate web pages or imitate them, and then secretly crawl the device to leak data.

Security measures involve all types of programs, including social media applications. Check Point, after detecting illegal access through direct messages on TikTok, recommends setting strong passwords, setting up two-factor authentication through the network’s security page to enable the “sign in with verification” feature, and reporting any unusual activity. A TikTok vulnerability recently affected media and celebrity accounts.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition