Human nature being what it is, people reuse passwords, at least on personal accounts that nobody forces them to rotate every quarter. How much can a password or passphrase you last used in 2012 affect your security today?

Surprisingly, quite a lot.

When a site is breached, the attacker walks away with its user table: usernames paired with password hashes, or with plaintext passwords if the site never hashed them at all. Weak or unsalted hashes get cracked offline, and the recovered username/password pairs are compiled into large dictionaries that circulate among attackers. Many sites use your email address as your username, and email addresses rarely change. So the attacker now holds your email address and a password you once chose.

Password hashing has improved over the years, and your bank almost certainly hashes your password with a stronger algorithm than the MySpace data that surfaced in 2016 or the 2012 Dropbox breach used. That does not help here. The attacker already holds the plaintext password in the compiled dictionary and simply submits the email/password pair to the login form. There is no hash to break; the login page verifies whatever is typed in, exactly as it would for you.

This is credential stuffing. A small script tries each email/password pair against the sites the attacker suspects you use, at whatever rate the login endpoint tolerates. Or, less targeted, the attacker replays the whole dictionary against any popular site and keeps whichever pairs happen to work.
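The whole chain, from cracking an old unsalted dump to replaying the recovered pairs against a site with much stronger hashing, as an added example on constructed data (not code or data from the original post, and not from any real breach). The accounts, passwords, wordlist and the `ModernSite` class are all assumptions made for illustration:

```python
"""Credential stuffing end to end, on constructed data.

Nothing here comes from a real breach; every email, password and hash is
fabricated for the example.
"""
import hashlib
import hmac
import os


# --- The old site (a 2012-era forum, say) stored unsalted MD5 ---------------
def legacy_hash(password: str) -> str:
    """Unsalted, fast hash: one lookup table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed dump, as it would appear in a leaked user table: email -> hash.
OLD_SITE_DUMP = {
    "alice@example.com": legacy_hash("Summer2012!"),
    "bob@example.com": legacy_hash("bob-unique-old-pw"),
    "carol@example.com": legacy_hash("letmein"),
}

# Constructed attacker wordlist. Real ones hold billions of entries.
WORDLIST = ["password", "123456", "letmein", "Summer2012!", "qwerty"]


def crack_dump(dump: dict, wordlist: list) -> dict:
    """Recover plaintexts by hashing each wordlist entry once and matching.

    Because the hashes are unsalted, the table is computed once and reused
    against every record. The result is the attacker's email/password
    dictionary.
    """
    table = {legacy_hash(w): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


# --- A current site with salted PBKDF2-HMAC-SHA256 ------------------------
class ModernSite:
    """Stronger hashing protects this site's *own* dump if it ever leaks.

    It does nothing against a correct password submitted by a script: login
    must accept the right plaintext, whoever sends it.
    """

    ITERATIONS = 100_000  # illustrative work factor

    def __init__(self):
        self._users = {}  # email -> (salt, digest)

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, self.ITERATIONS
        )
        self._users[email] = (salt, digest)

    def login(self, email: str, password: str) -> bool:
        if email not in self._users:
            return False
        salt, digest = self._users[email]
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, self.ITERATIONS
        )
        return hmac.compare_digest(candidate, digest)


def credential_stuff(site: ModernSite, cracked: dict) -> list:
    """Replay every recovered (email, password) pair; no hash is ever broken."""
    return [email for email, pw in cracked.items() if site.login(email, pw)]


def build_bank() -> ModernSite:
    """Constructed target: two users reused their old password, one did not."""
    bank = ModernSite()
    bank.register("alice@example.com", "Summer2012!")               # reused
    bank.register("bob@example.com", "correct horse battery staple")  # unique
    bank.register("carol@example.com", "letmein")                    # reused
    return bank


def run_demo() -> tuple:
    """Crack the old dump, then stuff the bank; returns (cracked, compromised)."""
    cracked = crack_dump(OLD_SITE_DUMP, WORDLIST)
    return cracked, credential_stuff(build_bank(), cracked)


if __name__ == "__main__":
    cracked, hits = run_demo()
    print("recovered from old dump:", cracked)
    print("bank accounts opened by password reuse:", hits)
```

Bob's old password was never cracked, and his bank password is unique anyway, so he survives; Alice and Carol reused theirs and the stronger PBKDF2 storage on the bank side makes no difference to the outcome. A real stuffing run differs only in scale: the pairs are spread across proxies and paced to stay under the target's rate limits.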

[Screenshot (2020-04-22): World’s Biggest Data Breaches & Hacks, Information is Beautiful]

How Do You Foil This Passphrase Issue Going Forward?

One way is to never reuse a password. Some systems refuse a password you have used there before, but that password-history check covers only that one site, and only the passwords that site has seen.

If you reused that AOL password you found so easy to remember in 2008 and then forgot about, it may still be sitting in an attacker’s dictionary. And after a long online life, do you really remember which passwords you have used on every site and system?

NIST used to recommend (Read more...)