"Compromised passwords", the iPhone and Chrome alert: that's why it's better to change them - Cyber Security 360
In recent days, iPhone and Chrome users have been receiving security alerts suggesting they change passwords that appear to be compromised: criminal hackers are now exploiting the stolen credentials collected in the RockYou2021 archive available online. Let's be careful.
06 Jul 2021 - Paolo Tarsitano, Editor, Cybersecurity360.it

Security alerts on iPhone and Chrome have been increasing in recent days, suggesting users change passwords that appear to have been compromised in recent massive data breaches.
Let's not underestimate the alarm: the risk that someone will be able to access our accounts and steal our identity is very real.
Compromised passwords: why iPhone and Chrome ask us to change them
In particular, users are receiving numerous notifications on their iPhone or in the Chrome browser, generated by the password monitoring features built into recent versions of iOS and Chrome.
If the feature is enabled, the password monitor continuously looks for matches between the user's saved passwords and those that have leaked online, and alerts the user when it finds one. The check is designed so that the full password (or its full hash) never leaves the device.
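How such a leak check can work without disclosing the password to the checking service, as an added example that is not code from Apple, Google or the article. It follows the SHA-1 prefix "range query" scheme used by the public Pwned Passwords service: the client hashes the password, sends only the first 5 hex characters, receives every leaked hash suffix under that prefix and matches the rest locally. The leaked list, the index and the server endpoint are all simulated in-process with constructed data (iOS and Chrome use their own, different privacy-preserving protocols for the same purpose).

```python
import hashlib

# Constructed stand-in for a leaked-password corpus (a handful of entries, not the real
# RockYou2021 list). "password" appears twice to show that counts survive the lookup.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "rockyou", "abc123", "password"]

def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup key for the range query, never to store passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Server-side index: 5-hex-char prefix -> {35-char suffix: times seen in the leak}."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index

LEAK_INDEX = build_index(LEAKED_PASSWORDS)
SERVER_LOG = []   # everything the simulated server ever receives from clients: prefixes only

def range_query(prefix: str) -> dict:
    """Simulated server endpoint: returns every suffix under the prefix with its count.
    It never receives the full hash, so it cannot tell which password the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_LOG.append(prefix)
    return dict(LEAK_INDEX.get(prefix, {}))

def times_seen(password: str) -> int:
    """Client side: send only the first 5 hex chars of the hash, match the remaining 35 locally."""
    h = sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)

def is_compromised(password: str) -> bool:
    return times_seen(password) > 0

if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(f"{pw!r}: seen {times_seen(pw)} time(s) in the leak")
    print("server only ever saw prefixes:", SERVER_LOG)
```

With a real corpus of billions of hashes, each 5-character prefix bucket holds hundreds of suffixes, so the server learns only that the client's password hashes into one of those buckets; that is the k-anonymity property the scheme relies on.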
RockYou 2021: the largest archive of stolen passwords
The origin of so many compromised passwords dates back to early June, when what is quite possibly the largest online archive of stolen passwords was posted on a popular underground forum. It has been named RockYou2021 (to distinguish it from the original RockYou leak of 2009): a 100 GB text file containing 8.4 billion passwords (to be exact, 8,459,060,239 unique entries) allegedly collected from old account breaches and merged into a single list.
According to the author of the forum post, the passwords in RockYou2021 are 6 to 20 characters long, with non-ASCII characters and whitespace removed.
Cybernews security researchers have also verified that the 3.2 billion passwords of the Compilation of Many Breaches (COMB) are included in RockYou2021, and probably so are the 32 million passwords of the original RockYou archive, stolen in 2009 from the servers of a well-known social app where they had been stored unencrypted.
Why it is important to change compromised passwords immediately
In light of the above, we must not underestimate, or worse ignore, the alert messages shown by the iPhone or Chrome (recent versions of Firefox also integrate this kind of check through Lockwise, which continuously looks for matches between saved passwords and those published on hacking forums).
The problem is made worse if the same password is reused across different accounts. With credential stuffing (replaying leaked username and password pairs against other services) or password spraying (trying a few commonly used passwords against a large number of accounts), criminal hackers could theoretically gain access to billions of online accounts.
Considering that around 4.7 billion people are online worldwide, it is easy to assume that the RockYou2021 archive potentially includes passwords of the entire global online population. For this reason, users are advised to check immediately whether their passwords appear in the leak.
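What credential stuffing and password spraying look like from the defender's side, as an added example that is not part of the article: both produce many failed logins against many distinct accounts from one source, with very few attempts per account (unlike brute force, which hammers one account). The detection below runs over constructed, syslog-like authentication lines (invented for this example; the format `auth OK|FAIL user=... src=...` is an assumption) and flags any source that fails against five or more accounts within ten minutes, listing the accounts it then logged into successfully, which is the account-takeover signal worth acting on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (invented for this example, not from any real system).
# 203.0.113.7 tries six different usernames once each, then logs in as one of them.
# 198.51.100.2 is a legitimate user who mistypes twice and then succeeds.
SAMPLE_LOG = """\
2021-07-06T10:00:01Z auth FAIL user=alice src=203.0.113.7
2021-07-06T10:00:03Z auth FAIL user=bob src=203.0.113.7
2021-07-06T10:00:05Z auth FAIL user=carol src=203.0.113.7
2021-07-06T10:00:07Z auth FAIL user=dave src=203.0.113.7
2021-07-06T10:00:09Z auth FAIL user=erin src=203.0.113.7
2021-07-06T10:00:11Z auth FAIL user=frank src=203.0.113.7
2021-07-06T10:00:13Z auth OK user=erin src=203.0.113.7
2021-07-06T10:01:00Z auth FAIL user=alice src=198.51.100.2
2021-07-06T10:01:05Z auth FAIL user=alice src=198.51.100.2
2021-07-06T10:01:20Z auth OK user=alice src=198.51.100.2
malformed line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Turn log lines into (timestamp, result, user, src) tuples; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_many_user_failures(events, window=timedelta(minutes=10), min_users=5):
    """Flag any source that fails against >= min_users distinct accounts inside one window.
    A low per-user attempt count is what separates spraying/stuffing from single-account
    brute force; a success from the same source after the burst is the takeover signal."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "FAIL"]
        for start, _, _, _ in fails:
            in_window = [e for e in fails if start <= e[0] <= start + window]
            users = {e[2] for e in in_window}
            if len(users) < min_users:
                continue
            per_user = max(sum(1 for e in in_window if e[2] == u) for u in users)
            taken_over = sorted({e[2] for e in evs
                                 if e[1] == "OK" and e[0] >= start and e[2] in users})
            alerts.append({
                "src": src,
                "pattern": "password_spraying_or_credential_stuffing",
                "window_start": start.isoformat(),
                "distinct_users": len(users),
                "max_attempts_per_user": per_user,
                "successes_after_failures": taken_over,
            })
            break   # one alert per source; later windows would repeat the same finding
    return alerts

if __name__ == "__main__":
    for alert in detect_many_user_failures(parse_log(SAMPLE_LOG)):
        print(alert)
```

The log alone cannot say whether one password was sprayed or leaked pairs were replayed, so the alert names both; real campaigns also spread across many source addresses, which is why the same logic is usually applied per username and per network range as well as per IP.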
Basic rules for creating secure passwords
Regardless of whether or not your password appears among the compromised ones in the RockYou2021 archive, it is always good practice to apply the basic rules for creating a secure password and protecting it from any type of attack:
- first of all, the password must be unique to each account, at least 12 characters long, mixing uppercase and lowercase letters, numbers and special characters, and it should not contain names or common words that can easily be found in one of the many dictionaries criminal hackers use for brute-force attacks;
- furthermore, avoid repeated or sequential runs of characters such as 12345678, 2222233333 or abcdefg;
- avoid common words spelled backwards: they too are easily identified with a common password dictionary, since cracking tools apply reversal rules to every word;
- likewise, avoid abbreviations of names or common words;
- also avoid passwords containing personal information or information about family members, such as names, birth dates, nicknames or pet names, which a criminal hacker could easily find in social media posts;
- finally, avoid creating a password by replacing letters with symbols, such as "a" with "@", "e" with "&" or "3", "s" with "$": these substitutions are standard rules in cracking tools and add almost no strength.
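The rules above turned into a checker, as an added example that is not part of the article. It tests length, character classes, repeated or sequential runs, dictionary words (as typed, reversed, and with the common symbol substitutions undone, which is exactly why those substitutions do not help) and personal information supplied by the caller. The word list and substitution table are small constructed stand-ins for the far larger ones attackers use; uniqueness across accounts cannot be judged from a single password and is left to a password manager.

```python
import re

# Constructed mini dictionary standing in for the word lists used by cracking tools (not a real list).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football", "qwerty"}

# Common letter-to-symbol substitutions, reversed so that "P@$$w0rd" normalises back to "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "&": "e", "$": "s", "5": "s",
                          "0": "o", "1": "i", "!": "i", "7": "t"})

def has_run(password, n=4):
    """True if any n adjacent characters are identical (2222), ascending (abcd, 1234) or descending (4321)."""
    s = password.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False

def contains_word(password, words, min_len=4):
    """Look for words as typed, spelled backwards, and with symbol substitutions undone."""
    s = password.lower()
    variants = {s, s[::-1], s.translate(LEET_MAP), s[::-1].translate(LEET_MAP)}
    return any(w in v for w in words if len(w) >= min_len for v in variants)

def check_password(password, personal_info=()):
    """Return the list of rules the password breaks (empty list = passes every check here)."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not all(re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    if has_run(password):
        problems.append("contains a repeated or sequential run")
    if contains_word(password, COMMON_WORDS):
        problems.append("contains a dictionary word (also checked reversed and with symbols undone)")
    # Names, dates and pet names are short, so use a lower length floor for personal data.
    if contains_word(password, {p.lower() for p in personal_info}, min_len=3):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    candidates = ["P@$$w0rd2021!", "drowssaP!2021xyz", "Tr0ub4dor&3", "Fido-1990-Rocks!!", "Vx9#kQm2!pLz7Wd"]
    for pw in candidates:
        print(f"{pw!r}: {check_password(pw, personal_info=['Fido', '1990']) or 'OK'}")
```

Note that "P@$$w0rd2021!" satisfies the length and character-class rules and still fails, because undoing the substitutions exposes the dictionary word; a checker that only counts character classes would have accepted it.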