A cybercrime report from security firm ThreatMetrix’s reports that botnet attacks have evolved from just being large volume distributed denial of service (DDoS) or spam attacks, to low-and-slow bots, designed to evade rate and security control measures and mimic trusted customer behavior and login patterns.

For people who use the same password for multiple different sites this means this just got worse as content houses like Netflix, Spotify, and others may serve as initial targets because they harbour so many accounts and impose “modest sign up requirements”. These can be easily be breached and thanks to user password sharing across sites key credentials are laid bare.

People who have one password for multiple accounts are unwittingly fuelling a spike in current account fraud, security experts are warning. There is a new wave of personal ID fraud, which has led to twice as many bank account applications by fraudsters who have accessed a catalogue of stolen information.

 

Software architect and Microsoft MVP Troy Hunt performed an independent data analysis of the leaked passwords from the Sony hacks and compared it with another data set that was made available after Gawker’s commenting database was hacked in December 2010.

One of the most shocking things he found is that 88% people had both a Gawker and Sony account with the same email address, and 67% of them used the same password. It’s a small sample size, but an interesting figure nonetheless. Also a Security Week study last year reported that 75 percent of people use the same password for Facebook and an email account.

What’s more, when Hunt looked through the Sony files, he found that among users who had two Sony accounts (e.g., Sony Playstation and SonyPictures) with the same email address, 92 percent used the same password for both.

Change your Ways

For password the longer the better. Turn four words into a ‘pass phrase’ of 15 characters or above. These are much harder to crack than eight or nine-character long passwords, which can be cracked by ‘brute force’ methods.

If you can’t remember your password, get a password manager like One Pass or Last to generate long, random passwords for you, and back up, enabling two-factor verification where possible. Also try using apps like Authy, which couple the device to the password for the service you are trying to access, by using an additional six-digit code.

Finally check online whether your email accounts have been compromised in any data incidents using resources such as haveIbeenpwned? (https://haveibeenpwned.com).