Incognito — May 2023: It’s Time to Rethink Your Passwords
April 24, 2023
Welcome to the May 2023 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
Passwords. Most people use weak passwords. Here’s how to know if your passwords are secure, plus why it matters now more than ever (hint: AI).
Recommended reads, including “Android Apps Will Soon Have to Let Users Delete Data.”
Q&A: Is it better to use fake birth dates online?
If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter.
In 2004, Bill Gates predicted the end of passwords. Twenty years later, we’re still using them. Worse, in the two decades that passed, we don’t seem to have learned anything about password security.
It’s 2023. People’s Passwords Still Suck
Despite years of warnings about how weak credentials can lead to criminals compromising our accounts, people continue to use shockingly weak passwords.
Managing passwords is probably one of the most despised activities. But considering that about a third of internet users were victims of a data breach as a result of a weak password, it’s one that more people need to make time for.
5 Signs You Need to Change Your Passwords ASAP
If you’re guilty of any one of the below practices, change your credentials now.
You’re using the same password as everyone else
Some of the most popular passwords of 2022 include: “123456,” “password,” “qwerty,” and “guest.” All four take less than 10 seconds to crack; most take less than 1 second.
If your passwords are a bit more complex, don’t feel too smug just yet. Passwords influenced by current events (“tinder,” “Oscars,” “euphoria,” etc.) and passwords that are swear words or are based on sports/movies/food/cars/video games/artists (“tiffany,” “nike,” “Red Star Belgrade,” “joker,” “u2,” “arma,” “kia,” “fish,” and “poke”) are just as easy to crack, because they sit in the same wordlists attackers try first.
Check out NordPass’s list of most common passwords, and make sure none of your accounts are “secured” with them.
You’re reusing the same password across multiple accounts
The average American has around 100 passwords. Unless you have a password manager (and many people do not—about 1 in 2 people use their memories to manage their passwords), remembering them all is quite literally impossible.
Is it so surprising, then, that most people reuse one or two passwords across multiple accounts? Unfortunately, this does mean that if one account is compromised, all other accounts that use the same password are at risk too.
By the way, using a variation of a password (for example, adding a number or punctuation at the end of it) isn’t good enough, either.
You use personal information for your password
You probably know this already, but given that 59% of people still use names and birthdays in their passwords (including business leaders), we have to say it again: passwords based on personal information are not safe.
Cybercriminals can easily guess your spouse’s name or birth date from information available on social media accounts, data brokers, and other online sources.
You’ve shared your passwords with others
Even if it’s someone you trust, password sharing can put you at risk of account compromise, financial fraud, and identity theft. This can happen inadvertently, for example, via phishing schemes (are you sure your partner wouldn’t click on a malicious link?) and malware.
Your passwords are not chaotic enough
If your passwords don’t use a variety of characters and cases, they aren’t complex enough. More complexity increases entropy (i.e., unpredictability), which makes it less likely that your passwords will be brute-forced. In a Cybernews report, just 1% of observed passwords had enough entropy.
Your passwords are too short
The shorter your passwords, the more vulnerable your accounts are.
According to a recent survey, even an 8-character password with lowercase and uppercase letters, numbers, and symbols could be cracked in around 8 hours. Meanwhile, a password of similar complexity but 18 characters or longer would take up to 438 trillion years on average to crack, because every added character multiplies the number of guesses an attacker has to make.
One way to craft a longer password is to use a passphrase, i.e., combine several unrelated words into a password of at least 15 characters.
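To make the entropy and length arguments above concrete, here is a small Python checker written for this issue (not DeleteMe’s code) that flags the five signs just described: common passwords, reuse (including the “add a digit at the end” variant), personal information, low entropy, and short length. The common-password set, the 80-bit entropy threshold and the 10 billion guesses-per-second rate are constructed assumptions; the point is the ratio between the 8-character and 18-character crack times, not the absolute figures.

```python
import math
import re

# Constructed stand-in for a "most common passwords" list (the page cites NordPass's).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "guest", "tinder", "joker", "fish"}

# Character classes and the alphabet size each one contributes to a brute-force estimate.
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII symbols, space included
]

def entropy_bits(password: str) -> float:
    """Brute-force entropy estimate: length * log2(size of the alphabet actually used)."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Average time to exhaust half the keyspace at an assumed guess rate (assumption: 1e10/s)."""
    return (2 ** bits / 2) / guesses_per_second

def _base(password: str) -> str:
    """Strip trailing digits/punctuation so 'Summer2022!' and 'Summer2023' count as the same password."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def password_warnings(password: str, personal_info=(), other_passwords=()) -> list:
    """Return the list of 'signs you need to change your password' that apply."""
    warnings = []
    low = password.lower()
    if low in COMMON_PASSWORDS:
        warnings.append("common")
    if len(password) < 18:
        warnings.append("short")
    if entropy_bits(password) < 80:  # assumed threshold
        warnings.append("low-entropy")
    if any(info and info.lower() in low for info in personal_info):
        warnings.append("personal-info")
    base = _base(password)
    if base and any(base == _base(p) for p in other_passwords):
        warnings.append("reused")
    return warnings

if __name__ == "__main__":
    for pw in ("123456", "Xq7$Lm2!", "Xq7$Lm2!Qz9@Wd4&Rt"):
        bits = entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, ~{crack_time_seconds(bits):.3g} s, {password_warnings(pw)}")
```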
Oh No, AI Has Entered the Chat
Add AI into the mix, and things do not bode well for our account security at all.
For example, in a recent experiment by a cybersecurity company, an AI-driven password cracker called PassGAN could crack more than half of the most common passwords in less than a minute and any 7-character password (even containing symbols) in under six minutes.
What makes PassGAN so concerning is that it doesn’t rely on hand-written cracking rules. Instead, it learns the patterns people actually use by analyzing real passwords from actual leaks.
You can see how long it would take for AI to crack your password here.
Cybercriminals can also use AI to guess passwords based on personal information. For instance, bad actors can train ChatGPT to crack passwords and then give the algorithm information about their target, like their name and date of birth, to get a list of possible passwords based on that data.
Password Best Practices: A Quick Summary
To keep your passwords safe, you should:
Make your passwords at least 18 characters long where possible.
Keep them unique and embrace chaos (multiple unrelated words, lowercase and uppercase letters, symbols, and numbers).
Do not share them with anyone else.
Don’t base your passwords on personal information (and remove your name from data brokers).
Enable multi-factor authentication.
New Privacy-Focused Browser Released
The Tor Project and Mullvad VPN teamed up to release a privacy-focused web browser called Mullvad Browser. The browser masks users’ metadata, making it harder for websites to fingerprint them. It also blocks third-party cookies and trackers, further improving user data privacy. For more anonymity (for example, to hide their IP address), users are encouraged to use Mullvad Browser with a trustworthy VPN.
Android Apps Will Soon Have to Let Users Delete Data
From 2024 onward, Google will require all Android apps that allow account creation to also let users delete their accounts and data. Android users will be able to do this directly from the apps themselves or the web. App developers will only be able to retain data for specific compliance or security purposes and will need to start providing information about data deletion from December of this year.
Use a Chromium-Based Browser? Beware Crypto-Stealing Malware
Security researchers identified a new malware that targets Chromium-based browsers like Google Chrome, Brave, Opera, and Microsoft Edge. The malware, dubbed Rilide, looks like a legitimate Google Drive extension and can monitor victims’ browser activity and take screenshots. It can also inject malicious scripts, which can defeat 2FA and even delete automated alerts from inboxes if they’re accessed from the same browser.
Dark Web Market Emerges, Offers Financial Fraud Services
A new dark web marketplace called STYX opened in January of this year, specializing in money laundering and financial fraud. Available services include victim reconnaissance “lookups,” stolen financial data, and forged documents. The emergence of the STYX marketplace comes at a time when threat actors are increasingly offering money laundering services that exploit cryptocurrency accounts.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: Is it better to use fake birth dates online?
A: That depends on the site.
For some accounts, you might need to share your ID; in this case, you’ll also want to use your real date of birth.
However, nine times out of ten, you can and should use a fake date of birth. The reason is that your birth date is an important data point: birth dates are often used to verify identities.
If someone knows your date of birth along with your other personal information, like your name, address, and Social Security number, they could pretend to be you.
Using a fake date of birth online also helps you maintain privacy. For example, if you have a common name and someone is searching for you on a people search site, they will get quite a few results. However, if they know additional information about you, like when you were born, they can quickly narrow the list down.
If you’re going to use a fake birth date, write it down or store it in a password manager in case you need to confirm it later.
Q: Now that scammers can write emails with AI, is it going to become impossible to spot them?
A: Great question.
Artificial intelligence (AI) tools can certainly make scam and phishing emails harder to spot. This is mainly because they remove grammatical and spelling errors, as well as poor word choice (for example, threat actors can train AI tools on emails from legitimate companies).
In the past, obvious mistakes like these were one of the biggest giveaways that an email was fraudulent.
However, there are plenty of other red flags you can look out for when determining if an email is legitimate or not:
Public email domains, like gmail.com. Legitimate organizations tend to have their own email domains.
Misspelt domain names, for example, @paypel.com instead of paypal.com.
Suspicious attachments or links, especially unexpected ones.
Sense of urgency, i.e., act now before it’s too late.
Being on guard for these red flags will become even more important as threat actors start to leverage open-source intelligence alongside AI chatbots to automate the creation of personalized phishing attacks at scale.
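The four red flags listed in this answer, turned into a small Python triage helper written for this issue (not DeleteMe’s code). The public-domain and brand-domain sets, the urgency phrases, the risky attachment extensions and the sample messages are all constructed; a real deployment would draw them from the organisation’s own inventory.

```python
import re
from email.utils import parseaddr

# Constructed lists for the four red flags described in the answer above.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
BRAND_DOMAINS = {"paypal.com", "deleteme.com"}
URGENCY = re.compile(r"\b(act now|immediately|within 24 hours|suspended|verify now|too late)\b", re.I)
RISKY_EXT = (".exe", ".zip", ".html", ".js", ".docm")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes such as paypel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain: str):
    """Return the brand domain this sender domain impersonates (within one edit), or None."""
    for brand in BRAND_DOMAINS:
        if domain != brand and edit_distance(domain, brand) <= 1:
            return brand
    return None

def red_flags(sender: str, subject: str, body: str, attachments=()) -> list:
    """Return the red flags raised by one message; an empty list means none of the four fired."""
    flags = []
    _, addr = parseaddr(sender)            # "PayPal Support <x@paypel.com>" -> "x@paypel.com"
    domain = addr.rpartition("@")[2].lower()
    if domain in PUBLIC_DOMAINS:
        flags.append("public-domain")
    if lookalike_brand(domain):
        flags.append("lookalike-domain")
    if any(a.lower().endswith(RISKY_EXT) for a in attachments):
        flags.append("suspicious-attachment")
    if URGENCY.search(subject + " " + body):
        flags.append("urgency")
    return flags

if __name__ == "__main__":
    # Constructed sample messages, not real mail.
    print(red_flags("PayPal Support <billing@paypel.com>", "Your account will be suspended",
                    "Verify now to keep access.", ["invoice.html"]))
    print(red_flags("Alice <alice@example.org>", "Lunch", "See you at noon."))
```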
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.