What is your password worth?


Almost half of employees would happily sell their corporate passwords for, wait for it, less than a fiver, according to recent research by One Poll on behalf of Ping Identity.

If you thought that was pretty cheap, and pretty shocking, you might want to be sitting down for this next bit. Some 30 per cent said they would sell their company password for just £1.

Even if you factor in the notion that some people will say anything when completing a survey, the fact that only 29 per cent said they would stand up and do the right thing by not being prepared to sell at any price is rather sad.

Not quite as sad as another snippet of information which came out of that same survey, and which suggests that people actually put a much greater value on their personal information than they do enterprise data.

When it comes to selling social media logins rather than company network passwords, more than a third said they wanted at least £50, ten times what they thought their workplace credentials were worth. This corporate and personal data disconnect becomes even clearer when you consider that while 80 per cent insisted they would not share their social media passwords with anyone else, 34 per cent admitted they not only would share their business passwords but already had.

Not that staff selling passwords should be too much of a worry. Chances are the passwords are insecure enough to be easily compromised anyway, in 70 per cent of cases if research by web security company Smoothwall is anything to go by.

With more than half of these also using the same password for every service they use online, so that one breached site hands an attacker the keys to all the others, no wonder the login dark market is enjoying something of a boom time right now. If the passwords in question are 'password', 'passw0rd' or '12345678' then nobody is going to be getting rich on the user stupidity on display. These are, with surprising consistency, right up there as the three most popular passwords if users are left to choose their own. Any password made up of dictionary words (even in reverse) or popular acronyms, all lower case and under 10 characters, is, frankly, worthless*.

Worthless as a means of protecting whatever it grants access to, and worthless on the black market, because cracking software will easily guess the thing, so why buy it?
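To make that concrete, here is an added example (not code from the original article) in Python of the kind of dictionary-plus-rules attack that cracking tools run against a leaked, unsalted hash dump. The "breach dump", the eight-entry wordlist and the mangling rules are all constructed for the demo: a handful of rules (reversal, capitalisation, leet substitution, digit suffixes) recover every password built the way the paragraph describes in a few hundred guesses, while the one random 12-character password survives.

```python
import hashlib

# Constructed sample "breach dump" (not data from any real breach). A real dump
# would hold only the digests; the plaintexts are listed so the demo can build
# it offline and then check its own results.
VICTIM_PLAINTEXTS = [
    "password",      # the perennial number one
    "passw0rd",      # one leet substitution
    "12345678",      # digit sequence
    "drowssap",      # dictionary word in reverse
    "Welcome1",      # capitalised word plus digit suffix
    "yeknom",        # "monkey" reversed
    "dragon123",     # word plus a common suffix
    "kQ7!vz9Lm2#p",  # 12 random characters: should survive this attack
]

def sha256_hex(text):
    """Unsalted SHA-256: the kind of fast hash that makes offline guessing cheap."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

BREACH_DUMP = {sha256_hex(p) for p in VICTIM_PLAINTEXTS}

# A deliberately tiny wordlist of the entries that top every leaked-password
# frequency list. Real attacker wordlists run to millions of lines.
WORDLIST = ["password", "welcome", "letmein", "football",
            "monkey", "dragon", "123456", "12345678"]

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "123", "!", "2024"]

def mangle(word):
    """Yield candidates derived from one wordlist entry using mangling rules of
    the kind hashcat and John the Ripper ship with: case changes, reversal,
    leet substitution (one character class at a time, then all at once) and
    suffixes."""
    bases = {word, word.capitalize(), word.upper(), word[::-1]}
    for plain, leet in LEET.items():
        bases.add(word.replace(plain, leet))
    bases.add("".join(LEET.get(c, c) for c in word))
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix

def crack(dump, wordlist):
    """Dictionary-plus-rules attack against a set of unsalted digests.
    Returns (cracked, guesses): cracked maps digest -> recovered plaintext,
    guesses is how many distinct candidates were hashed to get there."""
    cracked = {}
    seen = set()
    for word in wordlist:
        for candidate in mangle(word):
            if candidate in seen:
                continue
            seen.add(candidate)
            digest = sha256_hex(candidate)
            if digest in dump:
                cracked[digest] = candidate
    return cracked, len(seen)

def audit():
    """Report, per sample password, whether the attack recovered it."""
    cracked, guesses = crack(BREACH_DUMP, WORDLIST)
    return {p: sha256_hex(p) in cracked for p in VICTIM_PLAINTEXTS}, guesses

if __name__ == "__main__":
    results, guesses = audit()
    for pw, hit in results.items():
        print(f"{'CRACKED ' if hit else 'survived'}  {pw}")
    print(f"{sum(results.values())}/{len(results)} recovered with {guesses} guesses")
```

Salting and a slow hash such as bcrypt or Argon2 raise the cost per guess, but they do not rescue a password that sits a couple of rules away from a wordlist entry; they only change how long the attacker waits for the same result.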

Here comes the * bit. If that stupidly insecure password comes bundled with specific login details for sites and services, networks and users, then the value equation ramps up once more. The password is only one part of the equation; the more of the rest of it the seller provides, the easier the bad guy's life becomes, the more they will be willing to pay, and the higher the perceived value climbs.

And that's the thing that all too often seems to get forgotten: the criminal underground economy is just as driven by the forces of supply and demand as any other. The items most in demand carry the highest premiums, and that includes the logins that allow access to your network. Spear phishers will target specific enterprises that hold data they can either exploit themselves or, more likely, know can be sold with ease on the dark market. If you deal in commerce, that means they want your customer databases and the associated transactional information, for example. Both of which carry a relatively high price* online.

Aha, another * bit: relatively does not, however, mean as much as you may imagine. If you thought that users place a low value on passwords, wait until you see what the underground market thinks they are worth. The harsh truth is that as data breaches have gone through the roof so login values have dropped through the floor.

Password construction, management, storage and security are all so utterly crap (generally speaking) that the market has become flooded with them. Although credit card data remains the most common spoil of war to be touted for sale on the numerous cyber crime underground sites, logins for compromised but still active bank accounts (meaning the poor customer hasn't realised yet, because nobody has started siphoning cash out) with a balance over £10,000 regularly appear for anywhere between one and two hundred pounds.

Password lists, compiled from successful breaches by a canny crim who has extracted the passwords used and handily sorted them in order of most stupid/popular, sell for no more than £10 for a 10,000-strong item.

Interestingly, it appears that most of the password and login related data that gets sold via the dark market is seen in much the same light as factory seconds. The data gets picked up by the same malware used to scrape banking details from unwitting users, and these logins for social networking accounts, online services and in some cases network logins for enterprises large and small simply get sold off as unwanted lots.

Although no prices have been mentioned in the advertisements that I have seen, it does appear to be very much a 'factory outlet' style of sale, and one gets the impression that no unreasonable offer would be refused. Ultimately, then, the lesson to be learned from all of this is that if you value the security of your data then you have to understand that there is a value to the insecurity that surrounds it.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.