How long before a hacker tries a leaked password?

Delhi, Jun 9: Let’s try to guess. Suppose someone’s password is hacked and shared on the internet. How quickly will hackers try to access that account?

Designing the Study

The researchers at a company called Agari Tech wanted to find out. So, here is what they did:

  1. They created thousands of user ids and passwords which appeared to be genuine passwords of users on some popular websites and cloud applications (cloud applications can be as simple as OneDrive or Google Drive where you store your data, or places where companies store their data and do all their transactions).
  2. But these user ids and passwords were not real. They were controlled by the researchers. This means that if someone tried to use these passwords, the researchers would get to know.
  3. Over a six-month period, they slowly released these passwords on websites and forums (forum: An online place where people interact with each other) where stolen passwords are usually leaked.
  4. They then monitored how quickly a hacker tried to use these credentials (user id and password together are called credentials). Because these ids were created by researchers, they knew that there would be no genuine users. Anyone using these ids would have to be a hacker.
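The monitoring in step 4 can be sketched in a few lines of Python. This is an added example, not the researchers' code: the decoy accounts, leak times, log format and log lines are all constructed for illustration. It measures how long each decoy credential stayed unused after being leaked and which ones were tried within a chosen time window.

```python
from datetime import datetime, timedelta

# Constructed decoy accounts: user id -> time the credential was "leaked".
DECOYS = {
    "decoy.anna@example.com": datetime(2021, 1, 4, 9, 0),
    "decoy.ravi@example.com": datetime(2021, 1, 4, 9, 0),
    "decoy.mei@example.com": datetime(2021, 1, 6, 15, 30),
    "decoy.omar@example.com": datetime(2021, 1, 6, 15, 30),
}

# Constructed login log, one attempt per line: timestamp user source_ip result
LOG = """\
2021-01-04T11:42:10 decoy.anna@example.com 203.0.113.7 SUCCESS
2021-01-04T11:43:02 real.user@example.com 198.51.100.20 SUCCESS
2021-01-04T12:05:44 decoy.anna@example.com 203.0.113.9 SUCCESS
2021-01-05T02:17:31 decoy.ravi@example.com 192.0.2.55 FAILURE
2021-01-08T20:01:00 decoy.mei@example.com 203.0.113.7 SUCCESS
"""

def first_use_delays(log_text, decoys):
    """Return {decoy user: time between the leak and the first login attempt}."""
    first_seen = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, user, _ip, _result = parts
        if user not in decoys:
            continue  # ordinary account, not part of the study
        # Nobody genuine owns a decoy, so every attempt counts,
        # whether it succeeded or failed.
        when = datetime.fromisoformat(ts)
        if user not in first_seen or when < first_seen[user]:
            first_seen[user] = when
    return {u: first_seen[u] - decoys[u] for u in first_seen}

def summarize(delays, decoys, window=timedelta(hours=12)):
    """Count how many decoys were tried, and which were tried within the window."""
    fast = sorted(u for u, d in delays.items() if d <= window)
    return {
        "tried": len(delays),
        "within_window": fast,
        "share_within_window": len(fast) / len(decoys),
        "never_tried": sorted(set(decoys) - set(delays)),
    }

if __name__ == "__main__":
    delays = first_use_delays(LOG, DECOYS)
    print(summarize(delays, DECOYS))
```

The same check works as an alarm on a real system: a login attempt on an account that no genuine person uses is a sign that its password has leaked.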

Results of the study

Here is a quick summary of what they found:

  • About half of the passwords were tried within 12 hours of being ‘leaked’.
  • Although there are automated programs that can be used to log in to a site using a stolen user id and password, most of these attempts were made manually, by a person typing them out themselves and checking whether they work or not. Why would they do that? In this way, they can verify if a password really works.
  • The community also stopped trying out the passwords in a week or so. This could be because they have moved on to new passwords, realised that it is not possible to launch large attacks using these passwords, or any other reason.

Fun fact: The entire US Pipeline that was stopped because of a ransomware attack in May was compromised because of ONE password. This password belonged to an inactive employee (an employee who is no longer working with the company), but his password was still working. The hackers used this password to get into the system.

Story Inputs by Aditi Mukund