
#Infosec19: Passwords Are Here to Stay, Warns Troy Hunt

Five years from today there will be more passwords in use than at present – despite their inherent security failings – according to HaveIBeenPwned founder Troy Hunt.

Presenting the Infosecurity Hall of Fame Annual Lecture on the last day of Infosecurity Europe today, Hunt sought to dispel some common misconceptions about cybersecurity.

HaveIBeenPwned started as a “fun project” back in 2013 and the free site now has over 7.8bn compromised accounts listed, which users can check to see if they have been breached.

Unfortunately, passwords are here to stay despite the emergence of solutions like multi-factor authentication which are far more secure, Hunt warned.

“They may be good technical solutions … but every single person in this room knows how to use a password, as bad as it is security wise,” he argued.

This usability will always trump security concerns, but organizations can and should make log-ins more robust by enhancing passwords with password managers and U2F keys, he added.

The dark web is often blamed for providing a platform for cyber-criminals to trade such credentials online, but the surface web is also a major offender, Hunt claimed.

He showed a screenshot of a single Twitter account which posted MEGA links to the notorious “Collection” combo lists, publicly exposing billions of unique emails and passwords, for example.

That’s not all: YouTube is awash with “hundreds” of how-to videos, detailing the simple steps budding cyber-criminals can take to launch SQLi attacks, credential stuffing and more, Hunt claimed.

Some of those he played on stage appeared to be voiced by teens, highlighting another misconception about cybercrime: that it tends to be the work of hardened, organized gangs.

One former law enforcer was quoted following the TalkTalk attack as suggesting it was the work of “Russian Islamic cyber jihadis,” for example. In reality, the breach, which cost the telco £77m, was mainly down to a 17-year-old boy.

“The damage [kids] can do is massive. So many children have access to this [hacking] information that anyone can use it without knowing the problems it can cause,” he argued. “We’ve got to do more to set kids back on the right path.”

The National Crime Agency’s Cyber Choices campaign highlights the scale of the problem, and the need to raise awareness among parents of what their kids may be up to.
