90% of passwords can be cracked in less than a second


According to S21sec, a Spanish cybersecurity company, most internet users continue to use insecure passwords for different services, which leads to massive attacks. The latest spambot showed that 90% of such passwords can be cracked in less than a second.

At the end of August, news of a new spambot was published that made a strong impact in the world of cybersecurity. Headlines such as “Spambot attacks more than 711 million emails”, “711 million emails and passwords leaked by a spammer” or “Massive spambot captures 711 million email addresses” showed that it was the data breach with the largest impact published to date.

S21sec analyzed the accounts to find patterns of vulnerability. Of the 711 million credentials, approximately 10% contained both the email address and its respective password. The complete analysis of these credentials gave the following data:

  • The servers of Chinese origin qq.com and 163.com represent 43% of the compromised accounts, while the American servers gmail, yahoo, hotmail and myspace together reached 29%.
  • The most insecure passwords found in the credentials were simple, consecutive combinations, single digit repetitions, or the word “password”.
  • Most people choose to use weak passwords, either because they are easier to remember or because they do not know how easily weak passwords can be obtained by brute force.
  • This percentage would be much higher if it weren’t for the security policies that many free mail providers apply when the user chooses a password.
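
The three patterns named in the list above, written as a check a service could run when a user chooses a password. This is an added example, not S21sec's code: the function names, the keyboard rows and the substitution table are assumptions, and it goes slightly beyond the text by also catching reversed or concatenated runs and short repeated blocks.

```python
import re
from functools import lru_cache

# Assumed rows used to recognise "simple, consecutive combinations".
ROWS = ("0123456789", "1234567890", "abcdefghijklmnopqrstuvwxyz",
        "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumed look-alike substitutions undone before searching for "password".
LEET = str.maketrans("@40$51!3", "aaosslie")


def _in_row(chunk: str) -> bool:
    """True if chunk is a slice of one row, read forwards or backwards."""
    return any(chunk in row or chunk in row[::-1] for row in ROWS)


@lru_cache(maxsize=None)
def _only_runs(s: str) -> bool:
    """True if s splits completely into runs of at least 3 characters."""
    if not s:
        return True
    return any(_in_row(s[:j]) and _only_runs(s[j:])
               for j in range(3, len(s) + 1))


def weak_reasons(password: str) -> list[str]:
    """Return the weak-pattern labels that apply; an empty list means none."""
    s = password.lower()
    reasons = []
    if s and _only_runs(s):                 # 123456, qwerty123, 654321
        reasons.append("sequence")
    if re.fullmatch(r"(.{1,3})\1+", s):     # 111111, 121212
        reasons.append("repetition")
    if "password" in s.translate(LEET):     # password, Passw0rd!
        reasons.append("password-word")
    return reasons


def weak_share(passwords: list[str]) -> float:
    """Fraction of the given passwords that match at least one pattern."""
    return sum(bool(weak_reasons(p)) for p in passwords) / len(passwords)


# Constructed sample values, not taken from any leak.
SAMPLE = ["123456", "111111", "password", "Passw0rd!", "qwerty123",
          "correct horse battery staple", "Tz7#kq!vR2mx"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:32} {weak_reasons(pw) or 'no listed pattern'}")
    print(f"flagged: {weak_share(SAMPLE):.0%}")
```

An empty result only means none of these patterns matched; it does not show that the password is strong or unexposed.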

Recommendations for users and companies

Services like https://haveibeenpwned.com/ compile a large number of data leaks and can help verify whether any of your email addresses have been exposed in any of these attacks. If this is the case, we recommend changing the password of that account as soon as possible.

In addition, there are other measures that users can take to strengthen their passwords: create a solid password, which alternates between uppercase and lowercase letters and also uses numbers and characters that are not related to personal dates that a third party can easily obtain.

Finally, it is essential to remember that the weakest link in the cybersecurity chain is the user who does not take enough precautions to protect himself.