Account rewrite: less than a third of Russians use unique passwords

Less than a third of Russians (28%) use unique passwords for different sites, it follows from the results of a survey of the National Payment Card System that Izvestia has… Due to the same or similar credentials, citizens risk losing access to all accounts at once: after hijacking the page, scammers can steal personal and billing information or send spam on behalf of the user… Representatives of the largest e-mail services, social networks and banks told Izvestia that they have high requirements for password security, but cannot find out if it has been used before on other resources.

Difficult and not so

The majority of Russians (76%) store passwords from their Internet accounts in the most reliable way – remember them… This is stated in the study “Plat.form World” (IT-brand of the National Payment Card System – NSPK), which is at the disposal of “Izvestia”. The survey was conducted for Cryptography Day, which is celebrated on May 5th. In the question about how to store credentials, there are several answers to choose from: almost 40% of Russians said they use autosave in their phone or browser, 29% write data on paper, and 18% record it in text format on a phone, tablet or computer…

In the same time only 28% of respondents reported that they create unique passwords for each resource. The same number of respondents use a set of several combinations of symbols, 17% – put the same combination for all resources, and another 27% – change their approach depending on the task… The majority of Russians (49%) set difficult or very difficult combinations of symbols, 44% choose medium difficulty, and the remaining 7% come up with simple or very simple configurations, the study notes.

By using unique passwords for different accounts, Russians can protect themselves from the compromise of one of the character sets, said Artyom Gutnik, head of the NSPK information security department. He noted that the safest method of storing data is memorizing a sequence of numbers. In order not to forget the credentials, you can use special programs to fix them, but it is important to choose reliable solutions.

– Storing passwords on paper is the most insecure option, since it is easiest to get access to the information recorded on it by third parties. It is not uncommon for people to put a piece of paper with written down PIN codes in their wallet with bank cards, which in no case should be done, – said Artyom Gutnik.

Using the same credentials on different services is bad practice: most account hacks are the result of password reuse, confirmed the expert on information security in Odnoklassniki Alexandra Svatikova. Even a complex combination of symbols that a person uses on several sites is considered unreliable, Yandex is convinced. The company emphasized: if an attacker finds out such a combination, then he will try to go with him to social networks, mail services, and online banks…

Yandex added that they track the appearance of various databases of stolen passwords on the Internet and, if they suspect that a person may use the same combinations of characters, they send him in advance to a mandatory change of login data…

Open sources

When changing the VKontakte credentials, the system will not allow the use of a combination of letters, numbers and signs that has already been used before, the press service of the service told Izvestia. They noted that they give recommendations to users when installing protection. Among them are the use of a large number of symbols, non-standard combinations of words, numbers, numbers and formulas, as well as the refusal to use dates of birth, surnames, car numbers and nicknames of pets, since fraudsters can find this information in open sources.

Representatives of other postal services and social networks did not promptly respond to Izvestia’s questions about secure passwords.

In addition to Internet resources, credit institutions also place high demands on the complexity of credentials. Izvestia was told about this at VTB, GPB, Otkritie, PSB, Raiffeisen, RSHB, OTP Bank, Crimean RNKB, Rosbank and Zenit. The last two emphasized that check the history of setting access codes and do not allow the use of previously used combinations… In addition, financial institutions set up two-factor authentication to log into mobile and Internet banking – using a code from an SMS.

The bank does not store passwords of clients in clear text, does not have access to them and, accordingly, does not have the ability to control the use of the same credentials by the client in other services, emphasized Ilya Suloev, director of the information security department of Otkritie. He warned that compromising information on less secure sites risks leading to unauthorized access to the client’s finances. The GPB knows about the risks of storing the PIN-code from the card together with the “plastic” itself: sometimes Russians also write a four-digit code on the card itself, or it is wrapped in a wallet in a sticker from a previously received PIN envelope, says the deputy head of the bank’s information protection department Alexei Pleshakov …

If an attacker received a password from a social network or mail, he can steal the victim’s confidential and payment information, as well as send phishing emails on behalf of the victim. or by deceit to extort money from friends of the victim, said Vladimir Rotanov, consultant of the information security center of Jet Infosystems. He estimated that cracking credentials could take one to two days.

Now there are entire hacker groups that specialize in verifying passwords contained in fresh leaks from popular services: in the future they sell access to hacked accounts, said the founder of the DLBI data leak intelligence service Ashot Hovhannisyan, adding that decrypting the leaked credentials will require several hours to weeks.

The Ministry of Telecom and Mass Communications did not promptly respond to the request of Izvestia about the requirements for Internet resources regarding the security of passwords.