In your early days on the internet, when you had to create your first online account and you had to choose your first password, you most likely picked a favorite word that held meaning to you. You probably used a variation of this favorite word any time you needed to create a new password, and you probably still use this favorite word as the root of the passwords you are creating today. You may have added upper case, numbers, and punctuation to get it to comply with a complexity rule, but most people still start with this favorite word as the basis of the passwords they use today. Even on the business network.

The Big Problem

Unfortunately, this root word was probably the basis for passwords you created on many vendors’ websites. Ask yourself whether you have ever had an account at any of these websites:

Target – Facebook – Microsoft – Marriott – Yahoo – Uber – LinkedIn – Equifax – Adobe – J.P. Morgan – Myspace – Fling – Newegg – Home Depot – Instagram – Experian – T-Mobile – eBay – Gmail – Evernote – Twitter – MGM Hotels – DoorDash – WhitePages

If the answer is yes (and let’s be honest, everyone has an account on at least one of these websites right now), then your passwords are being openly sold on the dark web. That’s because these are the companies and organizations you’ve read about getting hacked over and over again for decades now, and each time that happens at a place where you have an account, your username and password get added to the list for sale. Some places like Facebook, LinkedIn, and Yahoo get hacked over and over, so your entire password history from multiple sites may be for sale.

Take a look here to get an idea of what I’m talking about:

Because, as we saw earlier, you probably use a familiar root word to create these passwords, your password history reveals a pattern in how you create passwords as it accumulates in the database of what’s for sale on the dark web. This allows malicious actors to easily guess your future passwords, or the passwords of desirable accounts like bank accounts that they might not possess yet, based on the pattern of what’s available.

P@55w0rd or password

In addition, the IT community has long said you need an eight-character password with complexity requirements turned on to be safe. This is still largely considered best practice today. Unfortunately, an eight-character password can be cracked in minutes with today’s processing power:

The other thing you need to understand is that to a password-generating algorithm, as represented in the last column of this graph, “P@55w0Rd” is exactly the same as “password”, because both are 8-character strings.

The attacker in this case is starting with a set of 101 characters: these are the upper and lowercase letters, the digits 0-9, and the type-able characters on the keyboard. The work is to derive an 8-character string from the 101-character starting set. To the algorithm, that work is the same whether the target string is “P@55w0Rd” or “password”, and it takes 39 minutes to work it out from scratch.

The only way to make a password harder for a brute-force crack is to make it longer. We advise a minimum of 12 to 16 character passwords or longer, in addition to MFA.
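The points above about root-word reuse and length, as an added example that is not part of the original article: a Python sketch of a password acceptance check that reduces a candidate to its root word, compares it against previously breached passwords, and scales the article’s 39-minute figure to longer lengths. The substitution table, the sample passwords and all function names are assumptions made for illustration, and the time estimate assumes the same attacker speed as the article’s figure.

```python
import re

# Assumed look-alike substitutions (illustrative, not exhaustive).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "0": "o",
                      "5": "s", "$": "s", "7": "t"})

CHARSET_SIZE = 101      # character set size quoted in the article
BASELINE_LEN = 8        # length the article's timing refers to
BASELINE_MINUTES = 39   # article's figure for an 8-character search
MIN_LENGTH = 12         # lower end of the article's 12-16 advice

# Constructed sample of one user's passwords seen in earlier breaches.
BREACHED = ["fluffy1", "Fluffy2019!", "password1"]


def root_of(password):
    """Reduce a password to its root word: drop trailing digits and
    punctuation, undo look-alike substitutions, keep letters only."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.translate(LEET).lower())


def derived_from_breach(candidate, breached, min_root=4):
    """True if a breached root of min_root+ letters is inside the candidate's root."""
    cand = root_of(candidate)
    roots = {root_of(p) for p in breached}
    return any(len(r) >= min_root and r in cand for r in roots)


def exhaustive_search_minutes(length):
    """Scale the article's figure: each extra character multiplies the
    search space, and so the time, by the character set size.
    Assumes the same attacker speed as the article's 39-minute figure."""
    return BASELINE_MINUTES * CHARSET_SIZE ** (length - BASELINE_LEN)


def check_password(candidate, breached=BREACHED):
    """Return the list of policy problems; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if derived_from_breach(candidate, breached):
        problems.append("derived from a breached root")
    return problems


if __name__ == "__main__":
    for pw in ("P@55w0Rd", "Fluffy2024!!", "tundra-lantern-orbit-47"):
        print(pw, check_password(pw))
    years = exhaustive_search_minutes(12) / (60 * 24 * 365)
    print(f"12 characters: about {years:,.0f} years at the same speed")
```

A 12-character password that only pads a breached root with a new year and punctuation passes the length rule but is still rejected, which is why both checks run together.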

MFA – Multi-Factor Authentication

Multi-factor authentication is your best friend in dealing with your password problem, because it largely defeats the remote attacker. It accomplishes this by requiring a code from something in your possession, like your smartphone, in addition to a username and password. Codes can be obtained by text messages, phone calls, email, or the best option – an authentication app like Google or Duo. While no defense is perfect, MFA or 2FA dramatically improves your security position and should be enabled every time it’s an option. Check the password settings for your profile and enable it if it’s available.

High-Value Or No-Value?

Because so many companies and agencies do such a terrible job of protecting your information, you must assume that much of this information has been harvested and is for sale. If you have ever had an account at a place that was hacked after you created your account, then your usernames and passwords are almost certainly for sale. Check here:

Now that you know how your passwords are stolen and traded on the dark web, it’s important that you behave differently with regard to your passwords:

  • Accounts that secure financial or otherwise sensitive data, like healthcare, must be treated differently than garbage accounts like Facebook and Twitter. Make sure your bank, hospital, and IRS accounts are secured with strong, unique, 16-character passwords that are not derivative of anything ever used online before.
  • Use multi-factor authentication every time you can, and especially on accounts protecting valuable data.
  • Monitor the dark web so you know when your credentials come up for sale. If you are a business, Rocky Mountain Cybersecurity can provide you with a monthly report on all your email accounts.
  • Get a password manager to help. Rocky Mountain Cybersecurity provides our subscription clients with a password management tool to dramatically ease the burden of long complex passwords. You should check with your IT for their preferred solution, but we can recommend the following products:


For more cybersecurity expertise, engaging user education, and affordable solutions to dramatically improve your risk profile, contact us to schedule an appointment today:

(307) 288-0222

Elmer Robinson is an IT warrior and cybersecurity subject matter expert who has fought on the front lines of the cybersecurity wars and provided business continuity as long as they have existed. A CISSP since 2008 and a certified network engineer since 1993, Elmer has proven success in delivering comprehensive cybersecurity strategies to every type of industry.


(C) Copyright 2022 Rocky Mountain Cybersecurity, All Rights Reserved