As security researchers uncovered a stash of more than 2 million hacked passwords on a hacker's server in the Netherlands last week, from users of Facebook, Google, LinkedIn and Twitter, most of the focus was on just how many people are still using awful, and awfully weak passwords. But did all the commentators miss an even bigger story connected to the hack?
Researchers from security firm Trustwave revealed how they discovered the kidnapped passwords on a hacker server in the Netherlands, and how a study of the stash confirmed what we already know about passwords: that many users think weak, predictable passwords are perfectly OK. Some of the most common passwords discovered on the server, and apparently favored by many users, included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we're not explaining the whole concept of passwords properly.
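One practical way a site can keep passwords like these out of its user base is to screen new passwords against a list of known-common ones and a few cheap pattern checks. The following is an added example, not code from the article or from Trustwave; the blocklist is constructed from the three passwords the article names, the 12-character floor and the leetspeak substitution table are assumptions chosen for this example, and a real deployment would load a large breach-derived list instead.

```python
from typing import Optional

# Constructed sample blocklist: the three passwords the article reports as
# most common in the stash. A real list would contain millions of entries.
COMMON_PASSWORDS = {"123456", "11111", "password"}

# Assumption: a length floor chosen for this example, not a value from the article.
MIN_LENGTH = 12

# Assumption: a small substitution table so "p@ssw0rd" is recognised as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
_TRAILING = "0123456789!@#$%^&*.?"


def _stem(pw: str) -> str:
    """Drop trailing digits/punctuation so 'password1!' is checked as 'password'."""
    return pw.rstrip(_TRAILING)


def _strip_leet(pw: str) -> str:
    """Undo common letter-for-symbol substitutions."""
    return pw.translate(_LEET)


def _is_single_repeated_char(pw: str) -> bool:
    """True for strings like '11111' or 'aaaaaaaa'."""
    return len(pw) > 0 and len(set(pw)) == 1


def _is_sequential_digits(pw: str) -> bool:
    """True for runs like '123456' or '987654' (at least four digits)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def weakness_reason(pw: str, blocklist=COMMON_PASSWORDS) -> Optional[str]:
    """Return a short reason the password is weak, or None if it passes every check.

    Blocklist matching is case-insensitive and also tries the stemmed and
    de-leeted forms, so trivial variants of a blocked password are caught too.
    """
    lowered = pw.lower()
    candidates = {lowered, _stem(lowered), _strip_leet(_stem(lowered))}
    if candidates & set(blocklist):
        return "appears in common-password list"
    if _is_single_repeated_char(pw):
        return "single repeated character"
    if _is_sequential_digits(pw):
        return "sequential digits"
    if len(pw) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for sample in ["password", "P@ssw0rd1!", "12345678", "zzzzzzzzzzzzzz",
                   "short", "correct horse battery staple"]:
        print(f"{sample!r:35} -> {weakness_reason(sample)}")
```

The check runs at registration or password-change time and returns a reason the interface can show the user; the ordering matters only for which reason is reported, since any non-None result rejects the password.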
But the other lesson that came from the discovery is how effective a little-known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that, once installed on a computer, will capture whatever the user types. And maybe even more. And there's a good chance that your antivirus software won't catch it. While the better antivirus brands are generally good at catching the most common malware, a study by the University of Alabama found that those same products only catch around 25% of the more advanced malware. And that's the stuff that can do the most harm.
But there was more relevant news. On the very day that media outlets around the world were railing at how bad the passwords were, a security firm in San Francisco called OPSWAT quietly revealed even worse news. When they planted a basic keylogger on one of their test computers and ran scans with more than 40 of the most popular antivirus products over two weeks, only one product caught the keylogger. Which probably means most consumers won't.