Are Your Financial Passwords Leaked On The Dark Web?

Advice From A Cyber Security Expert

Andrew Rathbun is a cyber security professional with seven years of experience across local/federal law enforcement and the private sector. Andrew has spent the last 2.5 years responding to ransomware incidents for businesses at every scale. Andrew is heavily involved in the Digital Forensics and Incident Response (DFIR) community. He enjoys writing blog posts, sharing research, contributing to open source projects, publishing books, and learning from and collaborating with other professionals in the field. Below are Andrew’s answers to a few questions I had for him regarding online financial accounts.


1. What are the biggest threats to keeping online financial accounts secure?

The biggest threat is when people use the same passwords that have long since been compromised in numerous hacks. You should make sure your current passwords aren’t in the infamous “RockYou” password leak, which can be found here. This password list is commonly used by hackers when they want to attempt brute forcing accounts (trying many passwords to see if one will work) to gain access and carry out their goal of stealing all your money!

Additionally, some financial institutions do not have multi-factor authentication (MFA). My credit union doesn’t currently, which is crazy to me! Email/Password combinations used for some of the most important accounts people own are floating about on the dark web. You should use multi-factor authentication for every financial account if possible.
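The check against a leaked list described in this answer can be done entirely offline, so the password never leaves your machine. The script below is an added example, not part of the interview or Andrew's own code; it assumes you already have a local copy of a leaked-password list (the path on the command line is a placeholder), and the demo uses a small constructed list rather than real leak data.

```python
import getpass
import os
import sys
import tempfile


def find_leaked(wordlist_path, candidates):
    """Return the candidates that appear verbatim as a line in the wordlist."""
    # Compare raw bytes: leaked lists such as rockyou.txt contain entries that
    # are not valid UTF-8, so decoding every line would raise or corrupt them.
    wanted = {c.encode("utf-8"): c for c in candidates}
    found = set()
    with open(wordlist_path, "rb") as fh:      # streamed, constant memory
        for line in fh:
            entry = line.rstrip(b"\r\n")       # strip only the line ending;
            if entry in wanted:                # spaces can be part of a password
                found.add(wanted[entry])
                if len(found) == len(wanted):
                    break
    return found


def demo():
    """Run the check against a small constructed list (not real leak data)."""
    # Mixed CRLF/LF endings, one non-UTF-8 entry, no newline after the last line.
    sample = b"123456\r\npassword\niloveyou\ncaf\xe9 1999\nqwerty"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
    try:
        # Constructed candidates: two weak ones, one with a trailing space that
        # must not match the entry "password", and one generated-looking value.
        candidates = ["123456", "qwerty", "password ", "T7#qV9!mZr2&xLw4Kp0$"]
        return find_leaked(tmp.name, candidates)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_leaked.py /path/to/wordlist.txt")
    # getpass keeps the password out of shell history and off the screen.
    pw = getpass.getpass("Password to check (not echoed): ")
    hit = find_leaked(sys.argv[1], [pw])
    print("FOUND in list: change this password" if hit else "Not in this list")
```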

2. What is the best way to create a secure online password?

Using a random password generator is the best thing you can do. This can make it difficult to remember all of the random passwords though. So once the random password is generated, you then have to decide the best way to store/remember it. For examples of strong passwords, use a site like this one to create a password that is difficult to crack.

3. What is the safest way to save/store these secure passwords?

It is vital to use a password manager. I use 1Password as my password manager. I like it because I can use my email and an easy-to-remember password to access my password vault, which contains ALL of my passwords for every login I have. What makes it secure is that not only do you need the typical email/password combination to log in, but you also need a secret key that is unique to your account. If you use a password that has long since been leaked as associated with your email, a hacker will need to know your secret key, which is a random string of numbers and letters, before they can log in to your password vault.

Within my 1Password vault, I don’t know any of my passwords by heart. They are often 20+ characters and include lowercase characters, uppercase characters, symbols, numbers, and other special characters. There’s no way I could remember one let alone hundreds of different passwords. On some of my most valuable accounts, I have 50+ character passwords! I use 1Password on my phone and computer to log in to my accounts, so I don’t have to remember those passwords because they are simply too secure to remember. If ever they get leaked and therefore associated with my email account, I’ll just regenerate a new 20+ character password and replace it in my vault with the one that was compromised.

4. Any password managers that you would recommend that are free?

I’ve personally not used any free password managers, but one free password manager I would not recommend is your web browser. Obtaining your saved passwords from a browser like Firefox or Chrome is trivial for a motivated bad actor, and frankly, I could download a free tool right now and obtain the passwords stored in my web browser without much effort. 

If I had to choose a free password manager, the first I would consider looking into would be BitWarden on account of the program being open-source. What does this mean? That means the source code that makes it work is completely transparent to the public. If there are vulnerabilities, those who have the knowledge can identify them and suggest changes to the program to make it more secure so everyone benefits. For those not in the cyber security industry, this is a very common occurrence where a tool is free and open-source where improvements, bug fixes, and any other feature requests are encouraged. 

5. What is a VPN, how does it work, and should the everyday person use one?

A virtual private network (VPN) is something that people can use to make their internet traffic secure from people who are trying to steal their data. VPNs are secure but they can be very slow. Without a VPN, if you go to a website, data travels from your computer directly to the website’s servers. With a VPN, the data travels from your computer, to Israel, to Switzerland, to Brazil, and then to the website you’re trying to go to. Therefore, the website will load much slower than without a VPN.

The everyday person should strongly consider using a VPN when connecting to public Wi-Fi, such as the airport or a local diner. Unsecured Wi-Fi networks allow bad actors to easily sniff for packets of your data going to and from your computer, including but not limited to your email/password combinations when you’re logging into your bank account on said public Wi-Fi network.

6. Any good VPN services that you would recommend?

If you care about privacy, then you want to use a VPN that’s based out of a country with favorable privacy laws. Switzerland is widely considered to have the most robust laws on privacy when it comes to consumer data. ProtonMail, a privacy-focused email provider based out of Switzerland, has a VPN service called ProtonVPN. I use it and I very much recommend it. The philosophy of Proton is admirable and the fact it’s based out of Switzerland is a huge plus for privacy. Proton also embraces the open-source mindset that I admire about BitWarden and many other projects within my field of work.

7. Any other best practice recommendations?

Use a password manager, enable multi-factor authentication (MFA) on every account that provides that as an option, and change any passwords that you’ve been using since high school! 

Remember if something is free and you are not paying for it, then you are the product. Your data, your interests, your everything is being sold by advertisers like Google for profit. It’s not that any of us have anything to hide, but there’s a reason why we all don’t have 24/7 freely accessible streaming cameras in our bedrooms for all the world to see. 

Also, if you try to sell something on Facebook like I did tonight for the first time in a few years, and multiple accounts message you asking if the item is available within a minute of the posting, they are very likely bots. Sure enough, the first 4 accounts that asked me if the item was available ALL asked if they could call me with their second message. In the next message after I said “no, I don’t give out my phone number” they asked if I could post my phone number so they could call me. I immediately blocked them at that point. You have to take a moment, slow down, and not be in such a hurry to make the sale and ensure your data’s privacy is maintained as much as possible. Why would this person want my phone so badly? I thought they were interested in the mattress I’m trying to sell. Truthfully, my phone number is more valuable to them than the mattress, and they know I want to sell the item badly enough because otherwise why would I be posting about it on Facebook where there are tens of thousands of people on each of these 10+ groups I posted the item in? Much like the term innocent until proven guilty, nowadays I see things as scams until proven otherwise.

Fiduciary Financial Advisors, LLC is a registered investment adviser and does not give legal or tax advice. Information presented is for educational purposes only and does not intend to make an offer or solicitation for the sale or purchase of any securities. The information contained herein has been obtained from a third party source which is believed to be reliable but is subject to correction for error. Investments involve risk and are not guaranteed. Past performance is not a guarantee or representation of future results.