ARI SHAPIRO, HOST:
Most of us have a long list of usernames and passwords to sign into accounts online - eBay, Amazon, Expedia. Those credentials are valuable to hackers, and they're for sale online. Stacey Vanek Smith from our Planet Money team got a look into the market place for stolen passwords.
STACEY VANEK SMITH, BYLINE: I have in front of me a list. It is four and a half pages long, and there are a bunch of company names on it all in alphabetical order. It has banks and airlines and clothing stores. And next to each company name is a price. This list comes from a site on the dark web where people buy and sell stolen usernames and passwords. It is a price list. I got a copy of this list from an investigative journalist named Brian Krebs.
BRIAN KREBS: Author of the website krebsonsecurity.com.
VANEK SMITH: And you spend a lot of time on the dark web.
KREBS: Yeah. It's kind of an occupational hazard.
VANEK SMITH: Krebs got this particular list from a site called Seller's Paradise.
KREBS: It looks like a pretty nicely indexed e-commerce site where you might go and buy, you know, blenders or whatever it is you want to buy.
VANEK SMITH: But in this case, instead of blenders, people are buying stolen usernames and passwords. Some account information like bank account passwords are obviously valuable. But for others, it can be kind of hard to know why anyone would be interested. There's Costco for 15, David's Bridal for 10. And what are you doing with these passwords if you buy them? So if you - if I buy someone's David's Bridal password for ten bucks, like, what am I doing with it?
KREBS: (Laughter) One of the longest-running scams is the points. They go to use their points, and they're like, I don't have any points; I don't really know what's going on.
VANEK SMITH: So, like, if you buy someone's, like - I'm looking at Best Buy - costs $13.
KREBS: Right. I could in theory sign into your Best Buy account, change your address, and you would be none the wiser when they send me, you know, a set of $400 Bose headphones (laughter), you know? Cyber thieves think of really ingenious ways to cash these things out, and cash them out they do.
VANEK SMITH: I mean, how scared should I be about this - about my passwords being out there?
KREBS: Well, that depends. Are you the type of person who reuses the same password all over the place? Then you should...
VANEK SMITH: Let's say that I were that kind of person (laughter). How scared should I be?
KREBS: OK, yeah, I think you should be pretty concerned. I mean...
VANEK SMITH: Really?
KREBS: One of the biggest pieces of feedback I get from, you know, mere mortals who - you know, they take pride in the fact that they don't really understand computers or understand why anybody would want to hack their computer. And I just say, look; you have probably 20, 30 sets of credentials stored in your browser or on your computer that have value. You may not think that they do, but they absolutely do. And this service kind of, you know, puts a pretty fine point on that.
VANEK SMITH: What does this mean - the existence of this marketplace - like, for most of us mere mortals?
KREBS: It means that it's 2018, and we're all still stuck with the stupid passwords.
VANEK SMITH: Krebs thinks we will eventually get to a post-password world. In that world, your phone could essentially become your password. After all, it has tons of data on you, your location, maybe even your fingerprints or your face. And that data can be used to verify your identity. So we'd essentially be carrying our passwords around in our pockets.
But for now, we are stuck with these same old passwords and the same old advice we've been hearing for years. If you want to protect yourself from hackers, be sure to turn on two-factor authentication, and do not reuse the same passwords again and again and again like I do. Stacey Vanek Smith, NPR News. Transcript provided by NPR, Copyright NPR.