Over a billion credentials stolen were stolen in malware attacks in 2024
- Billions of passwords are breached each year, SpecOps report claims
- Millions of users are guilty of poor password hygiene
- Strong passwords are the first line of defense against data breaches
Passwords are being breached at an alarming rate, and threat actors are gaining access to victims accounts through weak and easily compromised credentials, experts have warned.
New research from SpecOps has revealed over a billion passwords were stolen in malware attacks in a 12 month period, highlighting just how widespread the issue is.
Most of us are guilty of using lazy passwords, or reusing credentials at some point, but new research from shows just how much harm that’s doing to users.
Strength in numbers
Stolen credentials are involved in nearly half of all data breaches (44%), and with breaches often costing companies millions for each incident, the cost of lazy passwords could be seriously detrimental to your business.
The most commonly compromised password was “123456”, being found in over 1.4 million breached credentials. Worryingly, of the 1.8 million breached administrator credentials, 40,000 admin portal accounts had the password ‘admin’, which means even IT workers aren’t taking the threat seriously.
However, an equally concerning discovery is that 230 million of the breached passwords actually met the standard complexity requirements – so were over eight letters, had at least one capital letter, one number, and one special character.
Length doesn’t necessarily protect a password, as over 31 million of the breached passwords were over 16 characters in length. Long passwords hashed with bcrypt can take ‘millions of years to crack’, but no matter how long your password is, if you reuse a breached password, it’s compromised immediately.
This just illustrates that when it comes to passwords, more is more, and you can’t be too careful with how you choose to protect your accounts. Hackers can exploit weak passwords through brute force attacks, mask attacks, and dictionary attacks – so common words and phrases aren’t recommended.
“The amount of passwords being stolen by malware should be a concern for organizations,” said Darren James, Specops Software Senior Product Manager.
“Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware.”
Staying safe
Secure passwords are a vital protection against a number of different threats, including identity theft, and social engineering attacks, which can leave victims in real financial or legal difficulty.
To avoid being a victim of stolen credentials, there are some tips to bolster your passwords to make you as secure as possible.
Your password should ideally be at least 14 characters, with a mix of lowercase, capitals, symbols, and numbers.
The worst, most easily cracked passwords are any variation of ‘Password123’, ‘123456’, or ‘admin’, so steer clear of anything generic.
Don’t use the names or birthdays of family or friends, or well known characters, and try to make it as obscure as possible.
Frustratingly, best practice is to choose a new password for each site, since reused passwords make even the ultra-secure credentials useless if one site is compromised.
Make sure to never share your password with anyone, including friends and family – and never send yourself (or anyone else) your password via email, message, or any other form of comprisable communication. If you need help remembering your passwords, we suggest physically writing them down somewhere secure, where no one else has access to.
Don’t give away your password to anyone calling or emailing you claiming to be your bank, a friend, or any unfamiliar source. Always call your bank back through their official number (which you can find online) before giving away any details.
If you want to use a third-party to make sure your credentials are as secure as possible, we’ve put together a list of the best password managers around. These can be used to keep all of your passwords in one place, and remove the hassle of having to remember each one.
Alongside this, you could use the best password generators on the market. These simply generate passwords that are secure and pretty much impossible to guess, since they’re typically generated randomly using a set of criteria which make them a super secure option.
You might also like
Billions of passwords are breached each year, SpecOps report claims Millions of users are guilty of poor password hygiene Strong passwords are the first line of defense against data breaches Passwords are being breached at an alarming rate, and threat actors are gaining access to victims accounts through weak and…
