
Why Even Your Most Complex Password Will Be Cracked Soon

Complex Passwords' Era Ending: Explore why passkeys are the future of secure logins and how developers can implement them now.

Vincent Delitz


Created: June 18, 2022

Updated: March 25, 2026


Over 80% of all data breaches are related to passwords. Using complex and different passwords for each account can increase security. However, customer accounts with even strong passwords can be hacked.

When we talk about logging into digital accounts, be it within apps or websites, the combination of a username and a password comes to mind. Secret passwords have been used for thousands of years. It's a simple concept: a shared piece of information, kept secret between individuals and used to prove identity.

In times where people spend a big portion of their life online, the use of this simple concept is widespread. Surveys have found that the number of password-protected accounts per user has increased exponentially in recent years, in response to an explosion of new apps and online services. One study, commissioned by NordPass, found that between 2019 and 2020 the number of passwords per user jumped by 20%, from an average of 83 to 100.

The growing number of password-protected accounts does not pose a problem at first. However, the way users set and manage passwords does. A password is static and hence must be remembered by the user or stored, be it on a sticky note or within a password manager. As an average person can only remember a combination of 7 letters or numbers, remembering 100 individual passwords can become quite a pain. Consequently, users tend to use simple passwords like names of their family members, birth dates or simply 123456, still the most used password on the internet. But why are passwords a security problem in the first place?

Key Facts
  • Password reuse drives most breaches: 52% of users reuse passwords, letting hackers exploit the weakest platform to access multiple accounts simultaneously.
  • Over 15 billion credentials from 100,000 breaches are purchasable online, with stolen credential volume increasing 300% since 2018 per Forbes.
  • Brute force attacks exceed 100 billion guesses per second, meaning even complex passwords can be cracked within seconds by modern hardware.
  • Over 80% of all data breaches involve passwords, yet 70% of breached credentials remain actively in use after exposure.
  • A NordPass study found the average user managed 100 passwords in 2020, a 20% increase from 83 in 2019, fueling widespread reuse.

Password reuse is the #1 cause of security breaches

To manage all their accounts, 52% of users reuse passwords, with severe consequences. This allows hackers to get access to several accounts by attacking the weakest link (the website with the lowest security standards). For instance, your Facebook account is secured by a complex password and strong security standards. However, there is a good chance that your credentials were involved in a previous data breach, like the one MySpace had in 2008, where 359,420,698 credentials were stolen. And this is just one example. According to Forbes, the number of stolen credentials has increased by 300% since 2018. Today, more than 15 billion credentials from 100,000 breaches can be bought on the internet by anyone. With these credentials, hackers perform large-scale login requests on hundreds of platforms to gain access to your accounts (so-called credential stuffing attacks).

Even complex passwords are not secure

Despite this widely known risk, 70% of breached credentials are still in use. Generally, credential stuffing attacks can be avoided by using different, complex passwords for each account on each platform in combination with password managers. However, even complex passwords can easily be cracked within seconds. Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second. Using such scripts to try random username/password combinations is called a brute force method.
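Added example, not code from the original article: one way a defender can tell the two attack patterns described above apart in authentication logs, separating credential stuffing (many different usernames from one source) from brute force (many guesses against one account). The events, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, login succeeded)
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = (
    # one source tries 40 different usernames once each; one reused password works
    [(T0 + timedelta(seconds=i), "203.0.113.7", f"user{i}", i == 17) for i in range(40)]
    # one source guesses 30 passwords against a single account
    + [(T0 + timedelta(seconds=2 * i), "198.51.100.9", "alice", False) for i in range(30)]
    # a legitimate user mistypes once, then logs in
    + [(T0, "192.0.2.44", "bob", False), (T0 + timedelta(seconds=20), "192.0.2.44", "bob", True)]
)

def classify_sources(events, window=timedelta(minutes=5),
                     min_failures=20, stuffing_users=10):
    """Label each source IP whose failed logins inside any sliding
    `window` reach `min_failures` (threshold values are assumptions)."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            failed = [r for r in rows[start:end + 1] if not r[2]]
            if len(failed) < min_failures:
                continue
            users = {user for _, user, _ in failed}
            # many distinct usernames: replayed breach list; few: password guessing
            verdicts[ip] = ("credential_stuffing" if len(users) >= stuffing_users
                            else "brute_force")
            break
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged into successfully: force a reset."""
    return sorted({user for _, ip, user, ok in events if ok and ip in verdicts})

if __name__ == "__main__":
    found = classify_sources(EVENTS)
    print(found)
    print("reset:", accounts_to_reset(EVENTS, found))
```

The successful login inside the stuffing run is the account whose owner reused a breached password, which is why it is reported separately from the source verdicts.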

But even if your password was not cracked by brute force, it is still not completely secure. As a customer, you have to trust the security standards of the platforms you are logging into. In case of weak protection, any password, no matter how complex, can be stolen.

Hackers are creative and constantly improving their methods

Unfortunately, credential stuffing and brute force are not the only methods to get unauthorized access to customer accounts. Another widespread technique is phishing, where a fake user interface of the original site is used to trick users into entering their credentials. Further methods are man-in-the-middle attacks, where communication streams like public WiFi networks are intercepted, or keylogging, where malware is installed on a computer to capture the credentials.

As long as there are passwords, customer accounts will be hacked

The problems outlined above are the reason why over 80% of all data breaches and hacking attacks are due to passwords, and they emphasize that we need a better approach than just username and password to handle authentication. Developments such as two-factor authentication (2FA) go in the right direction in terms of security, but user adoption is quite low. So why not omit passwords entirely and go passwordless? Sounds interesting? Explore Corbado's passwordless solutions and get a first impression of future authentication!

Frequently Asked Questions

Why isn't using a unique, complex password enough to keep my account secure?

Even a complex password can be compromised if the platform storing it has weak security standards, since any password can be stolen from a vulnerable server regardless of its strength. Techniques like phishing, keylogging and man-in-the-middle attacks capture credentials before encryption even applies, making the password itself the weakest link no matter how complex it is.

What is credential stuffing and how does the scale of stolen credentials make it so dangerous?

Credential stuffing involves taking username and password pairs stolen from one breach and automatically testing them across hundreds of other platforms. With over 15 billion credentials from 100,000 breaches available for purchase online, attackers have enormous datasets to work with, and the 2008 MySpace breach alone exposed over 359 million credentials that remain exploitable wherever victims reused those passwords.

Why do so many users still rely on weak or reused passwords despite knowing the risks?

The average person can only reliably remember a combination of about 7 letters or numbers, making it practically impossible to memorize 100 unique complex passwords. This cognitive limit leads 52% of users to reuse passwords across accounts, which in turn enables hackers to access multiple services by targeting the single least-secure platform a user has registered on.

Are solutions like two-factor authentication enough to replace passwords entirely?

Two-factor authentication moves in the right direction for security but the article notes that user adoption remains quite low, limiting its practical impact. The more promising direction is eliminating passwords entirely through passwordless authentication, which removes the static shared secret that underpins phishing, brute force and credential stuffing attacks at their root.
