Why Also Your Most Complex Password Will Be Cracked Soon

Over 80% of all data breaches are related to passwords. Using complex and different passwords for each account can increase security. However, customer accounts with even strong passwords can be hacked.

When we talk about logging into digital accounts, be it within apps or websites, the combination of a username and a password comes to our mind. Secret passwords have been used for thousands of years. Itsa simple concept a shared piece of information, kept secret between individuals and used to prove identity.

In times where people spend a big portion of their life online, the use of this simple concept is widespread. Surveys have found that the number of password-protected accounts per user has increased exponentially in recent years, in response to an explosion of new apps and online services. One study, commissioned by NordPass, found that between 2019 and 2020 the number of passwords per user jumped by 20%, from an average of 83 to 100.

The growing number of password-protected accounts does not pose a problem at first. However, the way how users set and manage passwords indeed does. A password is static and hence must be remembered by the user or stored be it on a sticky note or within a password manager. As an average person can only remember a combination of 7 letters or numbers, remembering 100 individual passwords can become quite a pain. Consequently, users tend to use simple passwords like names of their family members, birth dates or simply 123456 still the most used password on the internet. But why are passwords a security problem in the first place?

To manage all their accounts, 52% of users reuse passwords with severe consequences. This allows hackers to get access to several accounts by attacking the weakest link (the website with the lowest security standards). For instance, your Facebook account is secured by a complex password and strong security standards. However, there is a good chance that your credentials were involved in a previous data breach, like the one MySpace had in 2008, where 359,420,698 credentials were stolen. And this is just one example. According to Forbes, the number of stolen credentials increased by 300% since 2018. Today, more than 15 billion credentials from 100,000 breaches can be bought on the internet by everyone. With these credentials, hackers perform large-scale login requests on hundreds of platforms to gain access to your accounts (so-called credential stuffing attacks).

Despite this widely known risk, 70% of breached credentials are still in use. Generally, credential stuffing attacks can be avoided by using different, complex passwords for each account on each platform in combination with password managers. However, even complex passwords can easily be cracked within seconds. Last year, a record was set for a computer trying to generate every conceivable password. It achieved a rate faster than 100,000,000,000 guesses per second. Using such scripts to try random username/password combinations are called brute force methods.

But even if your password was not cracked by brute force, it is still not completely secure. As a customer, you have to trust the security standards of the platforms you are logging in. In case of a weak protection, any password, no matter how complex, can be stolen.

Unfortunately, credential stuffing and brute force are not the only methods to get unauthorized access to customer accounts. Another widespread technique is phishing, where a fake user interface of the original site is used to trick users to enter their credentials. Further methods are man-in-the- middle-attacks, where communication streams like public WiFi networks are intercepted or keylogging, where malware is installed on a computer to capture the credentials.

The above outlined problems are the reason why over 80% of all data breaches and hacking attacks are due to passwords and emphasize that we need a better approach than just username and password to handle authentication. Evolvements such as 2-Factor-Authentication (2FA) go into the right direction in terms of security, but user adoption is quite low. So why not omitting passwords entirely and go passwordless? Sounds interesting? Explore Corbados passwordless solutions and get a first impression of future authentication!