Step-by-step guidance on building passwords that resist brute-force attacks, dictionary attacks, and credential stuffing. Posts cover length requirements, character diversity, passphrase techniques, and common mistakes that weaken password strength.
posts
In 2023, a single reused password gave a threat actor access to 23andMe's credential-stuffing attack that exposed the data of nearly 7 million users. The attacker didn't exploit a zero-day vulnerability or deploy sophisticated malware. They just tried stolen passwords from other breaches — and millions of
The 23-Character Password That Still Got Cracked In 2024, a security researcher at Hive Systems demonstrated that a 12-character password using only lowercase letters could be brute-forced in about three weeks with modern GPU hardware. Bump that up to a complex 12-character mix of upper, lower, numbers, and symbols? Still
In September 2023, a credential stuffing attack against 23andMe exposed the personal data of nearly 7 million users. The root cause wasn't some exotic zero-day exploit. It was reused, weak passwords. Attackers took credentials leaked from other breaches, tried them on 23andMe accounts, and walked right in. That&
The 123456 Problem Is Worse Than You Think In December 2021, NordPass published its annual list of the most common passwords. Sitting at number one — for the third year running — was "123456." Number two? "123456789." These aren't passwords from 2005. They're passwords
In the 2020 Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involved stolen or brute-forced credentials. Not sophisticated zero-day exploits. Not nation-state malware. Passwords. The single thing most people treat as an afterthought is the single thing that gets most organizations compromised. Knowing how to create a strong
In 2023, a single reused password gave threat actors access to 23andMe's credential-stuffing attack, exposing the genetic data of nearly 7 million users. The attackers didn't exploit some exotic zero-day vulnerability. They just tried stolen username-password pairs from other breaches — and millions of them worked. If
