Delivers practical guidance on creating, managing, and storing passwords securely. Topics include password manager recommendations, passphrase strategies, credential rotation policies, and techniques for eliminating password reuse across personal and enterprise environments.
posts
In 2023, a single reused password gave threat actors access to 23andMe's credential stuffing attack, ultimately exposing the genetic data of 6.9 million users. The attackers didn't exploit a zero-day vulnerability. They didn't deploy sophisticated malware. They simply tried known username-password combinations from
In March 2024, a Cisco advisory revealed that a massive brute force campaign was targeting VPN devices, SSH services, and web application portals worldwide — using roughly 28,000 unique IP addresses. The attackers weren't sophisticated. They didn't need to be. They just hammered login pages with
In 2023, a single reused password gave a threat actor access to 23andMe's credential-stuffing attack that exposed the data of nearly 7 million users. The attacker didn't exploit a zero-day vulnerability or deploy sophisticated malware. They just tried stolen passwords from other breaches — and millions of
The Breach That Started With One Reused Password In 2022, a single employee at LastPass reused credentials across personal and work accounts. A threat actor exploited that overlap, eventually compromising encrypted password vaults for millions of users. The irony — a password management company breached because of poor password hygiene — should
The 23-Character Password That Still Got Cracked In 2024, a security researcher at Hive Systems demonstrated that a 12-character password using only lowercase letters could be brute-forced in about three weeks with modern GPU hardware. Bump that up to a complex 12-character mix of upper, lower, numbers, and symbols? Still
The Breach That Started With "CompanyName2024!" In January 2025, a mid-size healthcare provider in the Midwest discovered that an attacker had been living inside their network for eleven weeks. The initial access point? A reused password. An employee had used the same credential for their company email and
The 23 Billion Reasons Your Password Probably Isn't Good Enough In January 2024, researchers discovered a file called "RockYou2024" floating around dark web forums. It contained roughly 9.9 billion unique plaintext passwords — the largest credential dump in history at the time. By early 2025, threat
23andMe Lost 6.9 Million Records to a Credential Stuffing Attack In October 2023, genetic testing company 23andMe confirmed that threat actors had compromised roughly 14,000 accounts using stolen credentials from other breaches. Because of the platform's social sharing features, that initial foothold gave attackers access to
In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory warning that Russian military-linked threat actors were systematically using brute force attacks to compromise Microsoft 365 accounts across government agencies and critical infrastructure. These weren't sophisticated zero-day exploits. They were automated password-guessing scripts
In September 2023, a credential stuffing attack against 23andMe exposed the personal data of nearly 7 million users. The root cause wasn't some exotic zero-day exploit. It was reused, weak passwords. Attackers took credentials leaked from other breaches, tried them on 23andMe accounts, and walked right in. That&
