Delivers practical guidance on creating, managing, and storing passwords securely. Topics include password manager recommendations, passphrase strategies, credential rotation policies, and techniques for eliminating password reuse across personal and enterprise environments.
posts
In 2024, the FBI's Internet Crime Complaint Center reported losses exceeding $16 billion from cybercrime — and compromised credentials were the gateway for a staggering number of those incidents. Right now, billions of username-and-password combinations sit on dark web marketplaces, priced anywhere from $1 to $500 depending on what
The 6-Character Password That Cost a Company $4.88 Million IBM's 2024 Cost of a Data Breach Report pegged the global average breach cost at $4.88 million. In my experience analyzing post-breach forensics, weak or reused passwords remain the single most common entry point for threat actors.
In 2023, a single reused password gave threat actors access to 23andMe's credential stuffing attack, ultimately exposing the genetic data of 6.9 million users. The attackers didn't exploit a zero-day vulnerability. They didn't deploy sophisticated malware. They simply tried known username-password combinations from
In March 2024, a Cisco advisory revealed that a massive brute force campaign was targeting VPN devices, SSH services, and web application portals worldwide — using roughly 28,000 unique IP addresses. The attackers weren't sophisticated. They didn't need to be. They just hammered login pages with
In 2023, a single reused password gave a threat actor access to 23andMe's credential-stuffing attack that exposed the data of nearly 7 million users. The attacker didn't exploit a zero-day vulnerability or deploy sophisticated malware. They just tried stolen passwords from other breaches — and millions of
The Breach That Started With One Reused Password In 2022, a single employee at LastPass reused credentials across personal and work accounts. A threat actor exploited that overlap, eventually compromising encrypted password vaults for millions of users. The irony — a password management company breached because of poor password hygiene — should
The 23-Character Password That Still Got Cracked In 2024, a security researcher at Hive Systems demonstrated that a 12-character password using only lowercase letters could be brute-forced in about three weeks with modern GPU hardware. Bump that up to a complex 12-character mix of upper, lower, numbers, and symbols? Still
The Breach That Started With "CompanyName2024!" In January 2025, a mid-size healthcare provider in the Midwest discovered that an attacker had been living inside their network for eleven weeks. The initial access point? A reused password. An employee had used the same credential for their company email and
The 23 Billion Reasons Your Password Probably Isn't Good Enough In January 2024, researchers discovered a file called "RockYou2024" floating around dark web forums. It contained roughly 9.9 billion unique plaintext passwords — the largest credential dump in history at the time. By early 2025, threat
23andMe Lost 6.9 Million Records to a Credential Stuffing Attack In October 2023, genetic testing company 23andMe confirmed that threat actors had compromised roughly 14,000 accounts using stolen credentials from other breaches. Because of the platform's social sharing features, that initial foothold gave attackers access to
