Explains the principles behind creating strong passwords that resist brute-force attacks, dictionary attacks, and credential stuffing. Articles cover password length, complexity, the use of password managers, multi-factor authentication, and organizational password policies.
posts
In 2023, a single reused password gave a threat actor access to 23andMe's credential-stuffing attack that exposed the data of nearly 7 million users. The attacker didn't exploit a zero-day vulnerability or deploy sophisticated malware. They just tried stolen passwords from other breaches — and millions of
The 23-Character Password That Still Got Cracked In 2024, a security researcher at Hive Systems demonstrated that a 12-character password using only lowercase letters could be brute-forced in about three weeks with modern GPU hardware. Bump that up to a complex 12-character mix of upper, lower, numbers, and symbols? Still
In September 2023, a credential stuffing attack against 23andMe exposed the personal data of nearly 7 million users. The root cause wasn't some exotic zero-day exploit. It was reused, weak passwords. Attackers took credentials leaked from other breaches, tried them on 23andMe accounts, and walked right in. That&
The Password That Cost One Company $4.4 Billion In 2017, Equifax suffered a breach that exposed 147 million records and eventually cost the company over $4 billion in total losses and settlements. One of the contributing factors? Weak internal credential management. The admin username and password for a critical
The 123456 Problem Is Worse Than You Think In December 2021, NordPass published its annual list of the most common passwords. Sitting at number one — for the third year running — was "123456." Number two? "123456789." These aren't passwords from 2005. They're passwords
In January 2022, a credential stuffing attack hit Norton LifeLock, compromising roughly 925,000 accounts. The common thread? Weak and reused passwords. I've spent years watching organizations hemorrhage data because employees — and everyday users — still think "Company2022!" is a strong password. It's not. This
In the 2020 Verizon Data Breach Investigations Report, over 80% of hacking-related breaches involved stolen or brute-forced credentials. Not sophisticated zero-day exploits. Not nation-state malware. Passwords. The single thing most people treat as an afterthought is the single thing that gets most organizations compromised. Knowing how to create a strong
In 2023, a single reused password gave threat actors access to 23andMe's credential-stuffing attack, exposing the genetic data of nearly 7 million users. The attackers didn't exploit some exotic zero-day vulnerability. They just tried stolen username-password pairs from other breaches — and millions of them worked. If
The 59-Second Crack That Cost a Hospital Chain Everything In 2023, CommonSpirit Health disclosed a ransomware attack that disrupted operations across more than 140 hospitals. Post-incident analysis pointed to compromised credentials as a key factor. The password in question wasn't "password123" — it was a seemingly reasonable
