I assume all of my passwords are either already in a breach and are available for sale on the dark web or that they will be in a breach at some point. Data breaches are so incredibly common and the scale of breaches is so huge that there are billions of passwords available on the dark web (over 10 billion to be exact).

I work in cybersecurity so I know about the scale of breaches and assuming my passwords have been in breaches is how I operate. Most people do not fully appreciate the scale of the problem or why your security team and your security training harp on not reusing passwords. Whenever I make an offhand comment about passwords being compromised, my wife and my kids roll their eyes and other people’s eyes gloss over. I know it does not really register.

But, the world of stolen passwords is real. And it’s fascinating how it works.

Data Breaches

Data breaches are a regular occurrence. New breaches are constantly in the news and penalties for breaches, increasingly under GDPR or from EU governments, are announced all the time. Oftentimes, these data breaches involve user credentials - usernames and passwords.

To appreciate the scale of the problem, the top 6 data breaches on the website haveibeenpwned each accessed over 500 million accounts. These are staggering numbers and the reason it is safe to assume your passwords have been in a data breach.

The Dark Web

To profit from a data breach, cybercriminals will often sell data from data breaches on the dark web. Sales of huge lists of usernames and passwords are pretty cheap, usually less than $20.

With these large databases of passwords, criminals will launch what is called credential stuffing attacks. Simply, this type of attack uses known usernames and passwords to attempt to log in to various applications and platforms. Since so many people reuse passwords, this is a highly effective method of hacking an account.

How do you protect yourself?

If you’re curious, you can check to see if your accounts and passwords have been in a data breach at haveibeenpwned. It’s quick and easy and probably eye-opening if you have never checked before.

The things you can do to protect your accounts in a world where your password has already been compromised or will be compromised is to never, ever reuse your passwords. Every time you set up a new account, you should use a new password. These passwords should be complex, long, and not dictionary words. Given how many accounts we all have, the easiest way to succeed at this is to use a password manager. Password managers generate complex passwords and store them for you, making it possible to have 100s of unique and complex passwords for all of your accounts.