Billions of usernames and passwords up for sale to criminals

More than 24 billion usernames and password combinations are for sale in the cybercriminal marketplace, according to a firm that specializes in minimizing organizations' digital risks.

A study by Digital Shadows (https://resources.digitalshadows.com/whitepapers-and-reports/account-takeover-in-2022) estimates that this is the equivalent of nearly four sets of credentials for every person on the planet, and a 65% increase over the figure in its 2020 report.


Crooks advertise and sell stolen credentials on cybercriminal marketplaces and forums usually found on the dark web.

To make matters worse, people continue to use easy-to-guess passwords. The study found that the top 50 most common passwords are easily remembered (and easily guessed) strings such as the number sequence "123456," the word "password," or keyboard patterns such as "qwerty." In fact, 49 of the 50 most commonly used passwords can be cracked in under a second with easy-to-use tools available for free on criminal forums.

The good news is that adding a "special character" (such as @, # or _) to a 10-character password adds about 90 minutes to the time needed to crack it. Adding two boosts the time to around two days and four hours.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, predicts an eventual "passwordless" future, but for now he recommends the following steps to keep credentials safe:

  • Use a password manager - An app on your phone, tablet or computer that generates, stores and enters complex passwords that the user doesn't need to remember.
  • Use multi-factor authentication (MFA) where it's offered - This process can confirm identity using PINs, facial recognition, fingerprints or a USB key.
  • Use an authenticator app - These generate a new random six-digit code every 30 seconds that a user must enter on the website they are trying to access.
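The six-digit, 30-second code an authenticator app produces is a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, keyed with a secret the site shares with the app at enrollment. The block below is an added illustration, not code from the article or from Digital Shadows, showing both sides: the app-side generator and the server-side check a website performs when the user types the code. The secret used is the reference secret from the RFC's test vectors, encoded in the base32 form that apps accept from a QR code; everything else (function names, the one-step skew window) is this example's own choice.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890"),
# in the base32 form an authenticator app would read from an enrollment QR code.
DEMO_SECRET_BASE32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP_SECONDS = 30  # the "new code every 30 seconds" the article describes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)        # keep leading zeros


def totp(secret_base32: str, at: Optional[int] = None,
         step: int = TIME_STEP_SECONDS, digits: int = 6) -> str:
    """What the authenticator app displays: HOTP over the current time step."""
    secret = base64.b32decode(secret_base32.upper().replace(" ", ""))
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret_base32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = TIME_STEP_SECONDS) -> bool:
    """Server-side check of a user-submitted code.

    Accepts the code for the current step and `window` steps either side so that a
    phone whose clock drifts slightly still works; compares in constant time so that
    the check does not leak how many digits matched.
    """
    if at is None:
        at = int(time.time())
    for skew in range(-window, window + 1):
        expected = totp(secret_base32, at + skew * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_BASE32, now)
    print("code for this 30-second window:", code)
    print("server accepts it:", verify_totp(DEMO_SECRET_BASE32, code, now))
    print("server accepts a stale code:", verify_totp(DEMO_SECRET_BASE32, code, now + 120))
```

The skew window is what keeps the code usable for a few seconds after the display rolls over; a production verifier should also remember the last accepted step per user and refuse to accept the same code twice within that window, otherwise a code captured in transit remains valid for up to 90 seconds.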


Other experts also caution against reusing passwords. Reuse can lead to account takeover, identity theft, financial theft, social media spam, and more. Every website, account or application deserves its own unique credentials. Reusing or creating easy-to-guess passwords is like leaving the door of your home unlocked 24/7.
