With billions of leaks, is it time to move away from passwords?

With endless leaks and cyberattackers conducting ‘password spray’ attacks, the arguments to move to passkeys appear to be gaining more merit.

A recent report may give more momentum to the anti-password cohorts out there, as it suggests the number of leaks worldwide is massive.

The report from VPN service provider Surfshark claims that 9.5bn passwords have been leaked since 2004, along with 3.7bn unique email addresses that have been compromised. The company investigated data breach statistics globally between January 2004 and June 2023, through 29,000 publicly available databases.

In terms of continents, North America led the way with three leaked passwords per leaked unique email address on average, followed by Europe and Central Asia with 2.8. Ireland has had 17.7m passwords leaked since 2004, along with nearly 6m compromised email addresses.

“Keep in mind that the number of passwords far exceeds that of email addresses, as we rarely create a new email account for a service,” Surfshark said in a blogpost. “Email addresses leaked with passwords increase the risk of accounts being taken over by the threat actors.”

It can be difficult to translate these figures into an estimate for cyberattack victims, as people can have multiple email addresses and passwords. But the statistics suggest leaked passwords have been used to help take over emails.

Last year, the FIDO Alliance described password-only authentication as “one of the biggest security problems” on the web. This is because many users end up reusing the same password across multiple services, which can lead to data breaches and account takeovers.

During this time, Apple, Google and Microsoft shared plans to support a passwordless sign-in standard created by FIDO and the World Wide Web Consortium.

Hackers take aim at passwords

Meanwhile, cybercriminals have been devising new tactics in recent years to exploit the vulnerabilities associated with passwords.

One type of attack highlighted by Microsoft is the ‘password spray’ attack, which focuses on guessing the correct password for many accounts with a “limited set of commonly used passwords”.

“It makes the attack particularly effective against organisations with weak or easily guessable passwords, leading to severe data breaches and financial losses for organisations,” Microsoft said in a blogpost.

“Attackers use automated tools to repeatedly attempt to gain access to a specific account or system using a list of commonly used passwords. Attackers sometimes abuse legitimate cloud services by creating many virtual machines or containers to launch a password spray attack.”
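The pattern described above, a few common passwords tried across many accounts, leaves a recognisable trace in sign-in logs: one source failing against many distinct users with only a few attempts each. The sketch below is an added example, not code from Microsoft or from this article; the event format, IP addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed sign-in events: (ISO timestamp, source IP, user, outcome)."""
    base = datetime(2023, 9, 20, 9, 0)
    events = []
    # One source tries a single password against six accounts, then gets in once.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        events.append(((base + timedelta(minutes=i)).isoformat(), "203.0.113.7", user, "FAIL"))
    events.append(((base + timedelta(minutes=7)).isoformat(), "203.0.113.7", "dave", "SUCCESS"))
    # Another source hammers one account: brute force, not a spray.
    for i in range(8):
        events.append(((base + timedelta(seconds=20 * i)).isoformat(), "198.51.100.4", "alice", "FAIL"))
    # An ordinary user mistypes once and then signs in.
    events.append((base.isoformat(), "192.0.2.10", "bob", "FAIL"))
    events.append(((base + timedelta(minutes=1)).isoformat(), "192.0.2.10", "bob", "SUCCESS"))
    return events

def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Map each spraying source IP to the sorted list of accounts it targeted.

    A source is flagged when, inside one sliding window, its failures cover at
    least min_users distinct accounts with at most max_per_user tries on each.
    The thresholds are illustrative and need tuning per environment.
    """
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, rows in failures.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in rows[start:end + 1]:
                counts[user] += 1
            wide = len(counts) >= min_users and max(counts.values()) <= max_per_user
            if wide and len(counts) > len(findings.get(src, [])):
                findings[src] = sorted(counts)
    return findings

def accounts_to_review(events, findings):
    """Accounts with a successful sign-in from a flagged source (likely guessed)."""
    return {user for _, src, user, outcome in events
            if outcome == "SUCCESS" and src in findings}
```

Any account returned by accounts_to_review is a candidate for a forced password reset and session revocation, since the successful sign-in came from the same source that was spraying.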

The tech giant recently published a report on Peach Sandstorm, which is allegedly an Iranian nation-state threat actor that has targeted organisations in the satellite, defense and pharmaceutical sectors worldwide. Microsoft claims this attacker has attacked thousands of organisations with password spray attacks.

Earlier this month, there were also reports of a new type of attack that can detect individual numeric keystrokes to steal passwords without hacking. Research analysing this “Wiki-Eve” attack claimed it can achieve nearly 90pc accuracy for individual keystrokes and nearly 66pc “top-10 accuracy for stealing passwords of mobile applications”.

The push for passkeys

As attacks continue to mount on passwords, many organisations appear to be moving towards a future supported by passkeys. These enable people to sign in using an “authenticator” such as a fingerprint, face scan or lock PIN. Supporters of passkeys argue that they are more secure than passwords in various ways.

Earlier this year, password manager 1Password enabled passkey support on a public beta, which became available for users on five different web browsers.

“There’s no such thing as a “weak” passkey, and they can’t be stolen in a data breach,” 1Password said in a blog post. “These passwordless login credentials also speed up the process of signing in to your online accounts.”

In May, Google began rolling out support for passkeys across Google Accounts on “all major platforms”, in a move that the tech giant described as the “beginning of the end” of the password. A recent beta patch of Google Chrome has passkey support in iCloud Keychain, according to a report from Android Police.
