Over the course of 2021, hackers managed to steal more than two billion passwords (opens in new tab), a new report from ForgeRock has claimed.
The company’s fourth annual breach report found that besides passwords, hackers have also been stealing people’s names, addresses, Social Security numbers, dates of birth, protected health information (PHI), and payment or banking details.
What’s more, the two billion is an increase of more than a third (35%), compared to just two years ago.
Most of the time, hackers sell the data on the black market, such as underground web forums and trading sites. While the passwords themselves often aren’t that expensive to purchase, they do open the gates for a number of potential attacks, from identity theft, to ransomware, and everything in between.
Two years ago, there had been more than 15 billion passwords on sale, on the dark web, the same report claims.
“Usernames and passwords are the internet’s weakest link. The world has moved far beyond the point where a simple password can provide sufficient protection, and attackers know it. Spurred by the FIDO2 WebAuthn standard, the move to passwordless authentication is gaining momentum: it improves both security and ease of use for online access, while greatly diminishing the usefulness of stolen credentials by cybercriminals,” said ForgeRock CEO, Fran Rosch.
ForgeRock believes the future is passwordless, with biometric solutions (facial recognition, fingerprint scanners, and similar) being at the forefront. Others lean more towards multi-factor authentication as the best way to protect online accounts, as time-based keys and tokens prevent those with just the password from accessing other people’s accounts.
That being said, ForgeRock expects the passwordless authentication market to grow from $12.79 billion last year, to more than $53 billion by 2030. Whether or not that actually happens, remains to be seen. The password has been pronounced dead countless times before, yet somehow, it still prevails despite its shortcomings.