24 billion usernames and passwords available on the dark web – an increase of 65% in just two years

June 15, 2022 | 4 Min Read

Consumers still using basic passwords which cybercriminals can ‘crack’ in under one second – nearly one in every 200 passwords is ‘123456’

London and San Francisco, June 15, 2022 – Digital Shadows, the leader in threat intelligence and digital risk protection, has today published new research quantifying the scale of password compromise globally. The study finds there are more than 24 billion username and password combinations in circulation in cybercriminal marketplaces, many on the dark web – the equivalent of nearly four for every person on the planet. This number represents a 65% increase from a previous report in 2020.

Worryingly, consumers continue to use easy-to-guess passwords. Digital Shadows found that the top 50 most common passwords are incredibly easy to guess and simply use the word ‘password’ or a combination of easily remembered numbers. Some 0.46% of all passwords – nearly one in every 200 – is 123456. Keyboard combinations such as ‘qwerty’ or ‘1q2w3e’ are commonly used. Of the 50 most commonly used passwords, 49 can be ‘cracked’ in under one second via easy-to-use tools commonly available on criminal forums, which are often free of charge or at minimal cost.

However, the good news for the public is that adding a ‘special character’ (such as @ # or _) to a basic 10-character password adds approximately 90 minutes to the amount of time an offline attack would take to crack the password. Adding two special characters results in an offline cracking time of approximately 2 days and 4 hours. This makes it much less likely that a person will fall victim to an attack, with criminals instead attacking accounts that are easier to breach.

Cybercriminal marketplaces and forums remain the most common place for threat actors to advertise and sell stolen credentials. Over the last two years this ecosystem for criminals has continued to expand, along with the range and sophistication of malware at their disposal. This has helped fuel the increase. Some combinations are advertised more than once on forums, but even after removing duplicates, Digital Shadows still found that 6.7 billion unique credentials exist – an increase of approximately 1.7 billion or 34% in two years.

Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, comments: “We will move to a ‘passwordless’ future but for now the issue of breached credentials is out of control. Criminals have an endless list of breached credentials they can try but adding to this problem is weak passwords which means many accounts can be guessed using automated tools in just seconds. In just the last 18 months we at Digital Shadows have alerted our clients to 6.7 million exposed credentials. This includes the usernames and passwords of their staff, customers, servers and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”

Digital Shadows recommends the following steps to keep credentials safe:

·   Use a password manager – a password manager is an app on a phone, tablet or computer that stores passwords, so they can be made more complex and the person doesn’t need to remember them.

·   Use multi-factor authentication (MFA) where account providers offer it – this can confirm identity and can replace passwords using PINs, facial recognition, fingerprints or inserting a USB key.

·   Use an authenticator app – these generate a new random six-digit code every 30 seconds that a user must enter on the website to which they are trying to authenticate.

The full report entitled ‘Account takeovers in 2022: The 24-billion password problem’ is available at: https://resources.digitalshadows.com/whitepapers-and-reports/account-takeover-in-2022/


Digital Shadows minimizes digital risk by identifying unwanted exposure and protecting against external threats. Organizations can suffer regulatory fines, loss of intellectual property, and reputational damage when digital risk is left unmanaged. Digital Shadows SearchLight™ helps you minimize these risks by detecting data loss, securing your online brand, and reducing your attack surface. To learn more, visit www.digitalshadows.com.
