16 billion passwords stolen. Q: Are you at risk? A: No more than yesterday

16 billion passwords stolen

In a typical "sky is falling" media beat-up, global media reported 16 billion passwords stolen. Oh, hell, the end of the world!

The reality was that those 16 billion passwords and logins were stolen over the years from over 30 different breaches, including Apple, Facebook, Google, Microsoft, and other old hacks.

The only difference is that the Dark Web’s DarkBERT (see "DarkBERT is the most malicious dark web AI. It’s coming after you"), or something similar, used the breaches as a Large Language Model to filter out usable passwords and logins and to learn, at a granular level (that means for each of the 16 billion breaches), what passwords you are likely to use.

So, the 16 billion passwords stolen is NOT the greatest data breach in history

There was no new massive breach, no new malware password stealer, nada, nein, zip, zilch. The headline reflects ever so poorly on the integrity of media looking for a sure-fire way to clickbait readers.

But here are a few takeaway messages where passwords are used.

Cybernews analysed 19 billion passwords from over 200 breaches.

  • Only 1.1 billion (6%) were unique. That is a shocking lack of imagination and a shocking amount of password reuse.
  • If you use swearwords, you are more likely to be hacked by a brute-force or dictionary attack. The US is the most potty-mouthed, followed by the UK and Australia. Damn, I was sure Aussies were the worst!
  • If you use defaults, you are 12.19% more likely.
  • If you use all lowercase letters, you decrease the time for dictionary attacks by half.
  • If you use given names, the percentage is 7.94%, but it is way higher if they are your own, your kids’, a friend’s, etc.

Cybernews has a free password checker that examines over 33 billion stolen passwords. Its advice is to get a paid Password Manager (like LastPass, which I recommend because I use it) and enable two-factor authentication (2FA) everywhere.

“This is not just a leak – it’s a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled. This is fresh, weaponisable intelligence at scale,” said a CyberNews researcher.

The worst passwords are

Our advice is to stop using any password that can be linked to you via AI trawling your profile on social media or the dark web. That means NO:

  • Kids, pets, or friends’ names.
  • Birthdays, wedding anniversaries or other numerical passwords.
  • Address-related names
  • Favourite food names. If you use food, make sure it is part of a unique passphrase like ILovePizzaFromTonys2468, as long as you have not recommended Pizza from Tony’s.
  • Football or sports teams or players you support
  • Bucket list items (too often shared on social media)
  • Holiday locations
  • Reuse of passwords, especially if they have been part of a breach (see password checker above)
  • Your job or profession
  • School, mum’s maiden name or any of the host of secret-question answers that you have given.
  • Easy keystrokes like QWERTY
  • In short, anything you have ever mentioned online

The best passwords are

Easily memorable 16 or more character phrases with a mix of upper and lower case, an ASCII symbol and numbers.

For example, PercyThePinkGalah$2025 is safe against brute force and dictionary attacks. If you like Percy, there is no reason you cannot build a password story about it like PercyPoopedOnMyCar&2378 or PercyPrangedIntoAWall^5678. Your password manager will memorise these.
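The "worst" and "best" rules above can be applied as a quick self-check before a passphrase goes into your password manager. The Python script below is an added example, not code from CyberShack or Cybernews; the keyboard-walk list, the character-substitution table and the sample profile terms are assumptions constructed for illustration.

```python
import re
import string

# Constructed list of "easy keystroke" runs; extend it for your own keyboard layout.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "123456")
# Assumed substitution table so that "P3rcy" still matches the pet name "Percy".
LEET = str.maketrans("01345@$7", "oieasast")


def normalise(text):
    """Lower-case, undo simple substitutions, keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))


def check_passphrase(candidate, personal_terms=()):
    """Return the list of rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < 16:
        problems.append("shorter than 16 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no ASCII symbol")
    if any(walk in candidate.lower() for walk in KEYBOARD_WALKS):
        problems.append("keyboard walk")
    squashed = normalise(candidate)
    for term in personal_terms:
        key = normalise(term)
        # Ignore very short terms: they would match inside unrelated words.
        if len(key) >= 3 and key in squashed:
            problems.append(f"personal term: {term}")
    return problems


if __name__ == "__main__":
    # Constructed profile: things this person has mentioned online.
    profile = ["Percy", "Tony's", "Galah"]
    for pw in ("PercyThePinkGalah$2025", "ILovePizzaFromTonys2468", "P3rcy_qwerty"):
        print(pw, "->", check_passphrase(pw, profile) or "ok")
```

A clean result only means the candidate meets the length and character-mix rule and avoids the terms you listed; reuse across sites still has to be checked with your password manager or a breach checker.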

CyberShack says passwords have become increasingly insecure

What used to take years to brute-force now takes seconds. One day, AI and computers will have enough power to crack 16 characters in seconds.

First, please read "Use the same password. Please hack me!"

Get a paid password manager. I don’t care which one, but make sure it runs on Windows, macOS, iOS and Android. Don’t be stingy – pay for it and look for family packs that allow you to share specific logins with family members (in case you die!).

I use LastPass, and Charlie Brown uses the free Bitwarden because we know they are dedicated to protecting you. Do not use Google, Apple, Microsoft, Facebook, or others where passwords are not their primary business. Do not trust so-called reviews citing the ‘best password managers’—these are invariably paid advertorials.

Use unique passphrases as passwords.

Do not click on links in SMS or RCS texts.

Brought to you by CyberShack.com.au
