With billions of leaks, is it time to move away from passwords?

15 Sep 2023

Image: © Andres Victorero/Wirestock Creators/Stock.adobe.com

With endless leaks and cyberattackers conducting ‘password spray’ attacks, the arguments for the move to passkeys appear to be gaining more merit.

A recent report may give more momentum to the anti-password cohorts out there, as it suggests the amount of leaks worldwide are massive.

The report from VPN service provider Surfshark claims that 9.5bn passwords have been leaked since 2004, along with 3.7bn unique email addresses that have been compromised. The company investigated data breach statistics globally between January 2004 and June 2023, through 29,000 publicly available databases.

In terms of continents, North America led the way with three leaked passwords per leaked unique email address on average, followed by Europe and Central Asia with 2.8. Ireland has had 17.7m passwords leaked since 2004, along with nearly 6m compromised email addresses.

“Keep in mind that the number of passwords far exceeds that of email addresses, as we rarely create a new email account for a service,” Surfshark said in a blogpost. “Email addresses leaked with passwords increase the risk of accounts being taken over by the threat actors.”

It can be difficult to translate these figures into an estimate for cyberattack victims, as people can have multiple email addresses and passwords. But the statistics suggest leaked passwords have been used to help take over emails.

Last year, the FIDO Alliance described password-only authentication as “one of the biggest security problems” on the web. This is because many users end up reusing the same password across multiple services, which can lead to data breaches and account takeovers.

During this time, Apple, Google and Microsoft shared plans to support a passwordless sign-in standard created by FIDO and the World Wide Web Consortium.

Hackers take aim at passwords

Meanwhile, cybercriminals have been devising new tactics in recent years to exploit the vulnerabilities associated with passwords.

One type of attack highlighted by Microsoft is the ‘password spray’ attack, which focuses on guessing the correct password for many accounts with a “limited set of commonly used passwords”.

“It makes the attack particularly effective against organisations with weak or easily guessable passwords, leading to severe data breaches and financial losses for organisations,” Microsoft said in a blogpost.

“Attackers use automated tools to repeatedly attempt to gain access to a specific account or system using a list of commonly used passwords. Attackers sometimes abuse legitimate cloud services by creating many virtual machines or containers to launch a password spray attack.”

The tech giant recently published a report on Peach Sandstorm, which is allegedly an Iranian nation-state threat actor that has targeted organisations in the satellite, defence and pharmaceutical sectors worldwide. Microsoft claims this threat actor has attacked thousands of organisations with password spray attacks.

Earlier this month, there were also reports of a new type of attack that can detect individual numeric keystrokes to steal passwords without hacking. Research analysing this ‘Wiki-Eve’ attack claimed it can achieve nearly 90pc accuracy for individual keystrokes and nearly 66pc “top 10 accuracy for stealing passwords of mobile applications”.

The push for passkeys

As attacks continue to mount on passwords, many organisations appear to be moving towards a future supported by passkeys. These enable people to sign in using an “authenticator” such as a fingerprint, face scan or lock PIN. Supporters of passkeys argue that they are more secure than passwords in various ways.

Earlier this year, password manager 1Password enabled passkey support in a public beta, which became available for users on five different web browsers.

“There’s no such thing as a ‘weak’ passkey, and they can’t be stolen in a data breach,” 1Password said in a blogpost. “These passwordless login credentials also speed up the process of signing in to your online accounts.”

In May, Google began rolling out support for passkeys across Google Accounts on “all major platforms”, in a move that the tech giant described as the “beginning of the end” of the password. A recent beta patch of Google Chrome has passkey support in iCloud Keychain, according to a report from Android Police.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic