Darknet: 24 billion username-password combinations available

Around 24 billion usernames and their associated passwords are offered for sale on cybercriminal marketplaces. This is the result of a recent study by Digital Shadows.


The fact that login data is stolen and then sold on the dark web is now common cybercrime practice. Digital Shadows, a provider of digital risk management and threat intelligence solutions, has now uncovered the alarming extent of trade in stolen username-password combinations on cybercriminal platforms in its study “Account Takeover in 2022”.

During their research, the experts counted around 24 billion username-password combinations. This corresponds to an increase of 65 percent compared to the last survey in 2020. According to the world population clock of the German Foundation for World Population, there are currently (as of August 25, 2021) around 7.89 billion people in the world. As a result, an average of almost four access combinations are currently for sale on the dark web for every person on earth.


Users continue to use simple passwords

The scariest part is that users continue to use easy-to-crack passwords. In the course of their research, the experts from Digital Shadows discovered, for example, that around 0.46 percent of all passwords, almost one in every 200, are the number combination “123456”. The word “password” and simple key combinations such as “qwerty”/“qwertz” are still frequently used.

According to the study, 49 of the 50 most common passwords can be cracked in less than a second using tools that are often provided free of charge on cybercriminal forums and are also easy to use.


Recommendations for action

Even simple measures can help. Adding a special character like “@”, “#” or “_” to a basic 10-character password increases the time it would take an offline attack to crack the password by about 90 minutes. If you add two special characters at once, the offline cracking time is already around 2 days and 4 hours. As a result, the probability that the hackers will look for an easier target increases enormously. Password managers are recommended to ensure that the new, stronger passwords are not forgotten.
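An added example (not from the Digital Shadows study or the original article): a sign-up password check that rejects the common passwords named above, including variants with digits or special characters tacked on, and shows how appending special characters enlarges the brute-force search space. The guess rate, function names and sample passwords are assumptions, so the resulting times do not reproduce the study's figures.

```python
import string

# Constructed deny-list holding only the passwords the article names; a real
# deployment would load a large breached-password list instead.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "qwertz"}

# Assumption: offline guess rate in guesses per second. The real value depends
# on the hash algorithm and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 1e10


def is_common_variant(password):
    """True if the password is a listed one, even with digits or special
    characters tacked on the ends (wordlist rules try these first)."""
    lowered = password.lower()
    candidates = {
        lowered,
        lowered.strip(string.punctuation),
        lowered.strip(string.punctuation + string.digits),
    }
    return bool(candidates & COMMON_PASSWORDS)


def search_space(password):
    """Number of candidates an exhaustive search over the used character
    classes and this length has to cover."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(cls) for cls in classes
                   if any(ch in cls for ch in password))
    return alphabet ** len(password)


def assess(password):
    """Reject common passwords outright, otherwise report the worst-case
    brute-force time in seconds under the assumed guess rate."""
    if is_common_variant(password):
        return {"accepted": False, "seconds": None}
    seconds = search_space(password) / ASSUMED_GUESSES_PER_SECOND
    return {"accepted": True, "seconds": seconds}


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("123456", "Qwertz!", "mapleriver", "mapleriver#", "maple_river#"):
        print(f"{pw!r:16} {assess(pw)}")
```

A special character only helps when the base password is not itself on a common-password list, which is why the deny-list check runs before the search-space estimate.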

In addition to more secure passwords, the use of two-factor or multi-factor authentication is also useful. This works best in combination with an authentication app such as Google Authenticator, Microsoft Authenticator or FreeOTP.

Source: Digital Shadows