By Davey Winder, Senior Contributor.

In a shocking revelation, billions of stolen passwords have made their way onto the internet. Recently, I reported that an astounding 19 billion stolen passwords had been discovered on the dark web and various criminal marketplaces. This report gained unexpected traction, highlighting the urgent need for vigilance in password security as new warnings emerge regarding compromised passwords and their role in cyberattacks.

It’s easy to feel confident about password security, but the stark reality is that many individuals are not as protected as they believe. A recent analysis revealed that approximately 2.9 billion unique yet compromised passwords are circulating on dark web forums and Telegram channels. This staggering statistic raises the question: how secure is your password? If you are not using a random process to create strong passwords, such as a password manager that generates a unique password for each service, you may be inadvertently putting yourself at risk.

The 2025 password table, released by Hive Systems, offers a troubling glimpse into the speed at which passwords can be cracked. While I often critique the effectiveness of measuring password security solely by the time it takes to crack a password, the data serves as a crucial illustration of the importance of password hygiene. The report, authored by Corey Neskey, the vice president of quantitative risk at Hive Systems, discusses a hacker using a black box methodology to crack an unknown hash. However, Neskey points out that for those using easily guessable passwords or those linked to previous breaches, the situation is far more dire, succinctly illustrated by a table that simply repeats the word “instantly” multiple times.

Adding to the conversation is Marcus White, a cybersecurity specialist at Specops with expertise in authentication and password management. In a report published on May 13, White details the passwords that hackers typically exploit to launch attacks on file transfer protocol (FTP) ports. While some may view this focus as relatively niche, it is imperative to understand that FTP is often targeted by cybercriminals, primarily due to its tendency to provide easy access to networks through brute-force attacks. Specops’ research team has been monitoring FTP port attacks over the past month to identify the most frequently used passwords by these malicious actors.

“Understanding the tactics employed by real-world attackers can significantly shape your organization’s password policies and enhance defenses against brute-force attacks,” White explains. It’s essential to note that brute-force attacks typically involve trying known username and password combinations until access is granted. So, where do many of these compromised credentials originate? You guessed it: infostealer logs.

As cybersecurity expert Vakaris Noreika from NordStellar indicates, the threat posed by infostealer malware is far more significant than many realize. Not only are countless passwords and other credentials (such as session cookies that can bypass two-factor authentication) being stolen, but these stolen credentials are also alarmingly easy for cybercriminals to obtain. “Dark web users can obtain stealer logs by subscribing to private channels,” Noreika highlights, referring to Telegram channels where individuals can purchase access to millions of compromised passwords for as little as $81.

So, what can be done to combat the issue of stolen passwords on such a massive scale? While it may sound impractical, the most effective solution is to stop relying on passwords altogether. Why risk your seemingly robust password when you can adopt a far more secure and virtually impregnable passkey system? If passkeys aren’t yet available for the services you use, it is crucial to avoid password reuse to safeguard your digital identity.