One of cybersecurity’s biggest problems is that we tend to ask the wrong questions about malicious actors. We ask, “How can we defend our digital assets against threats?” That’s all well and good, but a better question might be, “How far will crooks go to get their hands on the world’s $454 trillion in wealth?” The answer should be obvious. They’ll do whatever it takes, moving any mountain necessary to grab the loot. Some of the most sophisticated technologies ever invented exist for the purpose of thievery.
What’s standing in the way? The password. And, as we’ve known for many years, passwords are deficient. They can be stolen or guessed and then used to gain unauthorized access and take over accounts. The seriousness of this problem was brought home this month by the shocking revelation that 19 billion stolen passwords were available on the dark web.
These passwords will likely enable unprecedented breaches, but the episode also offers a moment to think about the benefits of a passwordless world. This article explores that potential in light of this security disaster.
The News: 19 Billion Passwords Found on the Dark Web
Researchers from Cybernews reported in May 2025 that they had found 19,030,305,929 passwords on the dark web. These passwords are available to malicious actors, who can use them to break into networks, bank accounts, enterprise systems, and more. It is the largest stockpile of stolen credentials ever discovered.
How It Happened: The Triumph of InfoStealer Malware
The stolen passwords reached the dark web through hundreds of breaches over the previous year or so. Cybernews attributes the theft of most of them to InfoStealer malware, which typically lands on target systems through SMS phishing (“smishing”) and other social engineering attacks. Once running, an InfoStealer harvests saved browser logins and other credentials from the compromised machine and exfiltrates them, usually already in plain text. Where a breach yields only hashed passwords, attackers crack the hashes offline to recover the plain-text values.
Risks Resulting from this Cataclysmic Breach
Bearing in mind that your passwords and mine are likely among those 19 billion, consider the risks we now face. With stolen credentials in hand, attackers can log into legitimate accounts and take them over, e.g., sign into software-as-a-service (SaaS) applications and exfiltrate sensitive data. Because so many people reuse passwords, they can also mount credential stuffing attacks, replaying leaked username-password pairs against many other services, or spray the most common leaked passwords across long lists of usernames in the hope that a few will match.
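The two attack patterns above leave a recognizable footprint in authentication logs: one source hitting many different accounts in a short window (credential stuffing from a single host), or one account being tried from many sources (a distributed attack staying under per-IP rate limits). The following detection logic is an added example, not code from the original post or from Unixi; the log format (`timestamp ip username result`) and the sample lines are constructed for this illustration.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example. The log format "<iso-timestamp> <ip> <user> <result>" and
the sample lines are constructed assumptions, not data from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not real traffic).
SAMPLE_LOG = """\
2025-05-20T10:00:01 203.0.113.7 alice FAIL
2025-05-20T10:00:02 203.0.113.7 bob FAIL
2025-05-20T10:00:03 203.0.113.7 carol FAIL
2025-05-20T10:00:04 203.0.113.7 dave FAIL
2025-05-20T10:00:05 203.0.113.7 erin FAIL
2025-05-20T10:00:06 203.0.113.7 frank SUCCESS
2025-05-20T10:00:07 198.51.100.4 alice FAIL
2025-05-20T10:00:08 198.51.100.5 alice FAIL
2025-05-20T10:00:09 198.51.100.6 alice FAIL
2025-05-20T10:00:10 198.51.100.7 alice FAIL
2025-05-20T10:30:00 192.0.2.9 grace FAIL
2025-05-20T10:30:05 192.0.2.9 grace SUCCESS
"""


def parse(log_text):
    """Turn the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def _windowed_distinct(attempts, window, threshold):
    """Slide a time window over (timestamp, key) pairs sorted by time and
    return the set of keys the first time at least `threshold` distinct keys
    fall inside one window, else None."""
    attempts.sort()
    start = 0
    for end in range(len(attempts)):
        while attempts[end][0] - attempts[start][0] > window:
            start += 1
        keys = {k for _, k in attempts[start:end + 1]}
        if len(keys) >= threshold:
            return keys
    return None


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that tried >= min_users distinct usernames within `window`.

    Successful logins are counted too: a stuffing run that finally lands a
    valid pair is exactly the event worth seeing.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        users = _windowed_distinct(attempts, window, min_users)
        if users:
            flagged[ip] = users
    return flagged


def detect_distributed_targeting(events, window=timedelta(minutes=5), min_ips=4):
    """Flag accounts with failed logins from >= min_ips distinct IPs within `window`.

    The mirror image of detect_stuffing: one leaked account tried from many
    sources to stay under per-IP rate limits.
    """
    by_user = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, attempts in by_user.items():
        ips = _windowed_distinct(attempts, window, min_ips)
        if ips:
            flagged[user] = ips
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("stuffing sources:", detect_stuffing(ev))
    print("distributed targets:", detect_distributed_targeting(ev))
```

The thresholds are deliberately low so the constructed sample trips them; in production they should be tuned per application, and the user-side check should exclude shared NAT egress addresses (a campus or corporate proxy) before alerting.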
What This Episode Reveals about Passwords
The risks posed by such a massive number of stolen passwords should make us think, yet again, about what’s wrong with passwords as a security control:
- Once they are stolen, the systems they protect are wide open – If stealing credentials is all a hacker needs to breach a system, then credentials alone are nowhere near adequate as a cyber defense.
- Their effectiveness depends on behavior that runs contrary to human nature – It is possible to have relatively robust security through passwords, but only if there is no password sharing, no password reuse, and no weak passwords. The analysis by Cybernews reveals that these goals are not even close to being met. Out of the 19 billion passwords they found, just 6% were unique! The other 94% were duplicates, which makes the credential stuffing attacker’s job far easier. Four in ten were too short, with fewer than 10 characters, and 27% had no special characters or numbers. The problem here is that password security depends on people doing what has proven to be impossible, i.e., inventing and remembering hundreds of unique, long, complex passwords to use across their accounts. Administrators share some of the blame, too, if they don’t mandate strong passwords, screen new passwords against known leaks, and require multi-factor authentication (MFA) or biometrics. They’re human, too, and they don’t want to be accused of causing people a big hassle with too many difficult rules.
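Two things a defender can do with a corpus like this are to measure it (the uniqueness, length and character-class figures quoted above) and to screen new passwords against it without ever sending the password itself to the screening service. The block below is an added example, not Cybernews’ analysis code or anything from Unixi; the sixteen-entry dump is constructed for illustration, and the range index is a local stand-in for the SHA-1-prefix “k-anonymity” lookup pattern that breached-password services use.

```python
"""Measure a leaked-password corpus and screen passwords against it.

Added example. SAMPLE_DUMP is a constructed stand-in for a leak, not real
credentials; build_range_index() is a local dict that mirrors the shape of
a k-anonymity range lookup service, not the real service.
"""
import hashlib
import string
from collections import Counter

# Constructed sample dump (not real credentials).
SAMPLE_DUMP = [
    "123456", "password", "123456", "Summer2024!", "qwerty", "123456",
    "password", "letmein", "S3cure#Passphrase!Long", "qwerty", "admin",
    "123456", "Tr0ub4dor&3", "password1", "iloveyou", "123456",
]

SPECIALS = set(string.punctuation)


def dump_stats(passwords, short_len=10):
    """Aggregate figures of the kind quoted from the Cybernews analysis:
    how many entries are distinct, how many are short, how many carry
    neither a digit nor a special character."""
    counts = Counter(passwords)
    total = len(passwords)
    short = sum(1 for p in passwords if len(p) < short_len)
    plain = sum(
        1 for p in passwords
        if not any(c.isdigit() for c in p) and not any(c in SPECIALS for c in p)
    )
    return {
        "total": total,
        "distinct": len(counts),
        "distinct_pct": round(100 * len(counts) / total, 1),
        "short": short,
        "no_digit_or_special": plain,
        "most_common": counts.most_common(3),
    }


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Server side: bucket the corpus by the first 5 hex chars of SHA-1.
    A real range service returns the whole bucket for a prefix; here the
    bucket is a list of (suffix, times_seen) pairs in a local dict."""
    index = {}
    for pw, count in Counter(breached_passwords).items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index


def breach_count(password, range_index):
    """Client side of the k-anonymity protocol: only the 5-char prefix is
    sent; every suffix in that bucket comes back and matching is done
    locally, so neither the password nor its full hash leaves the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for cand_suffix, count in range_index.get(prefix, []):
        if cand_suffix == suffix:
            return count
    return 0


def password_acceptable(password, range_index, min_len=12):
    """Policy check: long enough and never seen in the breach corpus.
    Length alone is not enough; a long passphrase that already leaked
    is rejected too."""
    return len(password) >= min_len and breach_count(password, range_index) == 0


if __name__ == "__main__":
    print(dump_stats(SAMPLE_DUMP))
    idx = build_range_index(SAMPLE_DUMP)
    for pw in ("123456", "S3cure#Passphrase!Long", "correct horse battery staple"):
        print(pw, "seen:", breach_count(pw, idx), "ok:", password_acceptable(pw, idx))
```

The screening step is the one that changes outcomes: a sixteen-character passphrase that already appears in a dump is as dead as “123456”, and a prefix lookup lets a login or registration flow reject it without handing the candidate password to a third party.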
Remediating a Technology that No Longer Works
What can be done about the password problem? This “Uh-oh, we lost 19 billion passwords” moment should not pass without deep introspection. It’s time to get serious about a passwordless future once and for all.
This is what Unixi is all about. Our proprietary universal single sign-on (Universal SSO) technology enables users to log into multiple systems securely without the need for a password.
Contact us to learn more. Join the future.