In early 2021, a list of leaked passwords was found on a popular hacker forum. Dubbed RockYou2021, the list contained 8.4 billion passwords, a shockingly high number considering that it is almost double the total number of active internet users around the globe [1]. To put the significance of this into further context, the Chief Executive Officer of Colonial Pipeline testified this June that the massive cyberattack against the company was caused by the theft of a single password [2]. Since the company’s system did not have a multifactor authentication solution in place, the hackers were able to access the company’s critical assets using the password alone, paralyzing transportation across the United States’ eastern seaboard.
The publication of the compromised password list, combined with the Colonial Pipeline attack, brings to light the growing and troubling impact of cyberattacks on people and critical infrastructure. It also suggests that passwords alone are not sufficiently reliable to secure authentication. Hackers and malicious actors have become highly effective at stealing passwords, with phishing and social engineering attacks on the rise globally. These trends make it increasingly clear that passwords need to be strengthened by other methods.