A billion stolen passwords make passkeys look good, despite growing pains

In breaking news that should come as no surprise, your password isn’t good enough. And no, not even if you just mash a bunch of characters together, or mix the combined names of your pets with a symbolic sequence based on your favourite football team’s win percentage.
New data released in the 2025 Specops Breached Password Report, which contains analysis of over one billion malware-stolen passwords discovered in 2024, shows that 230 million stolen passwords “actually met the standard complexity requirements (over eight characters, one capital, one number, and special character).”
As a release announcing the report says, “this shows simply meeting password security standards isn’t enough.”
“The amount of passwords being stolen by malware should be a concern for organizations,” says Darren James, senior product manager at Specops Software.
“Even if your organization’s password policy is strong and meets compliance standards, this won’t protect passwords from being stolen by malware. In fact, we see many stolen passwords in this dataset exceeding the length and complexity requirements in common cybersecurity regulations.”
That said, whether it’s ignorance or stupidity, human decisions are still a factor: the top five stolen passwords of 2024 are, in order, 12345, admin, 12345678, password and Password.
Fraudsters use infostealer malware such as Redline, Vidar and Raccoon Stealer to nab passwords and gain access. Because this malware lifts credentials from the victim’s device rather than cracking stored hashes, protective hashing algorithms are sidestepped entirely, meaning even complex passwords are vulnerable.
While Specops offers a few helpful tips, like blocking weak passwords with a custom password-exclusionary dictionary, the larger implications are clear.
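As an added example, not code from the report or from Specops’ own tooling, the Python below checks a candidate against the complexity policy quoted above and against a small constructed exclusion dictionary, with light normalisation of common mangling (trailing digits and symbols, leet substitutions) so that a compliant-looking spelling of “password” is still caught; the dictionary contents and the normalisation rules are assumptions, and a real deployment would load a breached-password list instead.

```python
import re

# Constructed sample: the five most-stolen passwords named in the report.
TOP_STOLEN_2024 = ["12345", "admin", "12345678", "password", "Password"]

# Constructed exclusion dictionary of base words (assumption, not the report's data).
EXCLUSION_BASES = {"password", "admin", "12345", "12345678",
                   "welcome", "qwerty", "letmein"}

# Common leet substitutions, undone so "P@ssw0rd" collapses to "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw: str) -> bool:
    """The policy quoted in the report: over eight characters, one capital,
    one number and one special character."""
    return (len(pw) > 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would hold.
    Trailing digits/symbols are dropped first so the year in 'P@ssw0rd2024!'
    is not mistaken for leet; pure-digit strings are kept as they are."""
    base = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", base)
    if not stripped:          # e.g. "12345678": nothing but digits
        return base
    return stripped.translate(LEET)


def is_excluded(pw: str, bases=EXCLUSION_BASES) -> bool:
    """True if the normalised form sits in the exclusion dictionary."""
    return normalize(pw) in bases


def audit(candidates) -> int:
    """Count candidates that satisfy the complexity policy yet are still
    blocked by the dictionary: the report's 'compliant but stolen' class."""
    return sum(1 for p in candidates
               if meets_complexity(p) and is_excluded(p))
```

Running `audit(TOP_STOLEN_2024 + ["P@ssw0rd2024!", "Welcome2024!"])` returns 2: none of the top five passes complexity, while both mangled entries pass it and are still excluded.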
The best password? It’s probably a biometric passkey.
Paper compares device-bound, synced passkeys
A new research paper on arXiv offers a comparative evaluation of device-bound versus synced passkey credentials. It notes that, despite success in passkey adoption through the efforts of the FIDO Alliance, “so far, little research has been done on the security and usability of passkeys, and even less has considered the differences between the different types of passkeys.”
The authors, from the University of Oslo, aim to categorize different access levels of passkeys “to show how syncing credentials impacts their security and availability.” Their model differentiates device-bound passkeys in a single-user context (classed as low-risk), synced and shared passkeys in multi-user models (medium-risk) and exported passkeys with external scope (high-risk).
“Our findings support claims that synced passkeys are less secure than device-bound ones,” the paper says. “However, the range between secure and insecure passkeys varies widely depending on their implementation and usage. Thus, we emphasize the need for strong authentication for passkey provider accounts, cautious use of credential-sharing, and secure storage of backups.”
Vulnerabilities remain; authentication adapts
A recent story in Forbes provides a good illustration of the overarching message. The piece details a security advisory from Yubico regarding a two-factor authentication partial bypass vulnerability in the open-source pam-u2f pluggable authentication module software package.
While the vulnerability had no impact on any YubiKey hardware devices, it underlines the present truth in authentication: passkeys are a work in progress.
But they’re still way better than passwords.