Researchers claim to have uncovered what they claim is the biggest cache of stolen credentials ever found.

Involving nearly a billion plaintext passwords found in a ‘rockyou2024.txt’ file by researchers from Cybernews, cybercriminals appear to have been aggregating passwords that would be used to drive brute force attacks at scale. The passwords appear to have been stolen over multiple years so it’s not clear how many might still provide access but there are enough of them for cybersecurity teams to at least consider requiring end users to change their passwords.

Mitch Ashley, principal analyst for Techstrong Research, notes this latest disclosure makes it clear the time has come to declare standalone passwords stone-cold dead. Passwords are only viable if they are system-generated, unique to one account, secured in a password manager and used in combination with multi-factor authentication (MFA), preferably with an authentication app, he notes.

However, more organizations are already moving beyond passwords to embrace passkeys that employ some type of biometric authentication, adds Ashley.

Cybercriminals have, of course, been creating repositories of stolen passwords for decades. How many of them is unknown but in recent years it’s become apparent that more breaches are being enabled by stolen credentials than malware. Many cybercriminals don’t see the need to craft malware to compromise IT environments when stolen credentials are readily available. That doesn’t mean they are no longer creating new strains of malware. After initially gaining access using stolen credentials, cybercriminals will often install malware that laterally propagates across a distributed computing environment.

Organizations that continue to rely on standalone passwords are now assuming a much higher level of risk than organizations that have embraced passkeys. Nothing is ever perfect, however, because cybercriminals can still, for example, abuse cookies to bypass passkey authentication mechanisms. However, passkeys at least reduce reliance on standalone passwords, that at this point don’t seem to provide any meaningful level of security.

The challenge is that passkeys require time and resources to implement. It’s not likely passwords will be replaced wholesale any time soon. Organizations transitioning to passkeys, or any other type of authentication alternative, may find they will still need to manage passwords for many years to come. As such, organizations should routinely rotate passwords to improve their overall cybersecurity posture.

Additionally, cybersecurity teams should assume that previously stolen credentials have been used to plant malware in their IT environments. The issue now is finding and removing that malware before it’s activated. Hopefully, advances in artificial intelligence (AI) will help level a playing field that today is decidedly lopsided.

In the meantime, however, cybersecurity teams need to make sure the senior leadership of the organizations understands the limitations of passwords. Moving away from passwords is as much a cultural challenge as it is technical. Passwords in various forms have been in use, ever since the first guard centuries ago asked someone for a countersign. The only difference between now and then is it’s a whole lot easier to steal those countersigns.