It’s often the case that the simplest tools have the longest staying power, because they ultimately get the job done.
Take duct tape, for example: it’s a sturdy household classic that wasn’t invented to be elegant or high tech. It was made to work whether dealing with a leaky tent or an inconvenient puncture – a reliable way to just get the job done in a sticky situation.
Stolen credentials play a similar role in a threat actor’s playbook. It’s an old method that’s still effective.
When it comes to mass adoption, simplicity will always win out against sophistication. And in an age of deepfakes and AI-assisted hacking, stolen credentials are still the cybercriminals’ tool of choice.
Rethinking the role of passwords
For similar reasons, the password is still with us: innovations need to be simple to catch on. People need a far better experience to really embrace change. And for all the irritations of passwords, with whole stand-up routines created out of the need for numbers and symbols, they are an everyday tool that everyone understands.
2FA adds an extra layer of security, and despite the best efforts of vendors to make the process slick and simple, people will still be irritated by the need to reach for their phone. Passkeys are gaining some traction, but still aren’t widely used. So, for the immediate future, we can expect many services to continue to have a username and password login.
This isn’t just user pressure, of course. The simplicity of a username and password makes life simpler for developers too: there is no need to turn to a vendor for an advanced passwordless solution when passwords are easily implemented.
Passwords are also popular with criminals
Unfortunately, that leaves passwords as a very common way for hackers to gain access to places they shouldn’t be. Most hacks start from databases of stolen usernames and passwords, a.k.a. “combolists”, because they are cheap, effective, and readily available.
The exact number of passwords the average person can remember is hard to judge. Even though users are told repeatedly not to reuse passwords and about the benefits of password managers, the unfortunate truth is that many will take the path of least resistance. If they can’t use a simple, easily guessed password (and most services today won’t allow that) they’ll do the next best thing—they’ll use the same complex password repeatedly.
This unfortunate fact of human nature is what makes stolen passwords the duct tape in a threat actor’s arsenal. They are easy to use. While most hackers automate the checking of passwords, you or I could simply buy some today and start trying them on different services. And while you may need some dark web savvy to access many combolists, the Genesis Market existed on the “clear net” (i.e., the “regular” internet) until it was taken down in 2023. Many alternative markets exist on a combination of the open internet, the dark web, and Telegram channels.
Where two- or multi-factor authentication is absent, the metaphor stretches further: combolists, when they contain reused passwords, don’t often “jam” on additional security checks. Even where they do, hackers can try the same credentials on other services as part of an attempt to gain wider access to someone’s private information.
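The automated checking described above leaves a recognisable trace on the defender’s side: one source address trying many different usernames, each only once or twice, with the occasional success where a reused password matched. The following is an added example, not code from the original article; it runs a simple sliding-window detector over a constructed, hypothetical login-log format (the field names `result=`, `user=` and `src=` are assumptions for illustration) and reports which accounts a stuffing source managed to log into, since those are the ones whose password is known to be reused and should be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (hypothetical format, not from any real system).
# 203.0.113.7 tries seven different usernames in a few seconds: the combolist pattern.
# 198.51.100.9 retries a single account: a forgotten password or brute force, not stuffing.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z login result=fail user=alice src=203.0.113.7
2025-03-01T10:00:02Z login result=fail user=bob src=203.0.113.7
2025-03-01T10:00:02Z login result=fail user=carol src=203.0.113.7
2025-03-01T10:00:03Z login result=success user=dave src=203.0.113.7
2025-03-01T10:00:04Z login result=fail user=erin src=203.0.113.7
2025-03-01T10:00:05Z login result=fail user=frank src=203.0.113.7
2025-03-01T10:00:06Z login result=fail user=grace src=203.0.113.7
2025-03-01T10:00:10Z login result=fail user=alice src=198.51.100.9
2025-03-01T10:00:20Z login result=fail user=alice src=198.51.100.9
2025-03-01T10:00:30Z login result=success user=alice src=198.51.100.9
2025-03-01T10:05:00Z login result=fail user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source addresses that attempt at least min_distinct_users different
    usernames within any time window of the given length.

    Many distinct users from one source is the stuffing signature; many attempts
    against one user is a different problem (brute force) and is deliberately
    not flagged here. Returns {src: {"distinct_users", "attempts", "successes"}}.
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            win = events[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    # Accounts the source actually got into: their password is
                    # evidently reused and should be reset and reviewed.
                    "successes": sorted({e["user"] for e in win if e["result"] == "success"}),
                }
        if best:
            alerts[src] = best
    return alerts


def accounts_to_reset(log_text):
    """Every account successfully accessed by a flagged stuffing source."""
    names = set()
    for details in detect_credential_stuffing(log_text).values():
        names.update(details["successes"])
    return sorted(names)


if __name__ == "__main__":
    for src, d in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {d['distinct_users']} users in {d['attempts']} attempts, "
              f"logged into {d['successes'] or 'nothing'}")
    print("reset:", accounts_to_reset(SAMPLE_LOG))
```

The threshold of five distinct usernames in five minutes is an illustrative setting; in practice it is tuned against the service’s normal traffic (shared NAT egress addresses in particular produce many legitimate users behind one address). The distinction the detector draws, many users per source versus many attempts per user, is the one that separates combolist replay from password guessing against a single account.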
Why it still matters in 2025
In cybersecurity, it’s easy to be distracted by the latest threat: a new vulnerability, a sophisticated technique, a hacker collective with the most absurd name yet. But we need to keep a focus on the fundamentals.
No matter what the latest news says, the humble password will remain a vulnerability for some time to come. Even if a business implements the best MFA technology available, poor security elsewhere could make social engineering attacks possible.
We can only change human nature so much, and that’s why we should continue to hammer home the principle of good password hygiene. If people understand that their personal information and services are at risk, this can help to stimulate a better approach that will apply to the workplace too.
We need to overcome the friction that comes with MFA and make it non-optional for everyone, from the CEO down, with no excuses. A good security culture needs everyone on board.
Like trusty duct tape, the combolist is going to be around for a long time, an effective tool in the cybercriminal’s arsenal. Whatever new threats arise, cybersecurity experts need to keep this technique in mind.