It’s Time for Stolen Passwords to Become a Problem of the Past


The 2022 ForgeRock Consumer Identity Breach Report shows that identity-based breaches are up. Again.

More stolen credentials, more unauthorized access, more breaches, more, more, more

Would it surprise you to know that breaches due to unauthorized access rose last year? Probably not, but I'll spare you the suspense: they did, and they now account for half of all breaches. But numbers and percentages on their own can only tell us so much. As we dug into the data, a story began to emerge that we can all learn from. And the story is exactly why we spend months each year compiling research from around the world to create these reports.

By the start of 2021, consumers had become accustomed to conducting much of their personal business online, from shopping and banking to paying taxes, taking classes, holding family gatherings, and conducting telehealth visits with their doctors. According to the U.S. Census Bureau, retail e-commerce alone grew 18.3% in 2021¹, even after the massive, pandemic-fueled growth of 31.8% in 2020². Each of these activities involves an online account that may contain a vast amount of sensitive information that is at risk of exposure or theft in the event of a breach.

Today, the average consumer has 100 online accounts, and, in a perfect world, each account would have unique and complex usernames and passwords. But that is not reality. Many people use simple (easy to guess) passwords and many more reuse passwords on multiple sites. To make matters worse, most people rarely change their passwords. All these practices present a huge challenge to IT and security professionals trying to prevent unauthorized access.

Stolen username and password combinations are regularly bought and sold on the black market. Attackers can use these stolen credentials to attempt new attacks. How many are we talking about? In 2021, more than 2 billion records containing usernames and passwords were stolen. These stolen credentials may very well be the source of new breaches that we'll have the unfortunate task of reporting on next year.

What else did the report reveal?

2022 ForgeRock Consumer Identity Breach Report
  • The average cost of a breach in the U.S. was $9.5 million.
  • Unauthorized access was the top vector in 2021, accounting for 50% of all breaches.
  • In the U.S. retail sector, the average cost of a single breach rose by nearly two-thirds to $3.27 million.
  • There was a 297% increase in breaches due to third-party or supply-chain attacks.


If we had no passwords, there'd be no passwords to steal

The report contains several "best practices" sections for mitigating the types of risks the report exposed. But one practice stands out in light of the relentless rise in crimes involving login credentials: making passwordless authentication part of your MFA strategy.

Passwordless authentication improves both the security and the ease of use of online access, while greatly diminishing the usefulness of credentials stolen by cybercriminals. Phishing and other social engineering attacks rely on users entering their login credentials, but in a passwordless world, such attacks are fruitless. The same goes for keylogging, which records a user's keystrokes to capture account numbers and login information. And, because no credentials are sent over the internet, they can't be intercepted or subjected to man-in-the-middle (MITM) attacks.

The industry's biggest players — Apple, Microsoft, and Google — have announced plans to enable passwordless authentication across multiple devices, browsers, and platforms. We believe the time for passwordless is now, so we can eliminate the threat of stolen credentials. We look forward to seeing the number and severity of breaches retreat, and going passwordless is a great way to start that trend.

Download the 2022 Consumer Identity Breach Report for all the data and for information on ways you can protect your customers and your organization from breaches.