Archive for Nordpass

Average password count decreased from 168 to 120: NordPass

Posted in Commentary with tags on May 7, 2026 by itnerd

For the first time since NordPass began observing password usage trends in 2020, the average number of passwords managed by an individual has finally decreased. A new study from the password manager provider reveals that in 2026, the average person handles approximately 120 personal and 67 work-related passwords.

This marks a significant reversal of a multi-year trend that saw password burdens skyrocket. The peak was recorded in 2024, when the average user was juggling 168 personal and 87 business-related passwords.

First decrease

NordPass has chronicled the expanding digital footprint of the average user. Its initial research in February 2020, just before the COVID-19 pandemic, found that users managed around 80 passwords. That number quickly jumped by 25% to 100 within the first eight months of the pandemic, beginning a steady climb that has only now started to recede.

The new data offers hope that passwords are finally being replaced by passkeys and other login methods. But NordPass stresses that these figures should be interpreted cautiously, because the overall number of accounts and associated login credentials continues to grow.

SSO is also not always the safest option, especially if a person reuses a password, which around 60% of Americans and Brits do.

Trouble with too many accounts

It’s a well-known security risk that when people manage too many passwords, they often reuse them or create simple variations, such as changing a single letter or number. This practice creates significant vulnerabilities — if one of these accounts is breached, all other accounts sharing the same or a similar password become compromised.

Forgotten or abandoned accounts also pose a security risk because users may overlook data breach notifications and remain unaware that their information has been exposed. In these cases, tools like the Data Breach Scanner can help. They actively scan the internet and dark web for your credentials and alert you if your information appears in a breach, helping to protect even your forgotten accounts.

Methodology: The quantitative research by NordPass was conducted on April 4-15, 2026, and included 1,509 NordPass users.

Guest Post: The curious and occasionally bizarre quest to replace passwords

Posted in Commentary with tags on April 2, 2026 by itnerd

By Karolis Arbaciauskas, head of product at NordPass

Yet another new authentication method has emerged. A team led by researchers at Rutgers University (USA) has developed a system called “VitalID” based on a newly proposed biometric — tiny vibrations from breathing and heartbeats that resonate through the skull in patterns unique to each person’s bone structure and facial tissues.

This is far from the first attempt to eliminate passwords and the need to remember them. From swallowable microchip pills and electronic tattoos to logging in via the echo of your skull, the tech industry has spent more than a decade searching for the password’s successor.

“Nobody likes passwords. We all have too many of them — about 170 on average, by our count. And we can’t remember them all, so people reuse passwords, and those reused credentials often become a common attack vector. It’s no surprise that there have been and still are many attempts to free us from passwords and remembering them. At NordPass, we’re also developing passwordless authentication. But for now, there is no universally practical way to live without passwords — especially since not all websites and platforms support passkeys yet,” says Karolis Arbaciauskas, head of product at the password manager company NordPass.

Bizarre passwordless experiments

Let’s take a look at the strangest and most interesting authentication methods proposed.

The password pill. In 2013, around the time Apple’s Touch ID launched, Motorola unveiled a striking prototype — a swallowable authentication pill containing a tiny chip powered by stomach acid. The device produced an 18‑bit, ECG‑like signal that effectively turned the user’s body into an authentication token. It never advanced beyond demos, largely because it felt more like surveillance than authentication, and because Touch ID offered a simpler, far less invasive alternative.

Electronic tattoo. At the same 2013 conference, Motorola also showcased a temporary password tattoo — ultra‑thin, flexible circuits that adhered to the skin for on‑body authentication. The demos were unforgettable, but the concept stalled due to practicality, privacy, and adoption hurdles — users had to replace the tattoo weekly, or it stopped working, making it more cumbersome and costly than passwords. Notably, while that authentication concept faded, similar flexible electronics now power consumer products such as adhesive baby thermometers.

Bone-conducted skull signatures. Researchers have repeatedly explored using the way sound travels through the skull as a unique biometric, from early “SkullConduct” work to recent systems like Rutgers’ VitalID. The core idea is simple — your skull’s acoustic response can be as distinctive as a fingerprint. It’s a clever concept, but so far it has remained largely at the prototype stage because it’s impractical to rely on a head‑mounted device every time you log in. However, VitalID may be on the right track by focusing on virtual and augmented reality environments, where users already wear a device on their heads.

Heartbeat recognition (ECG). Devices like the Nymi Band use a person’s unique heart rhythm as a biometric signature. Because no two ECG patterns are identical, the wearer can authenticate simply by being near authorized devices. This is one of the few experimental methods that actually reached the market — but it remains niche, designed for B2B and research scenarios where staff must authenticate to equipment beyond standard computers (it requires both an ECG bracelet and a compatible reader plugged into a machine). For the mass market, it is still too costly and impractical.

Vein pattern mapping. This method uses infrared light to map the unique vein patterns beneath the skin, typically in the palm or fingers. It is already deployed in high‑security environments such as laboratories and data centers, as well as for patient identification and secure access to electronic medical records (e.g., Imprivata PatientSecure). Like ECG bracelets, however, it remains impractical for mass‑market use because it requires specialized sensors or additional hardware on smartphones and computers.

Lip-reading software. Researchers have developed systems that identify users based on the unique way they mouth specific words or phrases. While the technology is now relatively mature, it is used more often to support solutions for people with hearing impairments and for forensic analysis (e.g., extracting speech cues from silent CCTV footage). It could be applied to authentication, but it remains impractical — most users won’t want to mouth passphrases at a computer or phone every time they log in.

Ear shape, heartbeat, gait, and odor. Over the years, various academic teams have tested everything from ear morphology and gait to body odor and body proportions as identity signals. While these traits can be distinctive, they struggle with reliability, sensor availability, and user acceptance, which is why you don’t scan your ear or authenticate by aroma at the office door.

Mainstream biometrics

So far, the search for a password successor has produced few mainstream winners. Only a handful of biometrics — primarily face and fingerprint — have become everyday tools. Passkeys, a phishing‑resistant login method built on on‑device biometrics and supported by technology heavyweights, are progressing in the same direction, but their adoption is slower than expected.

“Fingerprint login became mainstream in 2013 and face scan in 2017, driven primarily by Apple’s introduction of Touch ID and Face ID. These technologies succeeded because they are simple to use, fast, built into phones and laptops, and work offline on the device. Voice recognition as a biometric authentication was demoed some time ago and even existed for some time but never became common. Now that AI can clone a voice from a few seconds of audio, it’s not reliable. Keystroke dynamics also exist. AI can infer identity from typing patterns, but this technology also remains niche. AI can recognize handwriting as well, though that’s more relevant to forensic analysis than authentication,” says Arbaciauskas.

Most likely successor

According to him, passkeys have the potential to become the dominant form of authentication because they build on technology that is already present in nearly all modern devices and they solve the password problem.

“Passkeys replace passwords with public‑key cryptography. A private key stays on your device, while a website holds the public key. When you sign in, your phone or laptop proves possession of the private key — often unlocked by your fingerprint or face — without revealing anything that can be phished or reused. As a result, passkeys are resistant to phishing, credential stuffing, and brute‑force guessing. Major platforms now support them, and modern password managers include passkey functionality to help organizations and users adopt them,” says Arbaciauskas.

He adds that even with broad platform support, it will take years for websites, apps, and enterprises to standardize on passkeys. During this transition, we live in a mixed world — some accounts support passkeys, while many still rely on passwords, so we’re using both for now.

“Use passkeys wherever they’re available. Everywhere else, use long, unique, randomly generated passwords stored in a password manager. These are harder to phish or disclose in the heat of the moment because you don’t memorize them. And always enable multi‑factor authentication,” says Arbaciauskas.

Guest Post: From “admin” to “admin1” — why hackers love minor tweaks in your login credentials

Posted in Commentary with tags on February 10, 2026 by itnerd

A new analysis reveals that a common habit of making small tweaks to existing passwords — such as adding a number or changing a symbol instead of creating a unique one — is a massive security risk that hackers easily exploit. Despite company policies and security training, this widespread practice of using near-identical passwords remains one of the biggest, most underestimated threats, cybersecurity experts warn.

This risky behaviour is indeed widespread. NordPass’ password reuse survey reveals that 62% of Americans, 60% of Brits, and 50% of Germans reuse passwords across multiple online accounts. On average, people reuse passwords for about five accounts, with one-fifth admitting to reusing them for 10 or more accounts. 

“This risky habit, affecting nearly three in five users, creates a domino effect of vulnerability, where a single compromised password can unlock an entire digital life,” says Karolis Arbaciauskas, head of product at NordPass.

Adding a letter, a number, or a symbol

According to the survey data, 68% of Americans who reuse passwords make at least some changes before reusing them. The same is true for 62% of Brits and 61% of Germans. The most common change is adding or changing a number, symbol, or letter.

“Such a lax approach to security can result in stolen data or an emptied bank account, and a lot of anxiety,” says Arbaciauskas. “However, I must agree that, in terms of sheer damage that a threat actor could do, this practice is an especially dangerous phenomenon in the corporate environment, because it technically does not violate most password policies, and it often stays unnoticed by administrators. This way, it can become an entry point for threat actors, who would gladly extort or blackmail the company.”

Most common variations 

In the “Top 200 most common passwords 2025” list, researchers found 119 nearly identical passwords, which were divided into seven approximate groups:

  • Sequential number variations. Examples: 12345, 123456, 1234567, 987654321.
  • “Admin” variations. Examples: admin, Admin, adminadmin, admin123.
  • “Password” variations. Examples: password, Password1, p@ssw0rd, Passw0rd.
  • Keyboard pattern variations. Examples: qwerty, qwerty123, abcd1234, Abcd@1234.
  • Repetitive pattern variations. Examples: 11111111, 111111111, aa112233, aabb1122.
  • Common word variations. Examples: welcome, Welcome1, test123, Test@123.
  • Prefix/suffix variations. Examples: a123456, Aa123456, Aa@123456, 12345678a.

The most numerous groups are sequential number variations, keyboard pattern variations, and repetitive pattern variations.

“This is just a rough breakdown, based on variations of the same passwords. However, in principle, all 200 passwords can be placed into certain predictable categories. For example, when compiling the list itself, we noticed that popular names and surnames, place names, swear words, brand names and equivalents of the word ‘password’ in various languages are often used as passwords, often with added numbers or special characters. Those passwords feel unique, but they are all predictable patterns. Threat actors know this, and the automated hacking tools they use most certainly can apply common transformations, such as adding or changing characters and incrementing numbers,” says Arbaciauskas.

Why do people reuse passwords?

A third of internet users who reuse passwords say they do it because they have too many accounts to manage different passwords for each one. About 25% say that they find it inconvenient to create and manage unique passwords. 

“People reuse passwords because it’s easier that way. Between work tools, financial apps, subscriptions, social networks, online shopping, and gaming, the number of accounts adds up quickly. The average person has around 170 passwords. Remembering unique passwords for all of them isn’t realistic. But it is worrying that, despite repeated warnings, about 10% of respondents still don’t think there’s a significant risk in reusing passwords. This mindset is a disaster waiting to happen. Threat actors could gain access to all your accounts, your identity could be stolen, and your credit card — maxed out, or a loan could be taken out in your name. In a corporate setting, this behaviour could cost millions, if you let ransomware in,” says Arbaciauskas.

Password safety tips

According to Arbaciauskas, a few general rules can greatly improve digital hygiene and help avoid falling victim to cyberattacks due to ineffective password management:

  • Security training. Many companies are already doing this. Although this doesn’t always work — sometimes even cybersecurity professionals get fooled — training bears fruit. Companies that run regular security workshops experience fewer cases of reused credentials, and employees often use this knowledge in personal life.
  • Password policies and technologies. Companies should have robust password policies. Ideally, the company’s system would automatically compare newly created passwords with those already leaked on the dark web and prevent the creation of one that is the same or very similar to the one already leaked. It’s best to use password generators for both personal and work accounts.
  • Multi‑factor authentication (MFA). So far, this is the most reliable and convenient way to provide additional protection for business and personal accounts. MFA, which requires you to provide a one-time code when logging in, can stop account takeover even when the threat actors have your password.
  • Password manager. It can help you generate, store, manage, and safely share passwords. A password manager removes the need to rely on memory altogether. Instead of trying to come up with something clever or easy to remember, it creates long, random passwords that don’t follow patterns. And you don’t need to remember them — just autofill or copy-paste.
  • Consider passkeys. A passkey pairs public‑key cryptography with device biometrics, so there’s nothing to type, nothing to forget, and nothing to reuse. Although adoption is somewhat slower than expected, many major platforms already support them. Where passkeys are unavailable, turn on MFA.
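As an added illustration of the seven variation groups listed above and of the policy check described in the “Password policies and technologies” tip (example code written for this page, not NordPass’s own tooling), the following stems a candidate password by undoing the tweaks the post describes and compares the result against a constructed, clearly labelled sample of “leaked” passwords; the group classifier is approximate, like the post’s own breakdown.

```python
import re
from typing import Optional, Set

# Constructed sample of "already leaked" passwords (not a real breach list),
# drawn from the seven variation groups in the post.
LEAKED = {"admin", "password", "qwerty", "welcome", "test", "123456", "111111", "abcd1234"}
COMMON_WORDS = {"welcome", "test"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz")

LEET_DIGITS = str.maketrans("013457", "oieast")   # passw0rd -> password, adm1n -> admin
LEET_SYMBOLS = str.maketrans("@$!", "asi")        # p@ss -> pass


def stem(pw: str) -> str:
    """Reduce a password to its alphabetic core by undoing the cheap tweaks the
    post describes: case changes, leet-speak, added symbols, and digits tacked on
    at either end. Purely numeric passwords stem to '' and are handled separately."""
    s = pw.lower()
    # A leet symbol wedged between two letters stands for a letter (p@ss);
    # anywhere else (Admin@123) it is only a separator and is dropped below.
    s = re.sub(r"(?<=[a-z])[@$!](?=[a-z])", lambda m: m.group(0).translate(LEET_SYMBOLS), s)
    s = re.sub(r"[^a-z0-9]", "", s)
    s = re.sub(r"^\d+|\d+$", "", s)            # Welcome1 -> welcome, 1hateyou -> hateyou
    s = re.sub(r"(?<=[a-z])[013457](?=[a-z])", lambda m: m.group(0).translate(LEET_DIGITS), s)
    return s


def is_sequential(digits: str) -> bool:
    """Ascending or descending run such as 123456, 987654321 or 1234567890 (wraps 9->0)."""
    if len(digits) < 4:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {9})


def variation_group(pw: str) -> str:
    """Assign a password to one of the post's seven variation groups, or 'unclassified'."""
    core = stem(pw)
    digits = re.sub(r"\D", "", pw)
    if not core:                                        # numeric-only passwords
        if is_sequential(digits):
            return "sequential number"
        if len(set(digits)) == 1:
            return "repetitive pattern"
        return "unclassified"
    if re.fullmatch(r"(admin)+", core):
        return "admin"
    if core == "password":
        return "password"
    if len(core) <= 2 and digits:                       # a123456, Aa@123456, aa112233
        return "repetitive pattern" if re.fullmatch(r"((\d)\2+)+", digits) else "prefix/suffix"
    if re.fullmatch(r"((.)\2+)+", core):                # aabb1122, ZZZzzz111
        return "repetitive pattern"
    if any(core in row for row in KEYBOARD_ROWS):       # qwerty123, Abcd@1234
        return "keyboard pattern"
    if core in COMMON_WORDS:
        return "common word"
    return "unclassified"


def too_similar(candidate: str, leaked: Set[str]) -> Optional[str]:
    """The policy check from the post: return the leaked password that `candidate`
    is a trivial variation of (same stem, or same numeric pattern), else None."""
    core = stem(candidate)
    if core:
        for old in sorted(leaked):
            if stem(old) == core:
                return old
        return None
    group = variation_group(candidate)
    for old in sorted(leaked):
        if not stem(old) and variation_group(old) == group != "unclassified":
            return old
    return None


if __name__ == "__main__":
    for pw in ["Admin@123", "P@ssw0rd", "qwerty123", "987654321", "aabb1122", "Welcome1", "Aa@123456"]:
        print(f"{pw:12} -> {variation_group(pw):18} similar to leaked: {too_similar(pw, LEAKED)}")
```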

Guest Post: AI’s dual edge, supply chain peril, and passkeys vs. passwords

Posted in Commentary with tags on January 20, 2026 by itnerd

What will the cybersecurity landscape look like in 2026 and beyond?

As we enter 2026, the cybersecurity battleground continues to shift, presenting internet users and organizations with a mix of threats and challenges. Karolis Arbaciauskas, head of product at the cybersecurity company NordPass, offers his expert outlook for the year ahead.

“Artificial intelligence will sharpen the tools of both attackers and defenders, while the integrity of global supply chains will face increasing scrutiny,” says Arbaciauskas.

According to Arbaciauskas, the cybersecurity landscape is generally poised for a period of evolution, characterized by both technological advancements (including AI) and persistent, fundamental vulnerabilities.

Here are Arbaciauskas’ key cybersecurity predictions for 2026:

AI integration — Smarter and more widespread

The integration of artificial intelligence (AI) capabilities by both threat actors (red teams) and defensive security practitioners (blue teams) will continue. On the offensive side, AI will be predominantly leveraged to enhance reconnaissance operations, enabling higher-fidelity data collection and intelligence gathering. The cybersecurity community is also starting to worry that threat actors might soon figure out a way to use AI for automated vulnerability discovery and start scanning networks and applications for flaws and misconfigurations.

Supply chain attacks will increase

In the enterprise field, supply chain attacks might become an even bigger problem than they are now. The trend is emerging — mature organizations increasingly strengthen their cybersecurity, so for bad actors it is becoming easier to penetrate companies through vendors.

I would advocate prioritizing investment in resilience against this attack vector. More attention should be paid to the technical part of vendor assessment and the final agreement. Prior to onboarding any third-party service provider, organizations should implement comprehensive vendor risk assessment protocols. This evaluation should include verification of SOC 2 Type II reports, ISO 27001 certification, penetration testing outcomes, and documented security practices.

Negligence – One of the biggest challenges ahead

The most significant challenges that private users and organizations will face this year will stem from common security deficiencies rather than novel attack methodologies. The threat landscape will remain substantially shaped by threats caused by our own negligence, such as infrastructure and application misconfigurations, insufficient digital hygiene, weak credential management, password reuse, and lack of MFA.

For businesses, an underaddressed risk may come from malicious actors inside the company. Rogue employees or privileged administrators possess authorized access enabling them to bypass security controls. And they often maintain that access even after leaving the company. It is worrying that, according to a survey commissioned by PasswordManager.com last year, about 40% of workers used passwords from a former employer after leaving the company.

Moreover, the threat extends beyond disgruntled or laid-off employees with a vendetta. Last year, media outlets reported on multiple instances of foreign state-linked operatives digitally infiltrating Western companies. Consequently, organizations should dedicate more attention and resources to mitigating these sophisticated threats.

The great corporate migration to browsers

As more and more companies indicate that the browser is the main workspace where their employees spend most of their time, we will see more security-focused extensions and browsers, including new enterprise browsers and tools.

Passwords will remain the first line of defense

Together with industry researchers we have been studying password-related behavior and data leaked to the dark web for 7 years now, and unfortunately, we see no significant improvement in digital hygiene globally. At least for now, it looks like passwords will remain the first line of defense against digital intruders and one of the weakest links in the security chain at the same time. Credentials will remain the predominant initial access vector enabling cyber incidents.

Passkey adoption will increase but will not overtake passwords

As advocates of passkey authentication, we initially projected more rapid and widespread adoption, given the technology’s inherent phishing-resistant properties and superior security architecture. While actual adoption rates have proven slower than anticipated, the trajectory remains consistently positive. Major platform providers like Apple, Google, and Microsoft have integrated native passkey support across their ecosystems.

Consumer-facing services such as PayPal, eBay, and Amazon are progressively implementing passkey authentication options as well. We also see more enterprise organizations that are beginning to deploy passkeys within their workforce.

However, several barriers continue to impede accelerated adoption. Consumer awareness and comprehension of passkey technology remains limited, account recovery workflows present usability challenges, and cross-platform interoperability issues persist. These factors constitute the primary obstacles to mainstream adoption. Based on current trajectory analysis, passkeys remain multiple years from achieving predominant status as a consumer authentication method.

Regulation will determine increased spending

Regulations and compliance requirements in the European Union (for example, the EU Cyber Resilience Act and NIS2) signal a broader shift toward standardized mandated cybersecurity. This will probably create some additional challenges for CISOs and stimulate an increase in general cybersecurity spending but is expected to have positive implications for overall ecosystem resilience.

NordPass launches Authenticator for personal accounts

Posted in Commentary with tags on January 8, 2026 by itnerd

NordPass simplifies secure logins by including its Authenticator in the personal-use application, synchronized across devices. The time-based one-time password (TOTP) support enables users to add an extra layer of security to their accounts with two-factor authentication, without the need to download or install additional applications. Authentication codes are synchronized within the account, letting users access them in both the mobile app and the browser extension.

NordPass Authenticator stands out in the market with an added biometric layer that protects verification codes. Unlike most authentication apps, which display codes as soon as a user logs in, NordPass Authenticator requires biometric verification before revealing the security code. This true second-factor approach enhances security without compromising the user experience. Business users have already been able to access NordPass Authenticator to secure their corporate accounts. Now NordPass Authenticator is available for Premium and Family plan users.

Moreover, users will benefit from autofilling TOTP codes on any device. This brings more convenience when logging in to banking, social media, and other high-security services, when browsing in incognito mode, or when switching between devices.

Additionally, sharing access to accounts protected by two-factor authentication is inconvenient and often insecure – people tend to send codes through chats or SMS, which puts their accounts at risk. Moreover, relying on SMS prompts increases vulnerability to manipulation by smishing. This lack of a simple, secure way to manage and share logins protected by second-factor authentication makes everyday digital tasks complicated.

With TOTP support, NordPass functions as an authentication tool, generating two-factor codes for any credential the user has configured. For each account with two-factor authentication enabled, the user must first add its TOTP setup key to the corresponding item in the vault. Once the secret key is added, NordPass generates the time-based codes that can be entered when the service prompts for them during login.
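To make concrete what “add the TOTP setup key and the app generates the codes” means, here is an added RFC 6238 implementation (example code written for this page, not NordPass’s). It assumes the base32 setup key that a service shows at enrolment and uses the RFC’s published test secret for the demonstration value.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 Appendix B test secret ("12345678901234567890") in the base32 form
# that enrolment pages and QR codes present as the "setup key".
DEMO_SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_setup_key(setup_key: str) -> bytes:
    """Accept the key as displayed (spaces, lower-case, missing '=' padding)."""
    raw = setup_key.replace(" ", "").upper()
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


def totp(setup_key: str, for_time: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the counter is the number of 30-second steps
    since the Unix epoch, so every device holding the same key derives the same code."""
    now = time.time() if for_time is None else for_time
    counter = int(now // step)
    digest = hmac.new(decode_setup_key(setup_key), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(setup_key: str, submitted: str, now: Optional[float] = None, window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step plus `window` steps either side
    to tolerate clock drift, comparing in constant time."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(setup_key, now + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("current code for the demo key:", totp(DEMO_SETUP_KEY))
```

The demo key is public, so never enrol it anywhere; a real setup key is a shared secret and belongs in the vault item, exactly as the post describes.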

Guest Post: The “qwerty123” is out: “admin” is Canada’s top password in 2025

Posted in Commentary with tags on November 18, 2025 by itnerd

NordPass, together with NordStellar, has released the seventh edition of its annual Top 200 Most Common Passwords research. In addition to identifying the most popular passwords globally and in 44 countries, this year, the research focused on understanding how the passwords used by different generations vary. 

Most common passwords in Canada

Below are the top 20 most common passwords in Canada. The full list of global passwords and those from other countries covered by this research is available here.

  1. admin
  2. 123456
  3. gallant123
  4. password
  5. 1hateyou
  6. 12345678
  7. 123456789
  8. ZZZzzz111
  9. 12345
  10. Password
  11. stinky124
  12. Cutie121
  13. Password1
  14. pelletier123
  15. winners1
  16. wowme234
  17. 123four56
  18. 12345678910
  19. imstupid
  20. 1234567890

Although cybersecurity experts keep repeating that simple passwords are extremely easy to guess using a dictionary and brute-force attacks, Canadians seem to ignore the warnings. Words, number combinations, and common keyboard patterns dominate Canada’s top 20 list.

This year, “admin” is the most common password in Canada, replacing last year’s top choice, “qwerty123,” while “123456” ranks second. However, different variations of the word “password” take up as many as three spots in Canada’s top 20 most common passwords list. Different numeric combinations take up six spots.

Researchers also point out that sports-related terms (e.g., “hockey”) are being replaced by swear words in some countries. But Canadians are too polite for that. Their top 20 lists for both last year and this year contain no profanities.

Global trends 

Globally, “123456” is the most common password, followed by “admin” in second place, and “12345678” in third — another simple numeric sequence. Such weak patterns, ranging from “12345” to “1234567890,” along with common weak passwords like “qwerty123,” dominate top 20 lists across many countries.

Compared to last year, researchers observed a significant increase in the use of special characters in passwords. This year, 32 passwords on the global list include them, a notable rise from just six last year. The most common special character in passwords is “@,” and most of the passwords are unfortunately no more complicated than “P@ssw0rd,” “Admin@123,” or “Abcd@1234.”

The word “password” remains one of the most popular passwords worldwide. It’s used both in English form and in local languages in nearly every country we studied — from Slovak “heslo” and Finnish “salasana” to French “motdepasse” and Spanish “contraseña.” 

“Generally speaking, despite all efforts in cybersecurity education and digital awareness over the years, data reveals only minor improvements in password hygiene. The world is slowly moving towards passkeys — a new passwordless authentication method based on biometric data — but in the interim, until passkeys become ubiquitous, strong passwords are very important. Especially since around 80% of data breaches are caused by compromised, weak, and reused passwords, and criminals will intensify their attacks as much as they can until they reach an obstacle they can’t overcome,” says Karolis Arbaciauskas, head of product at NordPass.

The myth of the “digital native”

Research shows that for Digital Natives — those who grew up immersed in the online world — extensive exposure to technology doesn’t automatically translate into a strong understanding of fundamental password security practices or the severe risks associated with poor choices.

“The password habits of 18-year-olds are similar to those of 80-year-olds. Number combinations, such as ‘12345’ and ‘123456,’ are in the top spots across all age groups. The biggest difference is that older generations are more likely to use names in their passwords,” says Arbaciauskas.

Research reveals that Generations Z and Y rarely use names in their passwords, preferring combinations like “1234567890” and “skibidi” instead. The use of names in passwords becomes more prevalent starting with Generation X, peaking among Baby Boomers. 

Among Generation X, the most popular name used as a password is “Veronica.” For Baby Boomers, it’s “Maria,” and for the Silent Generation, it’s “Susana.”

The full list is available here.

Password safety tips

According to Arbaciauskas, a few basic rules can greatly improve digital hygiene and help avoid falling victim to cyberattacks due to irresponsible password management:

  • Create strong random passwords or passphrases. Passwords should be at least 20 characters long and consist of a random combination of numbers, letters, and special characters. 
  • Never reuse passwords. The rule of thumb is that each account should have a unique password because if one account gets broken into, hackers can use the same credentials for other accounts.
  • Review your passwords. Make sure to regularly check the health of your passwords. Identify any weak, old, or reused ones and upgrade them to new, complex passwords for a safer online experience.
  • Use a password manager. It can help you generate, store, review, and safely manage all your passwords, ensuring they’re well protected, difficult to crack, and easily available when you need them.
  • Turn on multi-factor authentication (MFA). It adds an extra layer of security. MFA helps keep hackers out even if a password gets breached.

Research methodology

This report is the result of a joint effort between NordPass and NordStellar together with independent researchers specializing in research of cybersecurity incidents. Recent public data breaches and dark web repositories were analyzed for passwords exposed from September 2024 to September 2025, with statistically aggregated data extracted. No personal data was acquired or purchased for this research.

Guest Post: Summer 2025 wrap up: From airport Wi-Fi to shared Netflix logins — the digital habits of the season

Posted in Commentary with tags on September 24, 2025 by itnerd

How carefree summer habits put personal data at risk — and what to do before autumn begins

As the summer sun sets, cybersecurity experts look back at how people stayed connected during their holidays — and where security slipped through the cracks.

This year, travel and technology were more intertwined than ever. Many vacationers relied on airport Wi-Fi to quickly check work emails, logged into airline apps with the same old password, or shared streaming accounts during rainy evenings abroad. While these habits made summer easier, they also exposed common security pitfalls.

“One recurring pattern was the rise of “workations.” Employees working from Mediterranean beaches or Alpine chalets often connected to company accounts via unsecured networks, creating easy opportunities for cybercriminals. Meanwhile, families on group trips frequently admitted to reusing the same password across multiple booking apps to keep it simple,” says Karolis Arbaciauskas, head of product at NordPass.

When convenience meets risk

The risks are far from theoretical. Fake Wi-Fi hotspots set up in airports, hotels, or even beach cafés can look identical to the real thing. Once connected, cybercriminals can monitor traffic and capture login details. If your credit card information is stored in one of those accounts for “quick checkouts,” your summer getaway could quickly turn into a nightmare — with bank alerts cutting your vacation short.

Summer is all about carefree living, but the digital traces we leave behind don’t disappear with the season. A single weak password or unsafe connection can undo months of careful planning — whether it’s for a holiday or a work trip.

Connectivity choices played a big role in these digital risks. Many travelers admitted that they connected to whichever Wi-Fi popped up first — often without checking if it was genuine. That convenience, while tempting, can be what opens the door to attackers.

“We’ve seen how travelers lean on quick connections to stay in touch with home, work, or entertainment,” said Vykintas Maknickas, CEO of Saily. “But not all networks are created equal. Choosing a secure, reliable connection can make the difference between a smooth trip and one filled with unexpected cyber troubles.”

5 tips to carry into autumn

  • Audit your passwords: Replace any that are weak, reused, or shared over the summer.
  • Think twice about Wi-Fi: Public hotspots are a hacker’s favorite playground — use mobile data or a VPN.
  • Keep accounts personal: Sharing logins may seem harmless, but it weakens your digital defenses.
  • Secure work accounts: If you worked on the road, reset critical passwords now.
  • Use tools that do the heavy lifting: A password manager helps generate and store strong, unique passwords effortlessly.

As summer ends, there is a reminder for everyone: your digital security and connectivity should travel with you — whether you’re heading back to the office, campus, or planning the next holiday.

ABOUT NORDPASS

NordPass is a password manager for both business and consumer clients. It’s powered by the latest technology for the utmost security. Developed with affordability, simplicity, and ease of use in mind, NordPass allows users to access passwords securely on desktop, mobile, and browsers. All passwords are encrypted on the device, so only the user can access them. NordPass was created by the experts behind NordVPN — the advanced security and privacy app. For more information: nordpass.com.

Guest Post: Raven Stealer, a new password-stealing malware, targets Google Chrome

Posted in Commentary with tags on September 19, 2025 by itnerd

A new malware called Raven Stealer has emerged and started targeting users of Chromium-based browsers, such as Google Chrome and Microsoft Edge. This malware is designed to harvest credentials and other sensitive information, cybersecurity researchers warn.

According to a blog post published by the team that discovered the infostealer, it spreads through underground forums, cracked software, and phishing emails, and it has a unique exfiltration method: stolen data is sent through the Telegram chat app.

Once installed, Raven Stealer accesses the browsers’ local storage paths and credential vaults to locate encryption keys, then uses native Windows API calls to decrypt and extract the saved data. Its primary target is browser-based authentication data, including saved passwords and session cookies, but it also gathers autofill entries, payment data, browsing history, and other data types. When collection is complete, the harvested data is written to text files, packed into a .zip archive, and sent to the attacker’s Telegram channel.
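The Telegram exfiltration step is the part a defender can watch for at the network edge: a non-messaging process uploading attachments to the public Telegram Bot API. The following is an added detection example, not code from the page or from the researchers who analyzed Raven Stealer; it assumes a constructed egress-proxy log format, an assumed allowlist of processes expected to talk to Telegram, and that the malware uses the Bot API’s upload methods (an assumption, since the page only says data goes to the attacker’s Telegram channel).

```python
import re
from dataclasses import dataclass

# Constructed egress-proxy log lines (not from the page or any real product):
# <timestamp> <process> <http_method> <host> <path> <bytes_out>
SAMPLE_LOG = """\
2025-09-19T10:02:11Z chrome.exe GET www.example.com / 512
2025-09-19T10:03:40Z Telegram.exe POST api.telegram.org /bot1234:ABC/sendMessage 300
2025-09-19T10:04:02Z updater.exe POST api.telegram.org /bot9876:XYZ/sendDocument 184320
2025-09-19T10:04:30Z updater.exe POST api.telegram.org /bot9876:XYZ/getMe 120
2025-09-19T10:05:15Z svchost.exe GET update.microsoft.com /x 2048
"""

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API paths look like /bot<token>/<method>; the token is the attacker's.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>\w+)$")
# Real Bot API methods that carry file attachments (likely exfil carriers).
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
# Assumed allowlist: the desktop Telegram client is the only expected caller.
ALLOWED_PROCESSES = {"telegram.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    api_method: str
    bytes_out: int
    severity: str  # "high" for uploads, "medium" for any other Bot API use


def find_telegram_exfil(log_text: str) -> list[Alert]:
    """Flag Bot API calls from processes that are not expected to use Telegram."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash the scan
        ts, proc, http_method, host, path, nbytes = fields
        if host != TELEGRAM_API_HOST or proc.lower() in ALLOWED_PROCESSES:
            continue
        match = BOT_PATH.match(path)
        if not match:
            continue
        method = match.group("method")
        severity = "high" if http_method == "POST" and method in UPLOAD_METHODS else "medium"
        alerts.append(Alert(ts, proc, method, int(nbytes), severity))
    return alerts
```

A real deployment would key the allowlist on signed binary identity rather than process name, since a stealer can pick any filename.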

Karolis Arbaciauskas, head of product at NordPass, comments:

“The emergence of Raven Stealer is a significant concern. This malware is particularly insidious because it silently targets the data people believe is encrypted and safe within their browsers. Raven Stealer is specifically engineered to search for stored credentials and encryption keys, making the browser’s vault a primary target and a weakness. Raven Stealer’s unique Telegram exfiltration makes detection challenging. Sending information through encrypted messaging channels lets it bypass many conventional security filters. Moreover, this malware is also capable of bypassing many corporate network filters.

“For individuals, probably the simplest and fastest way of dealing with this new threat is a dedicated password manager, which acts as an isolated, encrypted box for credentials and other data. It ensures that even if your browser is compromised, your actual passwords and session cookies remain secure and out of reach.”

To protect against Raven Stealer and similar threats, Arbaciauskas also advises the following:

  • Enable multi-factor authentication (MFA) everywhere because it acts as a vital second line of defense, preventing unauthorized access.
  • Avoid using cracked software because it’s dangerous. Only download software from official, trusted sources.
  • Carefully scrutinize all emails, especially those with links or attachments. Malware like Raven Stealer often spreads through phishing. Never click on suspicious links or open unexpected attachments, even if they appear to come from a known sender. Remember – if a deal seems too good to be true, it likely is.
  • Keep software updated because updates often include critical security patches that protect against known vulnerabilities and exploits.

For companies, centralized password and access rights management is essential. Besides that, Arbaciauskas recommends that you:

  • Apply application whitelisting and software restriction policies to ensure that employees only have access to trusted download sources and that only approved applications can run on corporate endpoints.
  • Make MFA mandatory for all corporate applications, VPNs, cloud services, and employee accounts.
  • Conduct regular cybersecurity training.
  • Maintain an expedited patch management program for all operating systems, browsers, and critical applications.
  • Segment your network and implement the principle of least privilege for user accounts and applications, restricting their ability to access or modify sensitive data.
  • Deploy Data Loss Prevention (DLP) solutions to monitor and prevent unauthorized exfiltration of sensitive company data.
  • Regularly back up your data and ensure that backups are stored securely offline.
  • Have an incident response plan ready.

Guest Post: Media streaming platform Plex suffers a data breach

Posted in Commentary with tags on September 9, 2025 by itnerd

Be careful – customer emails and passwords have been stolen

Plex, a popular media streaming platform, has issued a warning to its customers regarding a recent data breach. During the incident, a hacker stole customer authentication data. As a result, users are being advised to reset their passwords.

According to Plex, the stolen data includes email addresses, usernames, securely hashed passwords, and authentication data.

In its data breach notification, Plex stated: “We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.” The company added that no payment card information was stolen.

Karolis Arbaciauskas, head of product at NordPass, comments:

“Plex stresses that account passwords were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. But we still recommend resetting passwords. You can do this here. I would also advise enabling the ‘Sign out connected devices after password change’ option and turning on two-factor authentication for added protection.

“For those using SSO to log in, it would be best to log out of all active sessions. That can be done here, by clicking the button ‘Sign out of all devices.’ For step-by-step instructions on how to reset your password, visit this link.

“Remember to also inform your family and friends about this change. After a password reset, users will need to log in again on all their devices using the new credentials. A password manager can be helpful for securely generating and sharing these new credentials.

“Although the company insists the data leak was limited and the passwords were hashed, users should still be extra careful, especially if they reuse passwords. And people do reuse passwords. As many as 62% of Americans, 60% of Brits, and 50% of Germans admit doing so across multiple online accounts, our survey shows.

“For those who reuse passwords, there’s a risk that some credentials may have already been or will be exposed on the dark web. It’s highly probable that malicious actors will attempt to connect the dots and use these previously leaked passwords to gain unauthorized access to Plex accounts.

“Remember that after major data leaks, social engineering attacks tend to intensify. So users should be a bit more suspicious for some time. Be wary of unsolicited emails and messages, even if they seemingly are from Plex or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link. In its breach notification, Plex also emphasizes that it never reaches out over email to ask for a password or credit card number for payments.”


Guest Post: Dropbox will start disabling its password manager this week — act before you lose access to your accounts

Posted in Commentary with tags on August 26, 2025 by itnerd

Dropbox is not the first company to make such a decision this year

Starting this Thursday, August 28, Dropbox will turn off the autofill functionality, and users won’t be able to edit or add new passwords anymore. However, you will still be able to download your credentials for around a week after that.

Dropbox recently announced that it is focusing on its core product and discontinuing Dropbox Passwords — a security application designed to host and manage login credentials. Users are urged to migrate any saved content to their personal storage solutions by October 28. Otherwise, access to saved passwords could be lost.

Phasing out timeline

  • On August 28, the autofill functionality will be turned off and users won’t be able to edit or add new passwords anymore.
  • On September 11, the mobile app will be closed. But the browser extension will still work for a while.
  • On October 28, the browser extension will be closed and all entries will be deleted.

Starting to look like a trend

“We’ve certainly taken note of Dropbox’s announcement regarding the discontinuation of Dropbox Passwords. For those who relied on it, this news can feel disruptive and leave people wondering how best to secure their online lives going forward. But it’s not the first time this sort of decision has been made this year. Companies abandoning non-core activities and disabling password managers or password management functions is starting to look like a trend in the technology market. Earlier this year, Deutsche Bank turned off the document and password vault in its online banking platform, and Microsoft just finished phasing out password management functionality in its Authenticator app,” says Karolis Arbaciauskas, head of business product at NordPass.

“This development, while challenging for affected individuals, highlights an increasingly crucial aspect of personal and organizational cybersecurity: the need for robust, reliable, and dedicated solutions. In other words, relying on integrated features within a broader service, which might be subject to strategic shifts, can expose users to unexpected vulnerabilities. But in the long run, this shift can be beneficial. Users will likely move from integrated solutions to dedicated cybersecurity tools. Meanwhile, Dropbox, Deutsche Bank and other non-cybersecurity companies will be able to focus on their core products. Keeping services, such as password vaults secure and up to date is costly and requires constant attention,” he adds.

Note for admins

Arbaciauskas notes that businesses, more specifically IT or cybersecurity administrators, should also pay attention to Dropbox’s notification, because each team member will also need to export their password data.

“Admins: Each team member will need to take the action above to export their password data. To see which of your team members are using Dropbox Passwords, go to the Passwords page in the admin console. If a team member has a Passwords score, then that indicates they’re using Dropbox Passwords. If it says Inactive then that user is not using Dropbox Passwords,” says Dropbox.

How to export your passwords

Dropbox provides the following instructions:

Browser extension

  • Open the Dropbox Passwords browser extension.
  • Click your avatar (profile picture or initials) in the bottom-left corner.
  • Click “Preferences.”
  • Click the “Account” tab.
  • Click “Export.”
  • Click “Export” to confirm.

Mobile app

  • Open the Dropbox Passwords mobile app.
  • Tap “Settings.”
  • Tap “Export.”
  • Tap “Export” to confirm.

“Just remember to delete the unencrypted CSV file after you import your credentials to another password manager,” says Arbaciauskas.
