
Digital Privacy and Password Security: What the Research Says About What Actually Protects You

11 min read · By KBC Grandcentral Research Team

Troy Hunt's Have I Been Pwned database contains over 13 billion compromised accounts as of 2026. The most common passwords in breach databases are not 'password123' — they're plausible-looking strings like 'Spring2024!' that satisfy every complexity requirement but appear in credential stuffing lists. Password complexity rules were formally debunked by NIST in 2017. Length is what matters, and reuse is the actual vulnerability.

Password Cracking Time: Length vs Complexity

| Password | Characters | Crack time (GPU cluster) | Comment |
|---|---|---|---|
| password1 | 9 (low entropy) | milliseconds | In every dictionary list |
| P@ssw0rd! | 9 (mixed types) | seconds–minutes | Rule-based mutation lists |
| correct-horse-battery | 20 (lowercase only) | centuries | 4× XKCD passphrase |
| random-16-chars-mix | 16 (full charset) | millions of years | Password manager territory |
| Spring2024! | 11 (predictable pattern) | In breach databases | Most common "complex" pw |

⚡ Complexity ≠ security. Length + uniqueness = security. Source: NIST SP 800-63B (2017)

Reuse Is the Real Vulnerability, Not Weak Passwords

Key Takeaways

  • NIST 2017 ended complexity requirements — no more mandatory special characters, expiry rotations, or complexity rules; length and uniqueness are what matter
  • Credential stuffing is the real attack vector — attackers take emails + passwords from one breach and try them everywhere else; reuse = catastrophic
  • A password manager solves both problems — generates long random unique passwords for every site; you only remember one strong master password
  • Passkeys (FIDO2) eliminate passwords entirely — cryptographic authentication tied to your device; no password to steal or phish
  • Check breaches at haveibeenpwned.com — Troy Hunt's free service; API is used by 1Password, Firefox Monitor, Google Password Checkup

Why NIST Reversed Password Complexity Rules

NIST Special Publication 800-63B (2017) was a landmark reversal. The guidance that preceded it — require uppercase, lowercase, numbers, and symbols; force rotation every 90 days — turned out to produce predictable patterns: people would write "Password1!" and change it to "Password2!" next quarter. The complexity theater provided almost no actual security improvement.

The new guidance: check passwords against known breach databases at creation (don't allow known-compromised passwords), allow long passphrases (up to 64+ characters), only require changes when there's evidence of compromise, and stop mandatory periodic rotation. Longer passwords, unique per service — that's the actual security model.
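The "check against known breach databases at creation" step can be done without ever sending the password itself: Have I Been Pwned's Pwned Passwords range endpoint takes only the first five hex characters of the SHA-1 and returns every known suffix in that bucket, so the match happens on the client. The example below is added here and is not the article's code; the breach corpus, its counts and `fake_fetch_range` are constructed stand-ins for the live endpoint so it runs offline.

```python
import hashlib
from typing import Callable

# Real k-anonymity endpoint: GET https://api.pwnedpasswords.com/range/<prefix>
# Only the 5-char SHA-1 prefix leaves the client. The fetcher is injected so this
# example can run offline against the constructed stand-in defined below.
RangeFetcher = Callable[[str], str]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the server, 35-char suffix matched locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times this exact password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():      # each line: "<suffix>:<count>"
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def registration_allowed(password: str, fetch_range: RangeFetcher,
                         min_length: int = 8) -> tuple[bool, str]:
    """NIST SP 800-63B style policy: length floor plus breach screen, no composition rules.
    min_length=8 is the NIST floor for user-chosen memorized secrets."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    hits = pwned_count(password, fetch_range)
    if hits:
        return False, f"found in {hits} breach records"
    return True, "ok"

# Constructed stand-in for the breach corpus; the counts are made up for illustration.
CONSTRUCTED_BREACH_CORPUS = {"password1": 2413945, "P@ssw0rd!": 55211, "Spring2024!": 41209}

def fake_fetch_range(prefix: str) -> str:
    """Emulates the range endpoint: every corpus suffix whose SHA-1 starts with prefix."""
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in CONSTRUCTED_BREACH_CORPUS.items()
             if sha1_hex(pw).startswith(prefix)]
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("Spring2024!", "correct-horse-battery-staple-orbit"):
        print(pw, registration_allowed(pw, fake_fetch_range))
```

Against the live service, `fake_fetch_range` is replaced by an HTTP GET of the prefix URL; the matching logic and policy stay the same.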

Credential Stuffing: The Actual Threat Model

The most common account compromise scenario isn't brute-force guessing — it's credential stuffing: using email/password pairs from one breach to try other services. If you use the same password for your email and your bank, one forum breach can expose your financial accounts. Breaches at sites you've forgotten you even created accounts on are being actively traded.

| Attack Type | What It Is | Defense |
|---|---|---|
| Credential stuffing | Using leaked email+password from one breach on other sites | Unique password per site (password manager) |
| Brute force | Systematically trying all combinations | Long password (16+ chars) makes this infeasible |
| Dictionary attack | Trying common passwords and variations | Avoid real words, names, dates, keyboard patterns |
| Phishing | Fake login page steals your credentials | Passkeys / hardware keys; URL verification |
| SIM swapping | Hijack your phone number for SMS 2FA | Use authenticator app or hardware key, not SMS |
| Social engineering | Tricking support to reset your account | Account recovery codes stored securely |

Password Managers: What They Do and Which to Trust

A password manager generates, stores, and autofills unique strong passwords for every site — meaning you only need to remember one strong master password. They encrypt your vault with your master password locally before syncing, so even the service provider can't read your passwords (this is called zero-knowledge architecture).

Well-regarded options include Bitwarden (open-source, free tier is genuinely useful), 1Password, and Apple Keychain (excellent if you're within the Apple ecosystem). The worst security choice is reusing passwords. The second worst is keeping passwords in an unencrypted text file. Any password manager, including free options, is a massive security improvement over either.
