Weak Passwords and Unauthorized Access
The article discusses the hyper-large-scale data breach collection that surfaced recently, revealing how widespread weak passwords are and the serious security risks they create. Attackers use this information to break into accounts with ease, leading to identity theft and compromised corporate systems. The article stresses the importance of creating complex, unique passwords and recommends password managers to solve the memorization problem. It also calls for stronger security awareness training to improve the digital defences of individuals and companies. 2025-9-25 08:16:11 Author: www.adainese.it


A few months ago, a new “collection” of data breaches began circulating: someone had taken the time to aggregate cleaned-up data from multiple past breaches into a single consolidated database.
The result was a well-organized archive containing more than a billion email addresses and corresponding passwords.

This was nothing new, but due to its compact size and structured format, the dataset became particularly interesting to analyze.

We Have a Problem

While reviewing the file, it became clear that we face a significant issue: many people still do not understand how to manage passwords or the importance of doing so.

Analyzing only a small, yet statistically significant portion of the database revealed that the chosen passwords were extremely weak.

[Figure: Most commonly used password in 2020]

The problem is serious because the same careless behavior individuals use in their private lives often extends into the workplace. This means that not only are individuals exposing themselves to risks such as identity theft, but they are also exposing their companies to corporate security breaches.

It’s time to go back to the basics.

How Attackers Think About Passwords

From the attacker’s perspective, the reasoning is straightforward:

  1. Define an objective (often financial gain).
  2. Assess possible targets that can help achieve that objective.
  3. Select targets that optimize effort—those most vulnerable or with the most available information.
  4. Execute the attack.

With access to public online tools, past data breaches, and marketplaces on the Darknet, attackers can easily identify potential victims. Using exposed passwords and personal information, they gain a significant advantage.

The Risks of Weak Passwords

By obtaining one or more passwords for a target, an attacker can infer patterns in the target’s thinking. They can then attempt to access services using known or predictable credentials.

The risks are clear:

  • For individuals: account takeover and identity theft.
  • For organizations: unauthorized access to IT and telecommunication systems (the offence defined in Article 615-ter of the Italian penal code).

This may sound like a distant threat, but the hyper-digital nature of today’s world has led to an exponential increase in account theft reports. For organizations, this often manifests as anomalous login activity.

How Not to Choose a Password

When creating passwords, many people believe they are being clever, but they often:

  • Fail to realize how common their logic actually is.
  • Underestimate the likelihood of being targeted.
  • Overlook the consequences of a focused attack.
  • Use trivial passwords (e.g., margherita).
  • Use predictable keyboard sequences (e.g., 1q2w3e4r).
  • Apply “creative” formulas they believe to be unbreakable (e.g., googleLaVita3Bella).
  • Reuse the same password across multiple sites.

We must face reality: every account containing personal data has value. The real question is how much value—and in the case of email or social media accounts, the answer is generally a lot.

From a corporate perspective, requiring users to set at least 12-character alphanumeric passwords with uppercase, lowercase, and special symbols often results in passwords like PizzaMargherita2012!.

Attacks Against Passwords

Let’s return to the attacker’s perspective. Given the available information:

  • If a target reuses the same password across services, a single data breach exposes all their accounts—including corporate ones.
  • If a target uses an algorithmic pattern, once one or two passwords are leaked, an attacker can deduce the formula and generate future credentials.
  • If a password is simple, brute-force attacks (using dictionaries ordered by probability, built from past leaks) can crack it quickly.

In nearly all cases, attackers can compromise at least some accounts.

Choosing and Managing Passwords

Given the threat landscape, each account must be protected by a password that is:

  • Unique: otherwise, one breach compromises everything.
  • Complex: otherwise, brute force attacks succeed in minutes.
  • Non-mnemonic: otherwise, attackers can reverse-engineer personal patterns from leaked credentials.

This leads to a practical challenge: how do we manage unique, complex, and non-memorable passwords?
The answer: password managers. Users only need to remember two things:

  1. The master password for the manager’s database.
  2. Their computer login credentials.

Awareness and Training

This brings us to the main point: corporate security.

After an anomaly or compromise, users are often asked to change their passwords. But if the old password was Cristina43!, the new one will likely be Cristina44!—a useless change that ensures continued attacker access.
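The checks below are an added example, not code from the original post or its author. They turn the article's observations into a defender-side screen: the naive 12-character policy that still accepts PizzaMargherita2012!, the predictable constructions listed earlier (trivial word, keyboard run, "creative" formula, year), the Cristina43! to Cristina44! rotation that a post-incident reset must reject, and the non-mnemonic passwords a manager generates. The word list is a constructed stand-in for a real leak-derived dictionary.

```python
import re
import secrets
import string

# Constructed stand-in for the probability-ordered dictionary an attacker would
# build from leaked passwords (a real list would hold millions of entries).
COMMON_WORDS = {"password", "pizza", "margherita", "cristina", "google", "vita", "bella"}
KEYBOARD_RUNS = ("1q2w3e4r", "qwerty", "asdfgh", "123456")

def meets_naive_policy(pw):
    """The 12-char upper/lower/digit/symbol rule the post criticises."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and all(re.search(c, pw) for c in classes)

def weaknesses(pw):
    """Return the predictable-construction patterns found in pw (empty = none)."""
    found = []
    low = pw.lower()
    if len(pw) < 12:
        found.append("short")
    if any(run in low for run in KEYBOARD_RUNS):
        found.append("keyboard-run")
    # split on case changes and digits so CamelCase "formulas" expose their words
    tokens = [t.lower() for t in re.findall(r"[A-Z]?[a-z]+", pw)]
    if any(t in COMMON_WORDS for t in tokens):
        found.append("dictionary-word")
    if re.search(r"(19|20)\d{2}", pw):
        found.append("year")
    return found

def alpha_core(pw):
    """Letters only, lowercased: the part of a password people actually keep."""
    return re.sub(r"[^a-z]", "", pw.lower())

def is_trivial_rotation(old, new):
    """True when the new password only bumps digits/symbols around the same word."""
    core = alpha_core(old)
    return bool(core) and core == alpha_core(new)

def generate_password(length=20):
    """What a password manager does: non-mnemonic, per-account, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for pw in ("margherita", "1q2w3e4r", "googleLaVita3Bella", "PizzaMargherita2012!"):
        print(f"{pw:22} policy_ok={meets_naive_policy(pw)!s:5} weaknesses={weaknesses(pw)}")
    print("Cristina43! -> Cristina44! is rotation:", is_trivial_rotation("Cristina43!", "Cristina44!"))
    print("manager-style password:", generate_password())
```

A reset workflow would run `is_trivial_rotation(old, new)` and `weaknesses(new)` before accepting the replacement, which is exactly the check that the Cristina44! change would fail.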

This is why training is crucial. Employees should not follow arbitrary rules they don’t understand. Instead, they need awareness—recognizing the personal benefits first, which then naturally extend to the company.

Conclusions

I, too, once assumed people understood the risks of weak passwords and how to manage them properly. But through conversations, I realized the reality was very different. More importantly, I began to understand the motivations behind their poor choices.

By sitting down with people, discussing digital security, real-world consequences, and—most importantly—listening, I was able to design a different strategy. This approach proved far more effective than generic “information security awareness” video courses.

The individuals I had the honor to train not only understood the risks, but also adopted a mindset that allows them to think critically about the digital world. The benefits extended far beyond password security, reaching areas we hadn’t even addressed yet.


Source: https://www.adainese.it/blog/2021/03/18/weak-passwords-and-unauthorized-access/