The Password Is Dead

Spies, Lies & Cybercrime by Eric O'Neill

In This Issue

Title Story: The password is officially dead—here’s why it failed and what’s replacing it, plus an EXCLUSIVE opportunity to preorder Spies, Lies and Cybercrime at a deep discount!

Cybersecurity Tip of the Week: Use HaveIBeenPwned.com to find out if your accounts have been compromised in a data breach.

Cybersecurity Breach of the Week: Cybercriminals are targeting retirees with fake Social Security messages to steal their benefits.

Tech of the Week: China launches a robot soccer league, teasing a future where nations compete in a Robo-Olympics.

Appearance of the Week: Listen to my interview on NightSide with Dan Rea about catching Hanssen, the conflict with Iran and the potential for critical infrastructure cyber attacks.

Title Story

The Password is Dead (R.I.P.)

We are gathered here today to mourn the passing of the password.

Born sometime in the 1960s, the password served us well—for a while. It protected our bank accounts (until it didn’t), guarded our email (before it got phished), and stood valiantly between our Netflix logins and freeloading in-laws. But alas, the password died not with a bang, but with a data dump—RockYou2024, may it rest in plaintext.

It lived a long life, but not necessarily a useful one. Towards the end, the password struggled. It was forgotten, reused, mistyped, written on sticky notes, and stored in browsers it never trusted. It endured the indignity of being “123456” and the futility of being “P@ssw0rd!”—because even when it tried to be strong, it was still weak.

In the end, it wasn’t hacked so much as it was… outgrown.

We now lay it to rest—not in peace, but with relief—and look to a future where facial recognition, biometrics, passkeys, and multi-factor authentication step up to do what the password never could: keep us safe.

Amen, and please—do not resurrect.

The Password is an Achilles Heel

In May 2021, a hacker used a defunct virtual private network (VPN) account to slip into the digital defenses of Colonial Pipeline—the largest fuel transmission company in the United States. That single account didn’t use multi-factor authentication. Only a lonely password—one weak link in a chain of infrastructure that supplies nearly half the East Coast’s fuel.

What followed was a ransomware attack that shut down 5,500 miles of pipeline, caused panic at gas stations from Georgia to D.C., and forced Colonial Pipeline to pay a $4.4 million ransom. All because a long-forgotten password opened the door.

The Colonial Pipeline attack wasn’t some genius heist. It was low-hanging fruit—credentials sold on the Dark Web, tried by a bottom-tier cybercriminal, and successful only because a security best practice wasn’t followed: no multi-factor authentication (MFA).

With tensions with Iran rising and the threat of retaliation against U.S. infrastructure growing, this kind of oversight is unacceptable. Cyberwar won’t start with bombs—it’ll start with breached logins. If we don’t take security seriously now, we’ll pay the price later.

It’s time to kill the password.

The Password is a Lie

Here’s the truth we don’t like to admit: the password is our digital Achilles heel.

Most of our usernames and passwords are already floating around the Dark Web—packaged from mega breaches into downloadable “bargain bins.” Attackers buy these in bulk, learn a few things about you from social media, and start logging in everywhere.

It’s called credential stuffing. And it works. Especially because most people reuse the same password across everything—from your 401(k) account to your frozen yogurt punch card.

And the problem keeps growing. In July 2024, a massive leak called RockYou2024 dumped nearly 10 billion passwords online—the largest password compilation in history. If you’re online, your password is probably in there. Don’t be surprised if your Netflix queue has new entries you didn’t add or if Spotify starts suggesting playlists in Russian.

Even complex passwords aren’t safe. With powerful hardware, cracking long, randomized passwords is faster than ever. That’s why cybersecurity pros use password managers—tools like Bitwarden or 1Password—to store unique, complex passwords. But even that isn’t enough.

The best password is no password at all.

Tech Giants Are Ditching the Password

The big three—Apple, Microsoft, and Google—have all moved beyond passwords.

· Microsoft now lets new users ditch the password entirely. You can log in with a secure app, a hardware key, or biometric data like facial recognition using Windows Hello. Passwordless login is now the default for all new accounts.

· Apple replaced the password with Face ID, Touch ID and Passkeys. And they’ve improved it since the early days when kids used their mom’s sleeping finger to buy Pokémon. Face ID is now so secure, Apple estimates the chance of a false match at less than 1 in 1,000,000.

· Google is promoting passkeys and two-factor authentication (2FA) across its ecosystem. You’ll notice more apps asking for an authentication code or biometric check—even on your Gmail.

What Should You Do?

1. Use a password manager like Bitwarden or 1Password to generate and store strong, unique passwords for each account. Let the robots do the remembering.

2. Enable MFA (Multi-Factor Authentication) on every account that offers it—from your bank to your kid’s school portal. Use an authenticator app, not just a text message, whenever possible.

3. Ditch SMS-only security—text messages can be intercepted. Use biometric logins or security apps when available.

4. Prepare for the worst. Make sure a trusted person knows how to access your critical digital accounts in case you’re abducted by aliens. (Or something more mundane.)

5. Adopt passkeys and biometrics wherever you can. Let your face, your finger, or your secure device replace the outdated password entirely.

The password gave us a false sense of security. It’s time we stop relying on it to protect our most valuable data. Because in a world of cyberwarfare, ransomware gangs, and Dark Web markets, one password is all it takes to bring down a pipeline, a company, or a country. Rest in Peace and good riddance!

Cybersecurity Tip of the Week

Order My New Book, Then Check if You’ve Been Pwned (and try not to panic)

Before we dive into this week’s security advice, I’ve got some exciting news. My new book, Spies, Lies, and Cybercrime, hits shelves October 7—and for a limited time, you can preorder it at a steep discount!

📚 From July 8–11, Barnes & Noble is giving Rewards and Premium Members 25% off all pre-orders—and Premium Members get an additional 10% off. That means more digital defense tips (like how to finally leave your password behind) for less.

This book is packed with real-world stories, practical takeaways, and no-fluff advice on protecting yourself from cybercriminals, spies, scammers, and the ever-failing password. Get your copy before the hackers get you!

Now, let’s get to this week’s cybersecurity tip…

Ever wonder if your username and password were swept up in a data breach? Maybe even multiple breaches?

There’s a free, legit site where you can find out: www.haveibeenpwned.com — run by cybersecurity expert Troy Hunt. It collects data from major breaches and lists the websites and organizations that have been, in gamer slang, “pwned” (translation: completely owned by attackers).

Take a deep breath, then plug in the email addresses tied to your most important accounts. Odds are, at least one has been compromised and is now up for sale on the Dark Web.
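The site above also runs a Pwned Passwords service, and the way it checks a password is worth seeing because it never receives the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, gets back every known suffix for that prefix with a breach count, and does the final match locally (the "k-anonymity" model). The code below is an added example, not from the newsletter or from Troy Hunt's project; it implements that client-side matching over a constructed sample response (the counts in `SAMPLE_RANGE` are made up, though the suffix of `password` is its real SHA-1). `fetch_range` is the only part that touches the network and is not called in the offline run.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # public HIBP endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Each response line is '<35-hex-suffix>:<count>'. Blank lines are ignored and a
    count of 0 (used by the service's response padding) is kept, so it matches nothing real."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """How many times this password appears in HIBP's corpus, computed locally from a range response."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call: fetch the range for a 5-char prefix. Only the prefix leaves the machine."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range/5BAA6 response. The first suffix is the real SHA-1 tail of
# "password"; the counts and the other suffixes are invented for the example.
SAMPLE_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123
0000000000000000000000000000000000A:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(candidate)
        n = breach_count(candidate, SAMPLE_RANGE)
        verdict = f"seen {n} times, do not use" if n else "not in this range"
        print(f"{candidate!r}: prefix sent = {prefix}, {verdict}")
```

To run it against the live service, replace `SAMPLE_RANGE` with `fetch_range(prefix)`; a password manager or a signup form can use the same check to refuse a password that already circulates in breach dumps, and the only thing the remote side ever learns is a five-character hash prefix shared by hundreds of other passwords.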

Cybersecurity Breach of the Week

Phishing Scam Targets Social Security Recipients

This week, cybercriminals are going after some of the most vulnerable: retirees.

A new phishing scam is impersonating the Social Security Administration (SSA), sending official-looking emails and texts claiming there’s a problem with your benefits or account. The message urges recipients to click a link or call a number—fast—before benefits are “suspended.”

Here’s the danger:

If someone falls for it, they could unknowingly hand over their Social Security number, banking info, or login credentials. In some cases, scammers are even rerouting monthly SSA payments into their own accounts, cutting off income and leaving victims scrambling.

What to do now:

1. Don’t click links in unsolicited SSA messages—official notices won’t come that way.

2. Log in directly at ssa.gov to check your account.

3. Turn on alerts so you’re notified of any changes.

4. Report scams at reportfraud.ftc.gov.

Make sure your family, especially elderly loved ones, knows the signs. Hunt this threat before the threat hunts you!

Tech of the Week

China’s Robot Soccer League Is Wild (and Weirdly Impressive)

Move over, Messi—there’s a new generation of athletes, and they don’t need halftime pep talks or orange slices.

China just kicked off a robot soccer league, where humanoid bots dribble, pass, and take shots on goal—occasionally falling over in spectacular fashion. It’s all part of a global AI and robotics initiative to train machines to operate in unpredictable, real-world environments. Today’s challenge? Soccer. Tomorrow? Search and rescue, battlefield support, or space missions.

The effort is backed by RoboCup, an international project with a bold goal: to field a robot soccer team that can defeat human World Cup champions by 2050. Ambitious? Definitely. Hilarious to watch? Also yes.

And here’s a wild but plausible thought: within our lifetime, we might witness a Robo-Olympics—a full-scale global tournament where tech superpowers showcase their best robots in events that test strength, agility, speed, and tactical AI. Imagine autonomous sprinters, weightlifting mechs, or synchronized swimming drones—all competing for national glory.

As for Robo-Soccer: not quite ready for prime time yet. Watch below and you decide!

Appearance of the Week

Listen to my interview on NightSide with Dan Rea.

Like What You're Reading?

Don’t miss a newsletter! Subscribe to Spies, Lies & Cybercrime for our top espionage, cybercrime and security stories delivered right to your inbox. Always weekly, never intrusive, totally secure.

Are you protected?

Recently, nearly 3 billion records containing all our sensitive data were exposed on the dark web for criminals, fraudsters and scammers to data mine for identity fraud. Was your Social Security number and birthdate exposed? Identity threat monitoring is now a must to protect yourself. Use this affiliate link to get up to 60% off Aura’s cybersecurity, identity monitoring and threat detection software!

Want to start a newsletter?

Use this link to get a 30-day trial + 2-% Beehiiv!

Ready for Next Week?

What do YOU want to learn about in my next newsletter? Reply to this email or comment on the web version, and I’ll include your question in next month’s issue!

Thank you for subscribing to Spies, Lies and Cybercrime. Please comment and share the newsletter. I look forward to helping you stay safe in the digital world.

Best,
Eric

Let's make sure my emails land straight in your inbox.

Gmail users: Move this email to your primary inbox

On your phone? Hit the 3 dots at top right corner, click "Move to" then "Primary."

On desktop? Close this email then drag and drop this email into the "Primary" tab near the top left of your screen

Apple mail users: Tap on our email address at the top of this email (next to "From:" on mobile) and click “Add to VIPs”

For everyone else: follow these instructions

Partner Disclosure: Please note that some of the links in this post are affiliate links, which means if you click on them and make a purchase, I may receive a small commission at no extra cost to you. This helps support my work and allows me to continue to provide valuable content. I only recommend products that I use and love. Thank you for your support!
