There came a time in my adult life when I accumulated so many keys—for doors, bars, and gates—that losing one was almost routine. More than once I had to look for them all over the house, losing valuable minutes. Something similar happens in my digital life: I have forgotten passwords again and again, and recovering them is usually a real headache. It’s not strange: the average user has 168 passwords, according to a study from NordPass. The risk is not only forgetfulness: cybercriminals are constantly on the lookout.
And it’s not just about personal accounts. The report reveals that, on average, a worker also manages 87 work passwords. The question is obvious: how can that volume be kept under control and out of the hands of third parties?
Common methods of cybercriminals
July Seminar, cybersecurity expert at Intecnia Corp, explains that today an attacker does not need to be “the movie hacker” to steal a password.
“They do it mainly through phishing: emails or messages that appear legitimate and that lead to false pages for the user to enter their password,” he tells The Commerce.
Phishing is not new—it dates back to the early years of the Internet—but it has become increasingly sophisticated. Social engineering, combined with artificial intelligence, allows hoaxes to be personalized with a level of detail that makes them highly credible.
There is also, although it is less frequent, malware designed specifically to steal passwords. Seminar mentions two of the most common: keyloggers and spyware. The former record every key pressed; the latter can even take screenshots or monitor device activity.
“The worrying thing is that they work in the background and the user does not notice anything strange,” he warns.
These malicious programs are usually installed through attachments, deceptive downloads or pirated software. Once inside the system, they can extract information in a matter of seconds.
Added to this is another risk factor: massive data leaks. When a service is compromised, millions of passwords end up circulating in clandestine forums. And since many users reuse passwords, criminals test them on social networks, email accounts or banking services. That’s where the old accounts come in. Abandoned, with recycled passwords and no additional protection, they become easy backdoors to exploit.
Password managers: are they secure?
In daily practice, few people keep a physical record of all their passwords. Most use integrated managers like those of Google or Apple, which—in general terms—perform their function well.
“They encrypt passwords, synchronize data between devices and offer alerts if a key appears in a leak,” explains Martina Lopez, computer security researcher at ESET Latin America.
But she notes a crucial point: “Everything is only as secure as the master password or the main method of unlocking the device.”
A weak PIN or a simple password significantly reduces the protection. Maintaining strict control of device access—ideally with biometric authentication or strong passwords—is essential.
There are also quite well-known third-party managers, which usually offer more advanced functions, such as securely sharing passwords, managing corporate access or managing identities. Although some have suffered security incidents, Lopez clarifies that “the important thing is to understand that, even when they occurred, user information was encrypted and was not directly exposed.”
“The key is to choose transparent providers, who publish audits and clearly explain how they protect data,” she adds.
Passkeys: a technology on the rise
As cybercriminals refine their techniques, so do defense technologies. Among the most promising are passkeys, or access keys: digital credentials that allow you to authenticate without typing a password.
They are based on biometric or physical factors, which eliminates the risks associated with weak or reused passwords.
“They represent a paradigm shift, because they eliminate the problem of remembering passwords and make it very difficult for an attacker to steal them through phishing,” says Lopez.
Seminar agrees, saying that “they greatly reduce the risk because there is no password to write or steal.” But he warns that there are still limitations: “Not all services support them yet and they depend a lot on the device where they are stored.”
The adoption is gradual and still presents challenges—interoperability between devices, confusing configurations, barriers in corporate environments—but the direction is clear: a future with fewer passwords and more mechanisms invisible to the user.
Security measures
Both specialists agree that, in the face of an increasingly complex digital ecosystem, the key is to adopt simple but consistent habits. Using unique and strong passwords—long, with special characters and numbers—for each service drastically reduces the impact of any leak. To achieve this without forgetting them, the most practical thing is to rely on a password manager, whether it is one integrated into the operating system, such as that of Google or Apple, or a dedicated application.
They also emphasize the importance of always activating multi-factor authentication. That extra step, which sometimes seems like a hassle, greatly complicates access for attackers even if they manage to obtain a password. Checking the legitimacy of the sites where credentials are entered—especially if they are reached from a link or a quick search—is another critical layer of protection.
Experts also recommend reviewing and closing old accounts, updating devices regularly and distrusting links that arrive by email or instant messaging. Finally, keeping a security solution installed that detects threats such as keyloggers or spyware adds an additional barrier against silent information theft. In an environment where we manage hundreds of keys, prevention remains the most effective defense.