This content highlights the pervasive threat of password leaks and data breaches in the digital age, offering practical advice on how to protect personal accounts from hackers through secure password creation and additional security measures.
Hello, friends!
Do you know that your password
was leaked on the internet?
I'm not kidding.
This is serious.
There's a high chance that the passwords of hundreds
of thousands of you watching this video right now,
for your Apple accounts,
Google accounts,
Facebook and Instagram accounts,
have been leaked on the internet.
And hackers can access them easily.
Look at this headline from a few days ago,
more than 16 billion passwords were breached.
Some news websites called it the largest ever data breach in history.
So the obvious question is
how will you know
if your account's password has been leaked or not?
And if it has,
how can you protect your account from hackers?
How can you create a password
that's so secure that
no one can ever hack it?
Let's try to answer these questions in this video.
We found out about the most recent data leak
from an investigation of the Cyber News website.
The Cyber News team was closely monitoring the dark web
for the data leak since the beginning of 2025.
In June, it found 30 different datasets
which were not secured by any password or encryption.
They could be accessed easily.
They claim that in these 30 datasets,
they found 16 billion login details.
"16 billion login credentials
have been uncovered online
in a massive worldwide breach."
Some experts say that
this story isn't entirely true.
This 16 billion number might be exaggerated.
Because it includes double and triple entries of the login IDs.
And on top of that, this 16 billion figure
was arrived at by collecting previous data leaks.
And there's little new data here.
But no matter how big or small the data leak is,
if your password was leaked,
then you are in big danger.
Using your password,
not only can someone log in to your personal accounts,
but one can steal your identity
and misuse it.
Your family or friends can be blackmailed using your name.
There can be attempts to access your financial accounts.
Your data can be sold on the dark web
or you can even be blackmailed.
So, friends, everything that I'm going to tell you in this video,
is very important in today's digital world.
Especially for your parents and the elders in your family.
Almost everyone uses smartphones these days.
But not everyone knows about these precautions.
So, show this video to your parents and the elders in your family.
Broadly speaking, there are four main ways used by hackers and cyber criminals
to steal your passwords.
The first and most common way is
Phishing.
In this, hackers try to trick you through emails, WhatsApp messages or SMSs
trying to convince you to reveal your password.
You might be thinking, how is this possible?
You must have seen such emails in your spam folder.
Email from 'Facebook' or 'Instagram'.
Offering you the blue tick.
Asking you to just click on the given button and add your details.
And then you'll get the blue tick.
This is a common example of a Phishing email.
Actually, this email was not sent by Facebook or Instagram.
Instead, it was sent by a hacker.
But the email is presented as if
it was sent by Facebook or Instagram.
When you click on the button, you are asked to enter your information on a webpage,
it looks like you are logging in to your Facebook or Instagram account.
But actually, that webpage is fake.
And when you enter your username and password while logging in,
that information goes to the hacker.
Similarly, you might get SMSs on your phone
which claim to be from SBI,
Informing you that your bank account has been temporarily suspended.
Asking you to log in immediately.
There's a link too,
such as www.online-sbi.com.
Once again, it might feel like SBI's website URL
but it's not.
There are minor differences in the names or URLs of these websites,
to differentiate them from the real website.
But it might be difficult for a person to spot the differences on the webpage.
You might enter your username and password innocently,
while all your bank details and the access to the bank account,
is shared with the hacker.
Phishing is based on psychological manipulation.
You share your information with the hacker unknowingly.
The simple way to avoid this is
to never log in using a link from any email, SMS or WhatsApp message.
If you need to check something on their website,
then just open a web browser,
search for the website's URL,
and use that.
The second method is Credential Stuffing.
In it, the hackers use past data leaks.
Like this news about 16 billion leaked passwords.
The hackers found out about the major data breach.
You might think that only your Instagram account's data has been leaked,
which might be pretty useless to you
because you never use it,
so you may think that you are safe.
But the hackers will look at the username and password combination,
and will try to access various websites using it.
They can see your Instagram account's leaked data.
But you might use the same password on Facebook, Apple or Google.
Even if you don't use the exact same password,
you might be using somewhat similar passwords.
This is called credential stuffing.
They 'Stuff' your leaked credentials on different websites
to see if it works.
They try to guess.
And in most cases, it works.
Because often, when people create accounts,
they use the same username and password on different websites.
To avoid this, you should use completely different passwords for different websites.
If you are wondering how this can be possible,
how you can remember different passwords,
if you'd need to remember 10-15 of them,
don't worry about it, I'll tell you more about this later in the video.
Before that, let's see the third method.
Password Spraying.
In this technique, hackers try to test common passwords for many usernames.
This technique is more successful than the previous one.
Because today, most systems
temporarily lock the account after a few failed login attempts.
But with password spraying, hackers try to log into an account only once or twice.
For example, let's say a hacker has a list of 500 email IDs of government employees.
Like abc@gov.in,
cde@gov.in,
xyz@gov.in.
These are the email IDs of 500 different people.
Now, hackers will use a common password on all of them.
It can be any type of common password.
For example, India@123.
This is a common password used by many Indians.
So, out of these 500 people, there might be a few who used this password.
Those who did,
their accounts would be easily accessed by the hackers.
The technique is special because
there was no need for phishing or a data leak.
These accounts were hacked with simple trial and error.
Only because some people
use extremely common passwords.
The fourth method is brute force.
In it, hackers try as many combinations of different passwords as they can.
You've seen or may even have used these suitcases.
They come with a small lock
with a 3-digit key.
Have you ever wondered how infallible these 3 digits can be?
If I try all the combinations from 000 to 999 one by one,
I can open the suitcase eventually.
This is true for such combination keys.
For this 3-digit lock,
there can be a maximum of 1,000 combinations only.
With only 1,000 attempts,
you can unlock it.
And it will take you only a few hours to do it.
This technique is called brute force.
You unlocked this with brute force.
When hackers use this technique,
they don't try each combination manually.
Instead, they use a specialised software
to try millions or billions of different passwords every second.
For a hacker, using brute force is made easier if your password is short.
If you use a 4-digit password,
it can be breached almost immediately.
It's a bit more difficult with 5-digit,
a bit more for 6-digit,
the longer your password is,
the more difficult it is for the computer software to try every combination.
Now the question is, how can you avoid this?
Because you won't use a 100-digits-long password.
Because the longer the password,
the more difficult it will be to remember and use.
So here comes the science of strong and weak passwords.
How strong a password is,
is measured in entropy.
You would've studied entropy in school.
In Maths, entropy means the degree of randomness.
Here, in the context of passwords,
it means the same.
The more random and unpredictable your password is,
the higher its entropy.
The more unique, random and long a password is,
the more its entropy will be.
And hacking it with brute force
becomes difficult.
There is a mathematical formula
to check the entropy of passwords.
Here, L stands for the total length of the password,
the number of digits in the password.
And N stands for the number of possible characters.
The number of possible characters that can be used for a digit.
For example, if you choose a password that's completely in lowercase letters,
like dhruv in lowercase,
then N is 26.
Because there are only 26 possibilities of a to z for a character.
If you include numbers with lowercase letters,
then N becomes
26 + the 10 possible digits.
N becomes 36.
If I capitalise D in dhruv123,
then the possibility includes numbers, lowercase, and uppercase alphabets.
So N becomes 26 + 26 + 10 = 62.
So the more kinds of characters you use,
lowercase, uppercase, numbers or even symbols like + = -,
the higher N becomes,
and the higher the entropy of the password.
In the first case, where the password was dhruv,
the entropy of that password was only 23 bits.
If I change it to dhruv123,
the length of the password increases from 5 to 8,
and the entropy increases to 41 bits.
And by capitalising one of the letters,
the entropy becomes 47 bits.
But is this entropy enough?
The simple answer is, No.
Entropy lower than 50 Bits is considered weak.
50 Bits to 75 Bits is reasonable,
75 Bits to 100 Bits is strong,
And entropy above 100 Bits
is considered to be a very strong password.
For example, this password Dhruv123,
can be cracked using brute force in only 17 minutes.
And surprisingly, there are many people all over the world,
who use even weaker passwords.
If we look at the top 10 most common passwords used in India,
the one most used is 123456
second is the word 'password'
third is 12345678
you can see the other common passwords too,
at the 9th spot is the password I mentioned before, india123.
If you are using any of these passwords,
there's a high chance that your inbox is full of phishing emails.
Another safe way to protect yourself against phishing email is,
NordVPN's Threat Protection system.
NordVPN is primarily a VPN app,
but it offers a separate threat protection feature.
If you turn it on while web browsing,
not only does it block ads and trackers,
but if you are taken to a scammy website by any phishing link,
it gives you a fraud alert too.
It is equipped with malware scanners too.
It works as the second layer of protection against phishing.
If you are tricked by a phishing link,
you will get an instant fraud alert,
before you enter your log in information.
Apart from this, NordVPN's VPN feature is very useful too.
It helps you spoof your location.
It's useful in bypassing blocked websites and location restrictions of a country.
And for protecting your privacy.
And the best thing is, even if you keep the VPN turned off,
you can still use the threat protection.
Or you can use them together if you want to.
Here, since they've sponsored this video,
you will get a big discount on their 2-year plan,
plus, 4 additional months for free.
This is completely risk free.
Because NordVPN offers a 30-day money-back guarantee.
So go try them out,
The link is NordVPN.com/Dhruv
It's given in the description too.
You can access this offer on this link.
And now, getting back to our list of passwords,
the Top 10 Most Common Passwords.
Let's look at the 10th spot.
1qaz@wsx
This sounds complicated.
But actually, this is a keyboard pattern.
If you use a keyboard pattern,
whether diagonal, vertical or horizontal,
it is very easy to crack such passwords.
In fact, it takes less than 1 minute for hackers to use brute force to breach it.
You might be confused here.
It took 17 minutes to breach dhruv123,
but less than a minute for 1qaz@wsx,
even though it uses letters, numbers, and even a symbol.
How is this possible?
There is a simple reason, friends.
When hackers choose to use brute force,
first, they look up the most common passwords online.
If they are going to use brute force,
or password spraying,
they begin by trying these common passwords with different user accounts.
So even though the entropy of a password might be higher,
it can still be easy to hack that password,
if it is one of the common passwords.
In America, one of the most common passwords is the word 'secret'.
Similarly, some people use the name of
their favourite celebrities as the password.
Like Sachin Tendulkar, MS Dhoni or Shahrukh Khan,
and add some numbers for the password.
Of course, it is silly to do this,
but at the same time,
it's as dangerous as using the name of a loved one as the password.
In this age of social media,
everyone's information is publicly available.
"Every part of a private life, today,
is found on someone's phone.
We used to say, a man's home is his castle.
Today, a man's phone is his castle."
If you use your best friend's name, or your
girlfriend's or wife's name as your password,
hackers can crack it very easily.
Actually, a name password
can be cracked in less than 10 seconds by brute force.
Because nowadays, everyone knows that if you need to create a password,
most websites have a minimum limit of 8 characters.
With at least one uppercase and one lowercase alphabet,
a number and a special character.
So most people use their spouse's name,
or their child's name,
with their birth date or phone number as a combination.
For example, if I was born in 1995,
some people will use dhruv@1995 as the password.
Its entropy is ~58 bits
and it will take less than 9 minutes to crack.
Even with a capital D,
it can be hacked in 19 minutes.
If I replace my year of birth with any random 4-digit number,
like Dhruv@7488,
this password is stronger than the previous,
but it can still be cracked within 3 days.
Friends, if you truly want to make a strong password,
never use anyone's name,
date of birth or phone number.
And have a 12 to 16 characters long password.
Only after 12 characters,
is a password long enough
that it takes more than a year to be cracked.
If you ask about how to remember such long passwords,
I would like to tell you about two techniques.
The 2 techniques to make the strongest passwords.
The first technique is the first letter combination.
Think of a memorable sentence.
For example, you can remember,
"My First Car Was A 1995 Honda Civic That I Loved."
This is a sentence.
Take the first letter of each word in this sentence.
mfcwa1995hctil
Now put this password through any password strength testing tool.
There are many websites for this online.
You will see that it will take 9 years to crack it.
In this sentence, if you capitalise some of the alphabets,
like C, A, and L,
then literally, the time increases from 9 years to 93 years.
It will take 93 years to crack this password by brute force.
Okay, so you can try this one thing,
but don't use the exact same sentence that I shared.
Come up with your own sentence.
It doesn't need to be car-related.
But if you don't like this, then the second technique is using passphrases.
Think of any random, memorable four words,
and make it your password.
Like, coffee, mountains, bicycles, and justice.
Four random words.
If I use this password without any special character or number,
it will take years to crack it through brute force.
But for extra safety,
Capitalise some letters,
and add some special characters and numbers in between,
then it will literally become an unbreakable password.
Along with this, you should also remember that
you need to create different passwords for each website.
Because whenever you hear about a data leak,
as soon as the leaked data reaches the hackers,
if you use the same password on multiple websites,
they can try it against your other accounts,
to check whether the same password works or not.
So to remember all your passwords,
I'd suggest associating a word with every social media website.
Like Facebook uses blue,
and the sky looks blue too.
So link the word 'sky' with Facebook.
Similarly, link another word with Instagram.
And another with Apple.
And in the four-word combination that you come up with,
one of those words should be associated with the platform like this.
In addition to making these strong passwords,
you need to take some more precautions.
Like, always opt for two-factor authentication.
So that, even if a hacker has your password,
it won't be enough to breach your account.
With two-factor authentication,
to access the account, you need to prove your identity in two different ways.
These two ways are,
first, something that is known to you only,
like, the password.
And second, something that you have.
Like your phone, app, message or fingerprint.
So, most websites today
require two-factor authentication.
Where not only do you need to enter your password,
but after entering the password,
you will receive an SMS on your phone or an email in your inbox.
You will receive an OTP
and only after you enter that OTP
will you be able to enter the account.
So, one more thing to remember here is that
never share your OTP with anyone.
And the third thing is
if you forget your passwords,
or you can't generally remember them,
then don't just write them down in a notes app or on paper.
Use password managers.
This is built into Apple's iOS as well as Android.
Your phone will remember your passwords.
And it will be authenticated through your fingerprint.
And finally, the fourth thing you should remember is
don't use the same password for multiple accounts.
Otherwise, even if only one set of data is leaked,
all your accounts will be compromised.
That's why it is important to use different passwords.
Now, a final question that you might have is,
how can you check whether or not your account was hacked in these data leaks?
For this, you can use this website.
haveibeenpwned.com
You can enter your email ID on this website
to check whether the email ID and its corresponding password have been leaked online or not.
Don't worry, I am not asking you to enter your password here.
You have to enter your email ID only.
Once you enter your email ID,
you will see the history
of the past data leaks where the login info and
password associated with the email ID was leaked.
For example, if I check the email ID narendramodi1234@gmail.com,
which, according to some news websites,
is PM Modi's actual gmail id,
you will get the entire email breach history
where this email id was included in 13 data breaches.
With the latest being this Alien Txt Base Stealer Logs.
And as you scroll down,
you will see that at different times,
when different websites faced data leaks,
for example, the Twitter data leak in January 2021
that affected more than 200 million user accounts,
it mentions the compromised data too,
email addresses, names, social media profiles and the username.
Similarly, if you scroll further, you will see Bitly's data leak in May 2014.
Where the compromised data included email address, password, and username.
When you enter your email ID here,
you will find out
whether, if you had signed up for a website like Bitly,
the email ID and password you used there
have been compromised,
and whether your account can be hacked.
In this case, you need to instantly change your password on that website.
And second, ensure that that specific password,
and any similar passwords you use,
are changed everywhere.
So overall, there's a lot to soak in.
But remember one thing,
after watching this video, the first thing you need to do,
is go change the password of all your important accounts.
This is for your safety and security.
Link to NordVPN is given in the description below,
and if you liked this video on consumer awareness,
you'd like my other similar videos.
Like this one,
where I tell you the underhanded ways companies use to fool us.
It has some shocking revelations.
You can click here to watch it.
Thank you very much!
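The video describes password entropy (L characters drawn from N possible characters), the strength bands it quotes (below 50 bits weak, 50 to 75 reasonable, 75 to 100 strong, above 100 very strong), the point that a high-entropy password is still weak if it is on a common-password list or a keyboard pattern, and the first-letter technique for building a long password from a sentence. The following is an added worked example written for this page; it is not code from the video or from any tool the video mentions. It reproduces the video's 23, 41 and 47-bit figures for dhruv, dhruv123 and Dhruv123 with E = L * log2(N). The symbol-class size of 32, the guess rate of one billion per second, and the tiny COMMON_PASSWORDS list are assumptions; real attackers use leaked lists with millions of entries, and the crack-time figures quoted in the video come from a tool with its own rate assumptions, so the seconds here differ from those.

```python
"""Password strength estimator: entropy E = L * log2(N), the strength bands quoted in
the video, a common-password / keyboard-row check, and the first-letter technique.
Added example for this page, not code from the video. Assumptions: the symbol class
counts 32 characters, the guess rate is 1e9/s, and COMMON_PASSWORDS is a constructed
stand-in for real leaked-password lists."""
import math
import string

# Character classes. N is the sum of the sizes of the classes present in the password,
# which reproduces the video's N = 26, 36 and 62 for dhruv, dhruv123 and Dhruv123.
# 32 for symbols is an assumption; strength calculators differ on this value.
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
)

# Constructed stand-in for the leaked-password lists attackers try first.
COMMON_PASSWORDS = {"123456", "password", "12345678", "india123", "1qaz@wsx", "secret"}

# Keyboard rows for a simple horizontal-walk check ("qwerty", "12345678").
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def charset_size(password: str) -> int:
    """N: distinct characters an attacker must try per position, by the classes present."""
    return sum(size for members, size in CHAR_CLASSES if any(c in members for c in password))


def entropy_bits(password: str) -> float:
    """E = L * log2(N), the formula behind the video's 23 / 41 / 47-bit figures."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def strength_label(bits: float) -> str:
    """Bands quoted in the video: <50 weak, 50-75 reasonable, 75-100 strong, 100+ very strong."""
    if bits < 50:
        return "weak"
    if bits < 75:
        return "reasonable"
    if bits < 100:
        return "strong"
    return "very strong"


def has_keyboard_walk(password: str, min_len: int = 4) -> bool:
    """True if any min_len-character window runs along a keyboard row in either direction.
    Rows only: column/diagonal walks such as 1qaz@wsx have to come from the word list."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(p[i:i + min_len] in seq for i in range(len(p) - min_len + 1)):
                return True
    return False


def is_common(password: str) -> bool:
    """Entropy is only an upper bound: a listed or patterned password falls to the first guesses."""
    return password.lower() in COMMON_PASSWORDS or has_keyboard_walk(password)


def crack_time_seconds(bits: float, guesses_per_second: float = 1e9) -> float:
    """Expected brute-force time: half the keyspace at an assumed guess rate (assumption)."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e9) -> dict:
    """Combine the entropy estimate with the common-password check."""
    bits = entropy_bits(password)
    if is_common(password):
        return {"bits": math.floor(bits), "label": "weak (common or keyboard pattern)", "seconds": 0.0}
    return {"bits": math.floor(bits), "label": strength_label(bits),
            "seconds": crack_time_seconds(bits, guesses_per_second)}


def first_letters(sentence: str) -> str:
    """The video's first-letter technique: initial of each word, numbers kept whole."""
    parts = []
    for word in sentence.split():
        word = word.strip(string.punctuation)
        if word:
            parts.append(word if word.isdigit() else word[0].lower())
    return "".join(parts)


if __name__ == "__main__":
    sentence = "My First Car Was A 1995 Honda Civic That I Loved."
    for pw in ("dhruv", "dhruv123", "Dhruv123", "1qaz@wsx", "Dhruv@7488",
               first_letters(sentence), "MfcwA1995hctiL", "coffeemountainsbicyclesjustice"):
        r = assess(pw)
        print(f"{pw:32} {r['bits']:4d} bits  {r['label']:36} {r['seconds']:.3g} s")
```

Two things the table makes visible that the transcript only states: 1qaz@wsx scores more bits than dhruv123 yet is rejected outright because it is on the list, and the four lowercase words coffeemountainsbicyclesjustice reach the "very strong" band on length alone, without any capital letter or symbol.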