Why Strong Passwords Still Get Hacked

You can do everything right and still lose

and

Oct 30, 2025

Hey there👋

A while back, I thought maybe we should “niche down.” That’s what every successful creator preaches.

But a friend stopped me…“Why bother?” he said.

He was right, nobody’s doing what we’re doing: breaking down tech for the everyday reader, making sense of systems most people feel locked out of.

Sure, the ROI isn’t great, but not everything’s about ROI - SK NEXUS never was.

Everything here exists to help you see how the digital world really runs and why that should matter to you. And hopefully turn the tide on what we call “ROI”.

Today I want to bring attention to yet another topic that doesn’t get much love or understanding, and perhaps change your approach to thinking about it - passwords.

You spent time crafting the perfect password. Numbers, symbols, uppercase letters. Feels secure, right?

But here’s the ugly truth: it doesn’t matter how strong your password is if the company holding it messes up. And they do. A lot.

We’re always told: “Make it stronger. Make it longer”. Sure, weak passwords are a disaster waiting to happen. But even the best lock is useless if the door it’s on is made of cardboard. That’s the part nobody tells you.

That’s what we’re unpacking today - the side of password security most people never see. In this piece, I’ll be break down the following:

How passwords are really stored
Why some storage methods are basically leaving the vault wide open
Why all of this matters & much more

How Passwords Are Stored

You’ve heard the lectures: use a strong password, throw in a capital letter. But does it really matter?

You might’ve heard scary terms tossed around - plaintext, hashes, encryptions….Sounds technical, right? So how about we break down the basics of how passwords actually live inside databases? Then we can pivot towards more advanced topics.

Plaintext - The Worst Way to Store Passwords

Plaintexts are by far the worst way to store passwords: saved exactly as you typed them, no scrambling, no protection.

If a hacker gets access, they get everything. Your password appears as simple text, it’s a hacker’s jackpot, especially since many users reuse the same password across services. Hackers won’t even need to use their computers to crack the passwords.

It’s a full win in one file - passwords, emails, username….all displayed like a grocery list.

And here’s the worst part:

Even today, plaintext storage isn’t extinct. Big names have been caught using it:

In 2019, Meta was fined $101 million by European regulators for storing hundreds of millions of user passwords in plaintext.
In 2024, the Firebase incident exposed over 19 million plaintext passwords due to poor security rules.

Hashes - Better, But Not Bulletproof

First, companies realized storing your password in plain text was dumb. So they moved to hashing.

A hash is basically a one-way math function: It scrambles your password into a messy string of characters that (in theory) can’t be turned back. If hackers steal the database, they only see gibberish.

But not all hashes are equal. Old ones like MD5 or SHA-1 are so weak that modern computers can crack them in seconds. What once took years now takes minutes on a decent PC.

And here’s where it gets worse - Hackers have cheat sheets called rainbow tables. These are like giant “answer keys” they can use to instantly match scrambled passwords to real ones.

Even stronger raw hashing isn’t enough on its own. With billions of guesses per second possible, an attacker can brute-force through shorter or common passwords without breaking a sweat.

So yes, hashing is better than plain text - but if companies use outdated methods, all that effort is just a waste.

Enter the Hacker’s POV

Now that you know the basics, switch the places for a second. Imagine you’re the attacker staring at a fresh leaked password database. What’s your reaction?

If the company stored passwords in plaintext or with weak hashes, you’re probably going to be happy. It’s going to be effortless - crack them all, resell on the darknet, maybe even reuse them across other accounts. Easy money, no sweat.

But what if the passwords are stored the right way?

Suddenly, everything is going to turn into a nightmare.

Your GPU works extra for days, rainbow tables become useless, and every second feels like wasted effort. That’s when you decide that you need to move on.

So the real question is - what makes passwords “the right way” secure?

Salts - Breaking the Copy-Paste Attack

So how do companies make passwords harder to crack? They add salt.

A salt is just a random string that gets mixed in with your password before it’s scrambled (hashed). It sounds simple, but it’s a game-changer.

Here’s why - Without salts, two people using the same password (“password123”) end up with the exact same hash result. Hackers see that and instantly know which accounts share the same weak key. With rainbow tables, they can crack them in bulk.

Add salt, and suddenly….everything changes - Even if 100 people pick the same password, each one gets stored as something unique. To hackers, it’s like every lock suddenly has its own custom key.

Even Salt Bae never forgets to salt his passwords

But it’s important to note that – Salting doesn’t make passwords uncrackable, but it forces attackers to start from scratch every single time. And in security, making the attacker’s life harder is the whole game.

Key Stretching – The Game Changer

If salts make life harder for attackers, key stretching is what makes it painful. This plays a key role in password security.

I’ll bet most of you have never even heard of it. (If you have, drop a comment - I’d love to know how deep you’ve gone into this rabbit hole.)

At its core, key stretching takes your password and makes the hashing process slower and heavier on purpose. Why? Because what’s cheap and instant for you becomes insanely expensive for an attacker trying to crack millions of passwords at once.

Here’s what the process looks like:

Initial Hashing → Imagine putting your valuables in a box and locking it once. That’s normal hashing.
Iterative Hashing → Now imagine adding thousands of extra locks, one after the other, around that same box. That’s key stretching.
Final Output → The end result is a fortress of locks. Even if a thief has master tools, breaking through all of them takes forever.

The Players: Common Algorithms

Now that you got the basics down.
The next question is: “what’s actually used in the real world?”

Following is a table that includes the most common key stretching algorithms - stripped down to the basics ( so your brain doesn’t hurt. )

Do keep in mind that - this table only tells about these concepts from high level pov and most people aren’t interested in understanding how these algorithms truly work…that’s why I didn’t go into the details - but if enough of you do insist that I talk more on these algorithms - I’ll make it happen.

Why Key Stretching Matters More Than the Password

Suppose that - a hacker can crack billions of passwords in seconds, you can think of this as “a hacker picking billions of locks in seconds”.

Now - if you introduce key stretching. Suddenly, that same task takes weeks or months and due to the extra effort, the exact jackpot becomes worthless for the hackers.

The truth is:
A weak password with proper stretching can outlast a strong password stored with weak hashing.

That’s the part most people never hear.
It’s not just about how clever your password is.
It’s about whether the system behind it is designed to protect you or expose you.

The Problem: You Can’t Control Storage

By now you know that - password safety isn’t fully in your hands.

Companies get to pick the rules, they decide whether Argon2 or some other half-baked algorithm from 2005 will be used to protect your passwords. And you have no say in it.

Also, if you zoom out a bit you’ll notice that the way companies store users’ passwords tells a lot about how they treat security, in general.

Anyway, at this point the real question that one should ask themselves is: “when the system fails, what options do you actually have?”

What You Can Control: Your Side

Breaches happen. That’s the company’s fault, not yours. But you can’t just shrug and say, “Well, nothing I can do.” You still have a role to play.

A strong, unique password won’t make you unhackable - but it will buy you time. Hackers want quick wins. If your password take too much time to crack, they’ll usually skip it.

Here’s what you should keep in mind:

Don’t overshare → Don’t hand over personal details you wouldn’t want leaked. Assume breaches will happen.
Enable 2FA → Even if your password gets cracked, 2FA can still block the attacker.
Use strong, unique passwords → Stop reusing the same password everywhere, a password manager is your best friend here.

And before you say, “I’ll never remember long passwords” - you’re not supposed to. That’s what password managers are for.

Password Managers 101

Humans aren’t built to memorize 200 unique keys to 200 different doors. Yet that’s exactly what modern life demands. No wonder people reuse the same password “Ilovemywifexoxo” everywhere.

And that’s where password managers step in. Think of them as your all-in-one vault:

Generate strong, random passwords.
Store them securely.
Autofill them when you need.

In short, they give you convenience and security at the same time.

Which password manager to choose?

For most people → go with 1Password, Bitwarden, or Dashlane.
For paranoid folks → KeePassXC or a self-hosted Bitwarden (Vaultwarden).

For those of you, who don’t know what self-hosting is - it basically means to store your data on your own computer instead of the cloud.

And if you’re curious about self-hosting but don’t know where to start, let me know in the comments. If enough of you want, I’ll happily write a step-by-step guide.

Why It All Matters

Let’s face it - you can’t control what companies do with your data. Some store it well, others leave the door wide open. But what is in your control is how much damage a breach can cause you.

Breaches are the new normal.

And in order for you to protect yourself from them - you don’t need to become untouchable, you just need to be harder to crack than the next person. Hackers go for easy wins. If your vault is stronger, they’ll move on.

Think of it like running from a hungry bear.
You don’t have to be the fastest.
You just can’t be the slowest.

Also, here’s the part most people miss - A password leak today can haunt you years later if you reuse or neglect hygiene. Once it leaks, it lives forever in dark web dumps, ready to be recycled against you months or even years later.

So yeah….it’s not just about avoiding the tiger now.
It’s about not carrying the bait for the next one.

The system is broken and you can’t fix the entire system. But that doesn’t mean you have to be the casualty, you can always shrink your attack surface and tilt the odds massively in your favor.

The Last Word on Passwords

Everyone tells you to “make a strong password.” Few talk about what happens behind the curtain - how your so-called safe password ends up selling on the dark web for $12.99 after a company fails to protect you.

Has this ever happened to you? If yes, you already know the sting.

Anyway, don’t let all this paralyze you. The point of this deep dive was to simply arm you. You now know how the game really works, and this time, you walked away with a playbook: how to make your passwords harder to crack, why password managers matter, and how to shrink your risk even when companies screw up.

And always remember…

Your password isn’t the lock - It’s the key.
The real lock is how companies store it.
If that lock is weak, anything is a key.

Congrats! If you made it this far, you’ve unlocked a new power:

Not X-ray vision that allows you to see through walls.
But the ability to see through companies security BS, and actual tools to outsmart it. And that’s way more useful.

It’s Your Turn

I’ve said enough. Now it’s your turn.

Have you ever had your password show up in a breach? What did that feel like?
Do you trust the companies you give your data to - or do you assume the worst?
And here’s one more: after reading this, what password manager do you see yourself using (if any)?

Drop your thoughts in the comments - I love reading them and connecting with you folks.

Also, a quick heads-up: soon I’ll be starting a mini-series on digital self-defense - a simple, step-by-step guide to making yourself secure online, even if you’re starting from zero (it’ll be free). So stay tuned

If you want more content like this, hit subscribe and restack. I’m on a mission to help people see through the noise, and make them understand what’s going on behind the curtain.

But for this to reach more people, I need your support. Subscribes and restacks aren’t just numbers - they’re what keep this mission alive and spreading.

Lastly, if you found value here, back me up.
Let’s get more people aware, more people secure.

And hey, if you want to talk 1-on-1, don’t hesitate to DM me.
I’m always up for a good conversation.