Getting into a well-guarded computer system doesn’t always require sophisticated tricks like breaking through a firewall or injecting a virus. In many cases, intruders can simply log in with a username and password they’ve stolen or simply guessed.

According to Verizon’s latest annual data breach study, which is considered an essential report in the security industry, last year “63% of confirmed data breaches involved leveraging weak/default/stolen passwords.” The theft and reuse of stolen usernames and passwords, according to the report, “is used in highly targeted attacks as well as in opportunistic malware infections. It is in the standard toolkit of organized criminal groups and state-affiliated attackers alike.”

And why is it so common?

Part of the reason, of course, is that people too often choose passwords that are easy to guess or reused from elsewhere. Hackers can figure these out using a variety of methods, such as trying them out of a list of common passwords, stealing them from a file they’ve managed to obtain in another hack, tricking the victim into revealing them, or deducing them from other information about the victim.

But the other part is that websites and computer systems too often don’t require their users to use “two-step authentication.” This involves requiring you to enter another piece of information after your password, such as a one-time verification code texted to your phone. Even if a hacker has your username and password, two-step authentication will usually protect you.

Some industries and workplaces have embraced that kind of authentication more widely than others. But even those that have it often don’t make it mandatory. Because of that, as we recently found, it may very well be easier to break into your bank account than your email.