Enterprise passwords are becoming easier to steal and increasingly difficult to stop being abused once they leak.
According to Picus Security’s latest annual Blue Report, based on more than 160 million real-world attack simulations, at least one password hash was cracked in 46% of tested environments — up from 25% in 2024.
The rise highlights continued reliance on weak or outdated password policies, Picus concluded.
Sıla Özeren, security research engineer at Picus Security, tells CSO that attackers are getting faster and smarter while many organizations have failed to improve password security practices.
“There are still too many environments that allow weak or even old passwords — even for privileged accounts — with no force of rotation or complexity,” Özeren says. “And even when there are strong policies, they are very old or only enforced sporadically.”
Despite years of awareness campaigns, users continue to rely on weak, reused, and easily guessable passwords — a challenge amplified by the growing architectural complexity of the modern enterprise.
“Identities are fragmented across many on-prem systems, cloud applications, and services,” explains Ivan Milenkovic, vice president of risk technology for EMEA at cloud security vendor Qualys. “This decentralization makes visibility and consistent policy enforcement incredibly difficult, expanding the potential attack surface.”
Cracks in enterprise defenses
Attackers are becoming more effective at cracking passwords, using GPU-accelerated brute-forcing, rainbow tables, and infostealer malware to harvest credentials at scale while techniques such as password spraying enable attackers to avoid triggering account lockouts. These methods exploit weak or reused passwords and flaws in how hashes are stored, making it easier to gain valid logins.
“Storing passwords using old methods such as MD5 or SHA-1 is no longer sufficient,” Picus Security’s Özeren says. “New standards such as bcrypt, Argon2, or scrypt slow down brute-force attacks.”
Strong hashing should also be combined with salt, a random value unique to each password, and pepper, a secret key stored away from the password. “Without these, an attacker can use rainbow tables and other shortcuts to crack hashes at scale,” he says.
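The contrast Özeren draws, shown as an added example that is not code from the article or from Picus: unsalted MD5 gives two users with the same password the same stored value (which is what rainbow tables exploit), while salted, peppered scrypt does not. The user list and the pepper value are constructed for illustration; in practice the pepper would live in a secrets manager, never beside the hashes.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to pick the same password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}

# Hypothetical pepper; kept outside the password database in a real deployment.
PEPPER = b"example-pepper-stored-outside-the-database"


def legacy_md5(password: str) -> str:
    """Unsalted MD5: the outdated storage scheme the article warns against."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, peppered scrypt; returns a self-describing 'scrypt$salt$digest' record."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    # Pepper is mixed in via HMAC, so a leaked database is useless without it.
    peppered = hmac.new(PEPPER, password.encode(), hashlib.sha256).digest()
    digest = hashlib.scrypt(peppered, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def identical_hashes(hash_fn) -> bool:
    """True when users sharing a password end up with the same stored value."""
    stored = {user: hash_fn(pw) for user, pw in USERS.items()}
    return stored["alice"] == stored["bob"]


if __name__ == "__main__":
    print("unsalted MD5 exposes shared passwords:", identical_hashes(legacy_md5))
    print("salted scrypt hides them:             ", identical_hashes(hash_password))
    rec = hash_password("Summer2024!")
    print("correct password verifies:", verify_password("Summer2024!", rec))
    print("wrong password rejected:  ", not verify_password("winter", rec))
```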
Matthew Bell, founder of cybersecurity and software development firm Cyber Protection Group, adds: “Too many organizations still rely on weak complexity rules, outdated hashing methods, and static password policies. This leaves the door wide open to credential-based attacks, which are one of the most successful initial access vectors.”
Independent experts quizzed by CSO agree that advances in password cracking are an issue, while arguing that attacks based on stolen credentials are an even larger threat.
“While brute-force cracking is a concern, especially for older systems or those still storing hashes in less secure ways, many breaches today start with stolen credentials, often harvested through phishing or social engineering, and then abused via credential stuffing,” notes Paul Kenny, vice president of customer success for EMEA and APAC at digital identity and security company Daon.
“Attackers don’t really need to ‘crack’ a password if they can trick someone into handing it over,” he adds.
Roddy Bergeron, cybersecurity technical fellow at Sherweb, a vendor that works with MSPs to deliver security services, believes attackers are not so much better at cracking passwords but getting better at phishing and social engineering.
“We’re also still seeing massive amounts of credentials getting leaked due to poor security practices such as customer databases storing plain text passwords and credentials being hardcoded into applications,” Bergeron says. “Defenses exist for these attacks, but they are either not properly invested in or rely on people to follow proper procedures.”
Growing threat from stolen credentials
Attackers actively target user credentials because they offer the most direct route or foothold into a targeted organization’s network. Once inside, attackers can move laterally across systems, searching for other user accounts to compromise, or they attempt to escalate their privileges and gain administrative control.
This hunt for credentials extends beyond user accounts to include code repositories, where developers may have hard-coded access keys and other secrets into application source code.
Attacks using valid credentials were successful 98% of the time, according to Picus Security.
Picus Security’s Blue Report also found that data exfiltration attempts were stopped only 3% of the time, down from 9% in 2024. That statistic is particularly bad news at a time when ransomware operators are ramping up double-extortion attacks based on threats to leak compromised information alongside demands for compromised companies to pay in order to regain access to hacked systems.
“This suggests that even when attackers are detected, response mechanisms are either too slow, poorly integrated or simply ineffective at stopping the damage,” says Cyber Protection Group’s Bell.
Qualys’ Milenkovic argues that organizations should be deploying a range of defensive strategies to protect digital identities.
“Multi-factor authentication (MFA) is now considered a baseline control, adding a crucial verification layer beyond a simple password,” Milenkovic tells CSO. “This is often supplemented by user behavior analytics, which can flag anomalous activity indicative of a compromised account.”
Darren Guccione, CEO and co-founder of zero-trust password management and encryption vendor Keeper Security, says that legacy complexity rules, such as forcing periodic password changes or minor character substitutions, offer “little resistance” against modern brute-force and dictionary attacks.
“Defenses must evolve to include comprehensive credential lifecycle management, privileged access controls and real-time anomaly detection,” Guccione says. “The adoption of phishing-resistant authentication methods, such as passkeys, can also significantly reduce the risk of compromised credentials being exploited and prevent lateral movement in the event of a breach.”
Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, notes that too many organizations still rely on legacy systems, inconsistent password policies, and incomplete MFA enforcement.
“CISOs and security teams should focus on enforcing strong, unique passwords, using MFA everywhere, managing privileged accounts rigorously and testing identity controls regularly,” Curran says. “Combined with well-tuned DLP [data loss prevention] and continuous monitoring that can detect abnormal patterns quickly, these measures can help limit the impact of stolen or cracked credentials.”
Picus Security’s latest findings reveal a concerning gap between the perceived protection of security tools and their actual performance. An overall protection effectiveness score of 62% contrasts with a shockingly low 3% prevention rate for data exfiltration.
“Failures in detection rule configuration, logging gaps and system integration continue to undermine visibility across security operations,” according to Picus Security.
Effective countermeasures require continuous validation
Rather than pointing towards inherent limitations of security countermeasures, Qualys’ Milenkovic argues that these findings show that the effectiveness of these tools is often severely undermined by a lack of continuous validation and management.
“The primary culprit is a ‘set-and-forget’ mentality,” Milenkovic says. “Security controls are potent when deployed, but their effectiveness degrades over time due to configuration drift, environmental changes, and evolving attacker techniques.”
Milenkovic adds: “For the modern CISO, the key takeaway is the critical need to shift towards a threat-informed defense. This involves moving beyond compliance-based box-ticking and embracing a proactive strategy of continuous security control validation.”