{"id":14652,"date":"2025-08-21T07:24:30","date_gmt":"2025-08-21T07:24:30","guid":{"rendered":"https:\/\/newestek.com\/?p=14652"},"modified":"2025-08-21T07:24:30","modified_gmt":"2025-08-21T07:24:30","slug":"enterprise-passwords-becoming-even-easier-to-steal-and-abuse","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14652","title":{"rendered":"Enterprise passwords becoming even easier to steal and abuse"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Enterprise passwords are becoming easier to steal and increasingly difficult to stop being abused once they leak.<\/p>\n<p>According to <a href=\"https:\/\/www.picussecurity.com\/blue-report\">Picus Security\u2019s latest annual Blue Report<\/a>, based on more than 160 million real-world attack simulations, at least one password hash was cracked in 46% of tested environments \u2014 up from 25% in 2024.<\/p>\n<p>The rise highlights continued reliance on weak or outdated password policies, Picus concluded.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/silaozeren\/?originalSubdomain=tr\">S\u0131la \u00d6zeren<\/a>, security research engineer at Picus Security, tells CSO that attackers are getting faster and smarter while many organizations have failed to improve password security practices.<\/p>\n<p>\u201cThere are still too many environments that allow weak or even old passwords \u2014 even for privileged accounts \u2014 with no force of rotation or complexity,\u201d \u00d6zeren says. 
\u201cAnd even when there are strong policies, they are very old or only enforced sporadically.\u201d<\/p>\n<p>Despite years of <a href=\"https:\/\/www.csoonline.com\/article\/3604803\/security-awareness-training-topics-best-practices-costs-free-options.html\">awareness campaigns<\/a>, users continue to rely on weak, reused, and easily guessable passwords \u2014 a challenge amplified by the growing architectural complexity of the modern enterprise.<\/p>\n<p>\u201cIdentities are fragmented across many on-prem systems, cloud applications, and services,\u201d explains Ivan Milenkovic, vice president of risk technology for EMEA at cloud security vendor Qualys. \u201cThis decentralization makes visibility and consistent policy enforcement incredibly difficult, expanding the potential attack surface.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"cracks-in-enterprise-defenses\">Cracks in enterprise defenses<\/h2>\n<p>Attackers are becoming more effective at cracking passwords, using GPU-accelerated brute-forcing, rainbow tables, and <a href=\"https:\/\/www.csoonline.com\/article\/3951147\/infostealer-malware-poses-potent-threat-despite-recent-takedowns.html\">infostealer malware<\/a> to harvest credentials at scale while techniques such as <a href=\"https:\/\/www.paloaltonetworks.co.uk\/cyberpedia\/password-spraying\">password spraying<\/a> enable attackers to avoid triggering account lockouts. These methods exploit weak or reused passwords and flaws in how hashes are stored, making it easier to gain valid logins.<\/p>\n<p>\u201cStoring passwords using old methods such as MD5 or SHA-1 is no longer sufficient,\u201d Picus Security\u2019s \u00d6zeren says. \u201cNew standards such as bcrypt, Argon2, or scrypt slow down brute-force attacks.\u201d<\/p>\n<p>Strong hashing should also be combined with salt, a random value unique to each password, and pepper, a secret key stored away from the password. 
\u201cWithout these, an attacker can use rainbow tables and other shortcuts to crack hashes at scale,\u201d he says.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/matthew-bell-8a5b272b\/?originalSubdomain=uk\">Matthew Bell<\/a>, founder of cybersecurity and software development firm Cyber Protection Group, adds: \u201cToo many organizations still rely on weak complexity rules, outdated hashing methods, and static password policies. This leaves the door wide open to credential-based attacks, which are one of the most successful initial access vectors.\u201d<\/p>\n<p>Independent experts quizzed by CSO agree that advances in password cracking are an issue but argue that attacks based on <a href=\"https:\/\/www.csoonline.com\/article\/3970097\/the-state-of-intrusions-stolen-credentials-and-perimeter-exploits-on-the-rise-as-phishing-wanes.html\">stolen credentials are an even larger threat<\/a>.<\/p>\n<p>\u201cWhile brute-force cracking is a concern, especially for older systems or those still storing hashes in less secure ways, many breaches today start with stolen credentials, often harvested through phishing or social engineering, and then abused via <a href=\"https:\/\/www.csoonline.com\/article\/567905\/credential-stuffing-explained-how-to-prevent-detect-and-defend-against-it.html\">credential stuffing<\/a>,\u201d notes <a href=\"https:\/\/www.linkedin.com\/in\/paulfkenny\/?originalSubdomain=ie\">Paul Kenny<\/a>, vice president of customer success for EMEA and APAC at digital identity and security company Daon.<\/p>\n<p>\u201cAttackers don\u2019t really need to \u2018crack\u2019 a password if they can trick someone into handing it over,\u201d he adds.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/roddy-bergeron-cissp-ccsp-csap-33432573\/\">Roddy Bergeron<\/a>, cybersecurity technical fellow at Sherweb, a vendor that works with MSPs to deliver security services, believes attackers are not so much better at cracking passwords but <a 
href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\">getting better at phishing and social engineering<\/a>.<\/p>\n<p>\u201cWe\u2019re also still seeing massive amounts of credentials getting leaked due to poor security practices such as customer databases storing plain text passwords and credentials being hardcoded into applications,\u201d Bergeron says. \u201cDefenses exist for these attacks, but they are either not properly invested in or rely on people to follow proper procedures.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"growing-threat-from-stolen-credentials\">Growing threat from stolen credentials<\/h2>\n<p>Attackers actively target user credentials because they offer the most direct route or foothold into a targeted organization\u2019s network. Once inside, attackers can move laterally across systems, searching for other user accounts to compromise, or they attempt to escalate their privileges and gain administrative control.<\/p>\n<p>This hunt for credentials extends beyond user accounts to include code repositories, where developers may have hard-coded access keys and other secrets into application source code.<\/p>\n<p>Attacks using valid credentials were successful 98% of the time, according to Picus Security.<\/p>\n<p>Picus Security\u2019s Blue Report also found that data exfiltration attempts were stopped only 3% of the time, down from 9% in 2024. 
That statistic is particularly bad news at a time when <a href=\"https:\/\/www.csoonline.com\/article\/3842496\/the-state-of-ransomware-fragmented-but-still-potent-despite-takedowns.html\">ransomware operators are ramping up double-extortion attacks<\/a> based on threats to leak compromised information alongside demands for compromised companies to pay in order to regain access to hacked systems.<\/p>\n<p>\u201cThis suggests that even when attackers are detected, response mechanisms are either too slow, poorly integrated or simply ineffective at stopping the damage,\u201d says Cyber Protection Group\u2019s Bell.<\/p>\n<p>Qualys\u2019 Milenkovic argues that organizations should be deploying a range of defensive strategies to protect digital identities.<\/p>\n<p>\u201c<a href=\"https:\/\/www.csoonline.com\/article\/563753\/two-factor-authentication-2fa-explained.html\">Multi-factor authentication<\/a> (MFA) is now considered a baseline control, adding a crucial verification layer beyond a simple password,\u201d Milenkovic tells CSO. \u201cThis is often supplemented by user behavior analytics, which can flag anomalous activity indicative of a compromised account.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/darrenguccione\/\">Darren Guccione<\/a>, CEO and co-founder of zero-trust password management and encryption vendor Keeper Security, says that legacy complexity rules, such as forcing periodic password changes or minor character substitutions, offer \u201clittle resistance\u201d against modern brute-force and dictionary attacks.<\/p>\n<p>\u201cDefenses must evolve to include comprehensive credential lifecycle management, privileged access controls and real-time anomaly detection,\u201d Guccione says. 
\u201cThe adoption of phishing-resistant authentication methods, such as <a href=\"https:\/\/www.csoonline.com\/article\/574369\/how-passkeys-are-changing-authentication.html\">passkeys<\/a>, can also significantly reduce the risk of compromised credentials being exploited and prevent lateral movement in the event of a breach.\u201d<\/p>\n<p><a href=\"https:\/\/www.ulster.ac.uk\/staff\/kj-curran\">Kevin Curran<\/a>, IEEE senior member and professor of cybersecurity at Ulster University, notes that too many organizations still rely on legacy systems, inconsistent password policies, and incomplete MFA enforcement.<\/p>\n<p>\u201cCISOs and security teams should focus on enforcing strong, unique passwords, using MFA everywhere, managing privileged accounts rigorously and testing identity controls regularly,\u201d Curran says. \u201cCombined with well-tuned DLP [<a href=\"https:\/\/www.csoonline.com\/article\/568953\/how-to-set-up-your-network-to-prevent-data-loss.html\">data loss prevention<\/a>] and continuous monitoring that can detect abnormal patterns quickly, these measures can help limit the impact of stolen or cracked credentials.\u201d<\/p>\n<p>Picus Security\u2019s latest findings reveal a concerning gap between the perceived protection of security tools and their actual performance. 
An overall protection effectiveness score of 62% contrasts with a shockingly low 3% prevention rate for data exfiltration.<\/p>\n<p>\u201cFailures in detection rule configuration, logging gaps and system integration continue to undermine visibility across security operations,\u201d according to Picus Security.<\/p>\n<h2 class=\"wp-block-heading\" id=\"effective-countermeasures-require-continuous-validation\">Effective countermeasures require continuous validation<\/h2>\n<p>Rather than pointing towards inherent limitations of security countermeasures, Qualys\u2019 Milenkovic argues that these findings show that the effectiveness of these tools is often severely undermined by a lack of continuous validation and management.<\/p>\n<p>\u201cThe primary culprit is a \u2018set-and-forget\u2019 mentality,\u201d Milenkovic says. \u201cSecurity controls are potent when deployed, but their effectiveness degrades over time due to configuration drift, environmental changes, and evolving attacker techniques.\u201d<\/p>\n<p>Milenkovic adds: \u201cFor the modern CISO, the key takeaway is the critical need to shift towards a threat-informed defense. This involves moving beyond compliance-based box-ticking and embracing a proactive strategy of continuous security control validation.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14652","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14652"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14652\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}