Passwords remain one of the weakest links in enterprise security — and new research suggests the problem is only getting worse. Despite years of awareness campaigns and stricter rules, weak and outdated password practices are still exposing organizations to credential theft and large-scale breaches.
According to Picus Security’s latest Blue Report, based on more than 160 million attack simulations, at least one password hash was cracked in 46% of enterprise environments in 2025. That’s almost double the 25% recorded in 2024.
The findings highlight how outdated policies and poor credential management continue to leave enterprises open to attack.
Why Passwords Are Still So Vulnerable
Cyber attackers are not just getting faster at password cracking — they are also smarter. Security research engineer Sıla Özeren of Picus Security explains that too many environments still allow weak or even old passwords, even for privileged accounts. In many cases, password rotation or complexity rules are outdated, or applied only sporadically.
This is a major problem in today’s complex IT environments. With identities spread across on-premises systems, multiple cloud apps, and hybrid infrastructures, consistent enforcement of strong password policies is becoming increasingly difficult.
“Decentralization makes visibility and enforcement harder, expanding the attack surface,” says Ivan Milenkovic, VP of risk technology at Qualys.
Attackers Are Getting Better at Cracking Passwords
Modern attackers use powerful techniques such as GPU-accelerated brute-forcing, rainbow tables, infostealer malware, and password spraying. These methods allow them to bypass lockouts, harvest credentials at scale, and exploit weak hashing practices.
Fast, general-purpose hashes like MD5 or SHA-1 are no longer adequate for storing passwords. Security experts recommend purpose-built password hashing functions such as bcrypt, Argon2, or scrypt, combined with unique per-user salts and a server-side pepper, to make brute-force attacks significantly slower and more expensive.
“Without proper hashing and salting, attackers can crack hashes at scale using rainbow tables and other shortcuts,” Özeren warns.
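As an added example (not code from the report or the article), the contrast described above in Python: an unsalted MD5 lookup beside a scrypt scheme with a per-user random salt, a server-side pepper bound in via HMAC, a constant-time verifier, and a check for legacy records that should be rehashed at next login. The PEPPER value is a constructed placeholder; in practice it lives in a secrets manager, never in the credential store.

```python
import hashlib
import hmac
import os

# Server-side pepper: a secret kept outside the credential database (secrets
# manager or HSM). Constructed placeholder value for this example only.
PEPPER = b"example-pepper-replace-with-secret-from-vault"


def legacy_md5(password: str) -> str:
    """Unsalted MD5, the 'before' case: identical passwords yield identical hashes,
    so one precomputed (rainbow) table cracks every user sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _pepper(password: str, pepper: bytes) -> bytes:
    # Bind the pepper to the password with HMAC before the slow hash, so a dumped
    # database alone (without the pepper) cannot be attacked offline.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER, n: int = 2 ** 14) -> str:
    """scrypt with a fresh random 16-byte salt per user; the cost parameter n is
    stored with the hash so it can be raised later without breaking verification."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(_pepper(password, pepper), salt=salt, n=n, r=8, p=1, dklen=32)
    return f"scrypt${n}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and cost; constant-time compare avoids timing leaks."""
    try:
        algo, n, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        digest = hashlib.scrypt(_pepper(password, pepper), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=8, p=1, dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False  # malformed or legacy record never verifies


def needs_rehash(stored: str, min_n: int = 2 ** 14) -> bool:
    """True for legacy (non-scrypt) entries or entries below the current cost floor,
    so records are upgraded transparently at the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "scrypt" or int(parts[1]) < min_n
```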
Credential Theft Is Even More Dangerous
While brute-force cracking remains a problem, experts stress that stolen credentials are an even bigger threat.
Attackers often don’t need to crack passwords if they can steal them through phishing, social engineering, or credential leaks. Once inside, they can move laterally, escalate privileges, and gain administrative control of critical systems.
According to the Blue Report, attacks using valid credentials succeed 98% of the time, making credential-based breaches one of the most successful attack vectors.
Even worse, attempts to stop data exfiltration were only effective 3% of the time in 2025, down from 9% in 2024 — a worrying trend given the rise of ransomware double-extortion attacks.
Why Enterprise Defenses Keep Failing
Experts argue that too many organizations still rely on outdated security practices. Weak complexity rules, legacy systems, incomplete MFA enforcement, and poor credential management continue to expose enterprises.
“Defenses exist, but they’re either underfunded, poorly enforced, or dependent on people following procedures,” says Roddy Bergeron of Sherweb.
Cybersecurity leaders agree that modern defenses should go beyond passwords. Multi-Factor Authentication (MFA) is now a baseline requirement, supplemented by behavioral analytics, privileged access controls, real-time anomaly detection, and phishing-resistant authentication methods like passkeys.
“Legacy password rules such as forced character substitutions or periodic resets offer little resistance to today’s attacks,” says Darren Guccione, CEO of Keeper Security.
Continuous Validation Is Key
One of the most concerning findings of the Picus Security report is the gap between perceived and actual protection. While enterprises scored an average 62% effectiveness rating, only 3% of data exfiltration attempts were successfully blocked.
Experts believe the real issue is not the tools themselves but the lack of continuous validation. Security controls are often deployed and then forgotten, gradually losing effectiveness due to configuration drift, outdated rules, or evolving attacker techniques.
“The key takeaway for CISOs is clear — enterprises must adopt a threat-informed defense,” says Milenkovic of Qualys. “That means moving beyond compliance checklists and embracing continuous testing, monitoring, and security control validation.”
Conclusion
The state of enterprise password security is a wake-up call. Weak, outdated, and poorly enforced password policies are leaving businesses exposed to credential theft and large-scale breaches. Attackers are not only cracking passwords faster but also stealing them more efficiently through phishing and social engineering.
To defend against this growing threat, organizations must:
Enforce unique, complex passwords across all systems.
Implement multi-factor authentication (MFA) everywhere.
Adopt phishing-resistant authentication methods like passkeys.
Regularly test and validate identity and access controls.
Replace legacy hashing with bcrypt, Argon2, or scrypt combined with salts and peppers.
Without these measures, enterprises risk leaving the “front door” wide open to attackers.