Source: go.theregister.com – Author: Robin Birtstone
Sponsored feature The IT business likes to reinvent things as quickly as possible. Except passwords, that is. We’ve been using them since Roman times, only now they’re digital. They’re the fungal skin disease of tech; irritating and hard to get rid of.
We’ve tried. Passkeys and biometric authentication have made some inroads, but they’re far from ubiquitous. Each also has its own implementation problems. Despite their reliance on industry standards, passkeys are often trapped inside vendor ecosystems.
Biometrics vendors are in a constant cat-and-mouse game with hackers, and some smartphones fall back to a PIN code when that authentication fails anyway. What’s the betting that the code is a mixture of grandchildren’s birthdays, which also unlocks a bank card?
So passwords remain the main digital access mechanism, and the primary point of friction. “The password is just the thing that gets in the way,” says Darren James, senior product manager at password management and authentication systems vendor Specops. “It’s just what people want to get past to do their job.”
Passwords are insecure
Unfortunately passwords aren’t just the biggest cause of friction; they’re also the single biggest point of failure. Our wish to just get past the login screen as quickly as possible causes some forehead-slapping mistakes, and creates fertile ground for attackers. That’s why Verizon’s 2025 Data Breach Investigations Report (DBIR) found that 38 percent of attacks involved credential abuse or phishing. Attackers keep exploiting this weakness because it’s the gift that keeps on giving.
Credential abuse is a low-effort, high-reward pastime, whether you’re stuffing credentials from a stolen database or brute-forcing a login form using a dictionary attack. It’s also a great way to get immediate access to internal systems, even if your target is working from home with a machine not directly connected to the corporate network.
If a sensitive area of a corporate system is segmented from the rest of the infrastructure, then stealing the account of a user with access to that area is the goal. Why try to break a window when you can pocket the key and walk through the door?
Common mistakes
One of the most common password mistakes involves using passwords that are easy to guess. The top five stolen passwords in 2025, according to the Specops Breached Password Report, were ‘123456’, ‘admin’, ‘12345678’, ‘password’, and ‘Password’.
Smart folks know that you should never use your dog’s name as a password, even if you cloak it in other information. ‘Patches2022!’ won’t work because it’s a predictable pattern that people can deduce from your social media information. Your dog’s name is only safe if he’s called something like ‘D$77-3#nad23i’, in which case good luck getting him in from the garden.
Even if you do follow password complexity guidelines, you’re still not necessarily safe. They’re often not strong enough to fool the attackers. The Specops report found that 230 million stolen passwords met standard complexity requirements, and included things like ‘P@ssw0rd’.
James cites the password recommendations for Active Directory admins as an example. Microsoft’s guidance for AD passwords designated as ‘strong’ is a minimum of eight characters including three character types (choose from lowercase, uppercase, numbers, or symbols). Microsoft specifically warns against dictating four types because users will get frustrated. This means that according to Microsoft, ‘Password1’ would be a strong password.
Faux-complex passwords like these are easy to assemble in lists that intruders can then use to target online services in brute-force attacks. They’ll get into a cat-and-mouse game with defenders who will start rate-limiting login attempts, locking people out for a while after a set number of failures.
Other password generation ideas
“So if your lockout threshold is 10 attempts in 30 minutes, they’ll just try nine times, and then in 30 minutes try again,” says James. “They’re not just doing this on one account; they’re doing this on thousands of accounts in your organization.”
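As an added illustration (not code from the article or from Specops), the Python detection logic below runs over a constructed set of failed-logon records and shows why a per-account lockout of 10 failures in 30 minutes never fires against a spray that stops at nine per account, while counting distinct accounts per source does. The source addresses and account names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, source IP, account).
# One source tries nine guesses per account, staying under a
# "10 failures in 30 minutes" lockout threshold, across four accounts.
SAMPLE_FAILURES = []
base = datetime(2025, 5, 28, 9, 0, 0)
for n in range(4):                       # four targeted accounts
    for k in range(9):                   # nine attempts each, one per minute
        SAMPLE_FAILURES.append((base + timedelta(minutes=k), "203.0.113.7", f"user{n:02d}"))
# Benign noise: one user mistyping their own password three times.
for k in range(3):
    SAMPLE_FAILURES.append((base + timedelta(minutes=k), "198.51.100.4", "alice"))


def per_account_lockouts(failures, threshold=10, window=timedelta(minutes=30)):
    """Mimic the per-account lockout rule: which accounts reach `threshold`
    failures inside any `window`? Returns a sorted list of account names."""
    by_account = defaultdict(list)
    for ts, _src, account in failures:
        by_account[account].append(ts)
    locked = []
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1                   # j - i = failures in [times[i], times[i] + window]
            if j - i >= threshold:
                locked.append(account)
                break
    return sorted(locked)


def spray_sources(failures, min_accounts=3, window=timedelta(minutes=30)):
    """Spray detection: a single source failing against `min_accounts` or more
    distinct accounts inside one window. Returns {source: distinct accounts}."""
    by_source = defaultdict(list)
    for ts, src, account in failures:
        by_source[src].append((ts, account))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        for start, _ in events:
            accounts = {a for t, a in events if timedelta(0) <= t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = len(accounts)
                break
    return flagged
```

With the sample data, `per_account_lockouts` returns an empty list while `spray_sources` flags the spraying address with four accounts; lowering the lockout threshold to nine would catch the same source, but only by locking out the very users being attacked.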
Others have come up with more innovative ideas for passwords, such as using the What3Words service to create a three-word location representing a place that’s meaningful to you. Let’s just hope no one remembers where you proposed to your spouse. The UK’s National Cyber Security Centre suggests just using three random words instead.
Even if a password is truly strong, there’s the danger of someone stealing it via phishing, or theft of a plain-text or unsalted password database.
If a password is compromised, there’s the specter of password reuse. Many people who follow complex password guidelines proceed to reuse them across multiple accounts. “Then we’re in all sorts of trouble,” says James, “because they’ve not just stolen one login, they’ve stolen potentially multiple logins. That leaves a lot of organizations exposed.”
Password managers reduce reuse and enable strong, unique credentials, but uptake is limited. Consumers worry about putting all their eggs in a basket that turns out to be weaker than they thought and subject to compromise. Enterprises lag in adoption.
Taking stolen passwords out of circulation
At least Microsoft and the NCSC align on one thing: neither now recommends scheduling password expiration. The danger is that someone just reuses their existing password and adds an incremental number on the end.
Instead, only change a password if you fear it has been compromised, goes the new wisdom. “The challenge is, if you want to enforce that in Active Directory or Entra ID, it’s almost impossible to do it without a tool like Specops Password Policy,” says James.
Specops Password Policy solves the password management and enforcement problems facing Active Directory users. One of these is spotting passwords that have shown up in cyber attacks or lists of stolen credentials.
Specops operates a database of over four billion compromised passwords, which it populates from a range of sources. These include threat intelligence feeds, malware analysis, the dark web, and honeypots set up to slurp password attempts entered by credential stuffers.
If a user tries to enter a password that has already been compromised (perhaps one from a consumer site that they tried to reuse for work), Specops Password Policy will spot it.
One benefit of this system over others is that it scans for password compromise continuously, rather than restricting itself to checks when registering or changing passwords. For Mid Cheshire NHS Foundation Trust, that meant protecting 5,400 employees round the clock. If any of their passwords show up in the breach database, an admin will know about it and can enforce a change.
Registering or changing passwords needn’t be a Kafkaesque experience. Specops Password Policy offers friendly real-time feedback during the process. Enforcing ad hoc password changes is just one of its features. It surpasses the limited password complexity customization options that Microsoft gives admins by default.
AD lets you choose all alphanumeric characters or just numbers for PIN-based entry. You can also set minimum and maximum lengths, and how many character types to mandate. But that’s it.
Avoiding a password own-goal
Specops lets you do a lot more. This includes blocking specific strings, which helped get East Ayrshire Council’s password security back on track. The Council found many of its 6,000 employees using the names of local football teams for their logins. A 45-day password expiry policy changed nothing; instead of dozens of people with the password ‘Rangers’, it would now have dozens using ‘Rangers1’, because incrementing numbers is a standard trick employees use to change passwords as quickly as possible. A password ban list, along with a rule to stop incremental numbers, helped the Council to tame its passwords and increase its security.
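An added worked example, not code from the article or from Specops Password Policy: a small Python check that applies the eight-character, three-class complexity rule described in the Microsoft guidance above, then a constructed breached-password set (the article’s top stolen passwords plus ‘P@ssw0rd’) and a hypothetical football-team ban list, with leetspeak and trailing-suffix normalisation so that ‘Rangers1’ and ‘R4ng3rs2024!’ are caught as the same banned term.

```python
import re

def meets_ad_complexity(pw, min_len=8, min_classes=3):
    """The AD 'strong' rule as the article describes it: at least `min_len`
    characters drawn from at least `min_classes` of the four character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= min_classes

# Constructed stand-ins for a breached-password database and an
# organisation-specific ban list; a real deployment would use far larger sets.
BREACHED = {"123456", "admin", "12345678", "password", "p@ssw0rd"}
BANNED_TERMS = {"rangers", "celtic", "kilmarnock"}          # hypothetical ban list
LEET = str.maketrans("@$0134!", "asoleai")                  # common substitutions

def normalise(pw):
    """Lower-case, strip the trailing digits/symbols people append at reset time
    ('Rangers1' -> 'rangers'), then undo leetspeak ('P@ssw0rd' -> 'password')."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET)

def evaluate(pw, breached=BREACHED, banned=BANNED_TERMS):
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_ad_complexity(pw):
        reasons.append("fails 8-char/3-class complexity")
    core = normalise(pw)
    if pw.lower() in breached or core in breached:
        reasons.append("appears in breached-password database")
    if any(term in core for term in banned):
        reasons.append("contains banned organisation term")
    return reasons
```

Note that ‘Password1’ and ‘P@ssw0rd’ both satisfy `meets_ad_complexity` and are rejected only by the breached-password check, which is the gap the article describes.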
Specops can also enforce the use of multi-word phrases (but block weak repeated phrases like ‘no no no’, or those based on dictionary patterns, or even organization-specific terms). It also lets you apply appropriate policies for different groups. For example, the finance team, or individuals with privileged access, might need more stringent password controls than others based on your risk policy.
The ability to define different password requirements for different user groups was a selling point for Greater Manchester West Mental Health NHS Foundation Trust. It had been trying for certification under the NCSC’s Cyber Essentials program but many of its 6,000 staff members were not well-versed in password security and would use weak passwords, blocking its success.
Specops Password Policy enabled the Trust to create a block list for known weak passwords and also set different requirements for different user groups. That enabled it to tighten its authentication security while guiding employees towards better password choices via end-user feedback.
All authentication systems will have problems. Some even worry that random three-word techniques are vulnerable due to vocabulary sizes and word rotation math. But that’s the sign of a healthy security effort; there’s always more you can do to make your passwords better, and security agencies will likely continue to refine their guidance over time.
However, without tools to give you the appropriate customization and enforcement options, you’ll be limited to basic changes that don’t support the latest best practice, and which still allow laughable passwords through. Now that people are releasing billions of leaked passwords for sale at a time, no one can afford to do just the bare minimum.
Sponsored by Specops
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/28/specops_password_attacks_2025/