The Oldest Trick Still Works: Why Password Cracking Is Beating Your Defenses in 2025

Every year, security teams gear up to defend against the latest wave of zero-days, advanced persistent threats, and nation-state malware. But while we’re busy preparing for cyberwarfare, attackers are walking through the front door, using nothing more than cracked credentials.

That’s the uncomfortable truth behind The Blue Report 2025, the latest research from Picus Security. Based on over 160 million attack simulations across real enterprise environments, this year’s report delivers a wake-up call: password cracking is back with a vengeance, and we’re not nearly ready for it.

Credential Abuse: The Silent, Successful Threat

Let’s get to the headline number:

46% of environments tested were successfully breached through password cracking.

That’s not a typo, and it’s nearly double last year’s rate. Despite years of awareness campaigns, password guidelines, and MFA recommendations, attackers are still consistently breaking in using one of the oldest methods in the book.

Why? Because it still works.

Behind the scenes, attackers are exploiting weak password policies, outdated hashing algorithms, and systems that haven’t seen a security update in years. Internal accounts, those used by employees, admins, or service applications, are particularly at risk. In fact, nearly half of organizations had at least one password hash cracked and converted to cleartext.

That’s not a fluke. That’s a systemic failure in basic credential hygiene.

When Valid Accounts Become the Ultimate Stealth Tool

Once attackers have valid credentials, they don’t need fancy exploits or exotic malware. They blend in. They move laterally. They escalate privileges. They become invisible.

The MITRE ATT&CK technique T1078 – Valid Accounts had a 98% success rate in simulations run by Picus Labs. That makes it the most effective and most abused attack vector today. And unlike malware, cracked credentials won’t trigger antivirus alerts or sandbox detonations; to your tooling, they look like real users.

From ransomware affiliates to info-stealer operators, threat actors know that a cracked password is the golden key to an organization’s most critical systems. And they’re using it to devastating effect.

Why Organizations Are Still Losing to Password Cracking

Let’s be honest: we’ve made things too easy.

  • Weak password complexity requirements
  • Outdated hashing methods (looking at you, unsalted MD5/SHA1)
  • Lack of MFA on internal services
  • Rarely rotated credentials
  • Infrequent validation of password security controls

These aren’t advanced misconfigurations; they’re Security 101 mistakes. But they’re still widespread. And as the report shows, they’re costing organizations more than they realize.

Fighting Back: How to Close the Door on Credential-Based Attacks

Defending against password cracking doesn’t require a bleeding-edge SOC or an army of analysts. It starts with going back to basics:

  • Enforce strong password policies with length, complexity, and rotation.
  • Eliminate weak hashing algorithms and use secure methods like bcrypt, scrypt, or Argon2.
  • Salt every hash, no exceptions.
  • Apply MFA everywhere, including internal and admin interfaces.
  • Continuously validate your defenses through simulated attacks.
  • Monitor for anomalous behavior that could indicate lateral movement or unauthorized access.

And perhaps most importantly, stop treating identity as an afterthought. The network perimeter isn’t where attackers are getting in anymore; it’s your users, your credentials, and your identity systems that are being exploited.
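To make the hashing and salting points above concrete, here is an added example (not from the report or from Picus) that puts the unsalted MD5 storage the list warns about beside a hardened form using a per-user random salt and a memory-hard KDF. It uses scrypt from the Python standard library because Argon2 needs a third-party package; the storage format and the `needs_rehash` migration check are this example’s own conventions, not a standard.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Weak form: unsalted MD5. Every user with the same password gets the same
# hash, so one cracked entry (or a precomputed table) unlocks all of them.
def weak_hash(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Hardened form: random 16-byte salt per user plus scrypt, which costs the
# attacker roughly 128 * r * n bytes of memory per guess (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$n$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """Flag legacy (unsalted MD5) or under-parameterised records so they can be
    upgraded transparently on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True  # bare MD5 hex or an unknown scheme: migrate it
    return int(parts[1]) < SCRYPT_N

if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    pw = "Summer2025!"
    print("weak  :", weak_hash(pw), weak_hash(pw))          # identical
    a, b = hash_password(pw), hash_password(pw)
    print("strong:", a != b, verify_password(pw, a), verify_password(pw, b))
    print("legacy record needs upgrade:", needs_rehash(weak_hash(pw)))
```

The same `verify_password` path also handles records written later with larger scrypt parameters, since the cost factors travel with the record.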

Francesco Marotta
