
Weak Passwords and Compromised Accounts: Key Findings from the Blue Report 2025

by The Hacker News
August 21, 2025


As security professionals, it’s easy to get caught up in a race to counter the latest advanced adversary techniques. Yet the most impactful attacks often aren’t from cutting-edge exploits, but from cracked credentials and compromised accounts. Despite widespread awareness of this threat vector, Picus Security’s Blue Report 2025 shows that organizations continue to struggle with preventing password cracking attacks and detecting the malicious use of compromised accounts.

With the first half of 2025 behind us, compromised valid accounts remain the most underprevented attack vector, highlighting the urgent need for a proactive approach focused on the threats that are evading organizations’ defenses.

A Wake-Up Call: The Alarming Rise in Password Cracking Success

The Picus Blue Report is an annual research publication that analyzes how well organizations are preventing and detecting real-world cyber threats. Unlike traditional reports that focus solely on threat trends or survey data, the Blue Report is based on empirical findings from over 160 million attack simulations conducted within organizations’ networks around the world, using the Picus Security Validation Platform.

In the Blue Report 2025, Picus Labs found that password cracking attempts succeeded in 46% of tested environments, nearly doubling the success rate from last year. This sharp increase highlights a fundamental weakness in how organizations are managing – or mismanaging – their password policies. Weak passwords and outdated hashing algorithms continue to leave critical systems vulnerable to attackers using brute-force or rainbow table attacks to crack passwords and gain unauthorized access.

Given that password cracking is one of the oldest and most reliably effective attack methods, this finding points to a serious issue: in their race to combat the latest, most sophisticated new breed of threats, many organizations are failing to enforce strong basic password hygiene policies while failing to adopt and integrate modern authentication practices into their defenses.

Why Organizations Are Failing to Prevent Password Cracking Attacks

So, why are organizations still failing to prevent password cracking attacks? The root cause lies in the continued use of weak passwords and outdated credential storage methods. Many organizations still rely on easily guessable passwords and weak hashing algorithms, often without using proper salting techniques or multi-factor authentication (MFA).

In fact, our survey results showed that 46% of environments had at least one password hash cracked and converted to cleartext, highlighting the inadequacy of many password policies, particularly for internal accounts, where controls are often more lax than they are for their external counterparts.

To combat this, organizations must enforce stronger password policies, implement multi-factor authentication (MFA) for all users, and regularly validate their credential defenses. Without these improvements, attackers will continue to compromise valid accounts, obtaining easy access to critical systems.

Credential-Based Attacks: A Silent but Devastating Threat

The threat of credential abuse is both pervasive and dangerous, yet as the Blue Report 2025 highlights, organizations are still underprepared for this form of attack. And once attackers obtain valid credentials, they can easily move laterally, escalate privileges, and compromise critical systems.

Infostealers and ransomware groups frequently rely on stolen credentials to spread across networks, burrowing deeper and deeper, often without triggering detection. This stealthy movement within the network allows attackers to maintain long dwell times, undetected, while they exfiltrate data at will.

Despite this ongoing and well-known issue, organizations continue to prioritize perimeter defenses, often leaving identity and credential protection overlooked and under-funded as a result. This year’s Blue Report clearly shows that valid account abuse is at the core of modern cyberattacks, reinforcing the urgent need for a stronger focus on identity security and credential validation.

Valid Accounts (T1078): The Most Exploited Path to Compromise

One of the key findings in the Blue Report 2025 is that Valid Accounts (MITRE ATT&CK T1078) remains the most exploited attack technique, with a truly concerning 98% success rate. This means that once attackers gain access to valid credentials, whether through password cracking or initial access brokers, they can swiftly move through an organization’s network, often bypassing traditional defenses.

The use of compromised credentials is particularly effective because it allows attackers to operate under the radar, making it harder for security teams to detect malicious activity. Once inside, they can access sensitive data, deploy malware, or create new attack paths, all while seamlessly blending in with legitimate user activity.

How to Strengthen Your Defenses Against Credential Abuse and Password Cracking

To protect against increasingly effective attacks, organizations should implement stronger password policies and enforce complexity requirements, while eliminating outdated hashing algorithms in favor of more secure alternatives. It is also essential to adopt multi-factor authentication (MFA) for all sensitive accounts, ensuring that even if credentials do become compromised, attackers can’t just use them to access the network without an additional verification step.
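As an added illustration of the hashing points above (unsalted legacy hashes, and replacing outdated algorithms with stronger ones), the following Python sketch is not from the Blue Report or Picus Security. The record format, function names, sample store, and scrypt cost parameters are assumptions made for the example. It shows why unsalted hashes are exposed to precomputed tables, how to audit a store for legacy records, and how to upgrade them on the next successful login.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example; tune them for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1

def legacy_hash(password):
    """The 'before': unsalted MD5, so equal passwords give equal records."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def scrypt_hash(password, salt=None):
    """The 'after': per-record random salt plus a memory-hard KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${dk.hex()}"

def verify(password, record):
    """Recompute the record under its own scheme and compare in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "md5":
        candidate = legacy_hash(password)
    elif scheme == "scrypt":
        candidate = scrypt_hash(password, bytes.fromhex(rest.split("$")[0]))
    else:
        return False
    return hmac.compare_digest(candidate, record)

def login(store, user, password):
    """Verify, then upgrade a legacy record once the cleartext is available."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if not record.startswith("scrypt$"):
        store[user] = scrypt_hash(password)
    return True

def audit(store):
    """Accounts whose stored hash still uses the legacy scheme."""
    return sorted(u for u, r in store.items() if not r.startswith("scrypt$"))

def demo_store():
    """Constructed sample data: two legacy records and one already migrated."""
    pw = "Summer2025!"
    return {"alice": legacy_hash(pw), "bob": legacy_hash(pw),
            "carol": scrypt_hash(pw)}
```

Accounts that never log in again are never upgraded by this path, so the `audit` output is the list to follow up with forced resets.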

Regularly validating credential defenses through simulated attacks is crucial to identifying vulnerabilities and ensuring that your controls are performing as expected. Organizations also need to enhance their behavioral detection capabilities to catch anomalous activities tied to credential abuse and lateral movement.

Additionally, monitoring and inspecting outbound traffic for signs of data exfiltration and ensuring that data loss prevention (DLP) measures are both in place and operating effectively are critical to protecting your sensitive information.

Closing the Gaps in Credential and Password Management

The findings in the Blue Report 2025 show that, unfortunately, many organizations are still vulnerable to the silent threat of password cracking and compromised accounts. And while strengthening perimeter defenses continues to be a priority, it’s also clear that core weaknesses lie in credential management and internal controls. The report also highlighted the fact that infostealers and ransomware groups are leveraging these gaps effectively.

If you’re ready to take proactive steps to harden your security posture, reduce your exposure, and prioritize your critical vulnerabilities, the Blue Report 2025 offers invaluable insights to show you where to focus. And at Picus Security, we’re always happy to talk about helping your organization meet its specific security needs.

Don’t forget to get your copy of The Blue Report 2025 and take proactive steps today to improve your security posture.

This article is a contributed piece from one of our valued partners.




