The weakest link in today’s workplace is not your firewall; it is your people’s passwords

Stolen logins have become the fastest, cheapest, and most reliable way for attackers to break into organisations. As businesses move to cloud apps, hybrid work, and third-party SaaS, identity has replaced the office network as the new perimeter. That shift is why compromised credentials now drive so many breaches, ransomware intrusions, and business email compromise incidents.

Attackers go where the odds are best. Passwords are reused, phished, bought and sold on criminal marketplaces, and captured by malware at scale. With one login, criminals can pivot across email, file shares, cloud consoles, finance systems, and developer tools. In 2025, defending your business starts with defending access.

How stolen passwords are harvested in 2025

  • Phishing and adversary-in-the-middle kits: Fake login pages proxy real sessions, stealing passwords and session cookies to bypass basic multifactor authentication.
  • Infostealer malware: Lightweight malware siphons saved passwords from browsers, grabs session tokens, and exfiltrates vault files in minutes.
  • Credential stuffing: Attackers test username and password combinations from old breaches across dozens of sites, betting on reuse.
  • MFA fatigue and voice scams: Repeated push prompts and convincing phone calls trick users into approving fraudulent access.
  • SIM swaps and number porting: Phone-based one-time codes can be intercepted when a victim’s number is hijacked.
  • QR code lures and OAuth abuse: Users scan a code or consent to a malicious app, granting long-lived access without a password.

The real cost of compromised credentials

When an attacker logs in rather than breaks in, alarms often stay quiet. That stealth extends dwell time, letting criminals map your environment, exfiltrate data, and stage monetisation.

  • Business email compromise: Fraudulent invoices, payroll redirects, and supplier impersonation drain accounts and erode trust.
  • Ransomware enablement: Stolen admin accounts accelerate lateral movement and data theft before encryption.
  • Operational disruption: Downtime from account lockouts, incident response, and recovery stalls revenue.
  • Regulatory exposure: Data access through valid credentials still counts as a breach, triggering reporting and penalties.
  • Insurance scrutiny: Cyber cover increasingly requires strong authentication and access controls to pay out.

A modern defense playbook for password pandemonium

Attackers exploit identity. Defenders must make identity the control point. Prioritise these measures for the biggest risk reduction per dollar.

  • Adopt phishing-resistant MFA: Move high-value users and apps to passkeys based on FIDO2 security keys or platform authenticators to neutralise phishing and push fatigue.
  • Consolidate with single sign-on: Fewer login portals mean fewer places to phish, easier monitoring, and consistent policy enforcement.
  • Harden legacy protocols: Disable basic authentication, IMAP and POP for mail, and enforce modern OAuth scopes with conditional access.
  • Implement risk-based access: Evaluate device posture, geo velocity, impossible travel, and session risk, challenging or blocking dynamically.
  • Lock down administrators: Use just-in-time elevation, separate admin workstations, and block direct internet access for privileged sessions.
  • Manage secrets properly: Replace hardcoded and shared passwords with a secrets manager and rotate keys automatically.
  • Deploy email and web controls: Advanced phishing detection, link isolation, and attachment sandboxing cut credential theft at the source.
  • Instrument identity logs: Centralise sign-in and audit logs, and alert on new forwarding rules, consent grants, mailbox delegations, and token anomalies.
  • Train for modern scams: Go beyond annual modules with frequent micro-learning on QR phishing, MFA fatigue, and help desk impersonation.
  • Prepare fast containment: Standard operating procedures to revoke tokens, reset passwords, invalidate sessions, and audit OAuth consents reduce dwell time.
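Two of the detections listed above (impossible travel from sign-in telemetry, and alerts on external forwarding rules and risky consent grants), written out as an added example that is not code from this article. The event field names, operation names and the 1000 km/h speed ceiling are assumptions, and every log line is constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sign-in events (field names assumed): the CFO signs in from London,
# then 40 minutes later from Sydney; the developer's London to Paris hop is ordinary.
SIGNINS = [
    {"user": "cfo@example.com", "ts": "2025-03-04T08:00:00", "lat": 51.50, "lon": -0.12},
    {"user": "cfo@example.com", "ts": "2025-03-04T08:40:00", "lat": -33.87, "lon": 151.21},
    {"user": "dev@example.com", "ts": "2025-03-04T09:00:00", "lat": 51.50, "lon": -0.12},
    {"user": "dev@example.com", "ts": "2025-03-04T12:00:00", "lat": 48.85, "lon": 2.35},
]
# Constructed audit events: a rule forwarding mail outside the company and a consent grant for mailbox-wide scopes.
AUDIT = [
    {"user": "cfo@example.com", "op": "New-InboxRule", "forward_to": "archive@evil-example.net"},
    {"user": "dev@example.com", "op": "New-InboxRule", "forward_to": "dev@example.com"},
    {"user": "cfo@example.com", "op": "Consent to application", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"user": "dev@example.com", "op": "Consent to application", "scopes": ["User.Read"]},
]
MAX_KMH = 1000.0          # assumed ceiling for plausible commercial travel
RISKY_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"}
INTERNAL_DOMAIN = "example.com"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag each sign-in whose implied speed from the same user's previous sign-in exceeds max_kmh."""
    alerts, last = [], {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        prev = last.get(e["user"])
        if prev:
            hours = (datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append((e["user"], e["ts"], round(km / hours)))   # (user, time, km/h)
        last[e["user"]] = e
    return alerts

def risky_audit(events):
    """Flag forwarding rules to external addresses and consent grants that include high-risk scopes."""
    alerts = []
    for e in events:
        if e["op"] == "New-InboxRule" and not e["forward_to"].endswith("@" + INTERNAL_DOMAIN):
            alerts.append((e["user"], "external_forward"))
        elif e["op"] == "Consent to application" and RISKY_SCOPES & set(e["scopes"]):
            alerts.append((e["user"], "risky_consent"))
    return alerts
```

In production the same logic runs continuously over the centralised log stream, and each alert should trigger the containment procedure (token revocation, session invalidation, consent audit) rather than just an email.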
Passkeys explained simply

Passkeys replace passwords with a cryptographic key pair tied to a user’s device. The private key never leaves the device, and because each login response is bound to the site that requested it, it cannot be replayed on a fake site. That design makes passkeys resistant to phishing and credential stuffing. Start with executives, finance, IT admins, and third-party access, then expand to the wider workforce and customer portals.
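An added illustration of that site binding, not code from this article or from any FIDO2 library: the message layout follows WebAuthn (a clientDataJSON carrying type, challenge and origin, plus authenticator data holding the hash of the relying party ID), but the signature is a toy Schnorr scheme over a tiny group standing in for the device’s real ECDSA key, so it is for teaching only. Domain names and challenges are constructed.

```python
import hashlib, json, secrets

P, Q, G = 2039, 1019, 4   # toy group: G has prime order Q modulo P (teaching only, not a real curve)

def H(*parts):
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key: never leaves the device
    return x, pow(G, x, P)                    # public key: registered with the site

def sign(x, msg):                             # Schnorr signature: stand-in for ECDSA P-256
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = H(r.to_bytes(2, "big"), msg) % Q
    return e, (k - x * e) % Q

def verify(y, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(y, e, P) % P       # recovers g^k when the signature is genuine
    return H(r.to_bytes(2, "big"), msg) % Q == e

def authenticator_get(x, rp_id, origin, challenge):
    """Browser + authenticator side: the browser, not the web page, fills in origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()     # rpIdHash; flags and counter omitted
    return client_data, auth_data, sign(x, auth_data + hashlib.sha256(client_data).digest())

def rp_verify(y, rp_id, expected_origin, issued_challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order WebAuthn lists them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != issued_challenge:
        return "challenge mismatch: replayed assertion"
    if cd.get("origin") != expected_origin:
        return "origin mismatch: assertion was made for another site"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not verify(y, auth_data + hashlib.sha256(client_data).digest(), sig):
        return "bad signature"
    return "ok"

def demo():
    x, y = keygen()
    rp_id, origin = "login.example.com", "https://login.example.com"
    chal = secrets.token_urlsafe(16)
    honest = rp_verify(y, rp_id, origin, chal, *authenticator_get(x, rp_id, origin, chal))
    # A proxy relays the genuine challenge, but the browser records the look-alike origin it is really on.
    phished = rp_verify(y, rp_id, origin, chal, *authenticator_get(x, rp_id, "https://login-examp1e.com", chal))
    # A captured assertion presented again against a fresh challenge.
    replayed = rp_verify(y, rp_id, origin, secrets.token_urlsafe(16), *authenticator_get(x, rp_id, origin, chal))
    return honest, phished, replayed
```

The signature is valid in all three cases; what stops the second and third is that the signed data names the site and the one-time challenge, which is exactly the property a shared secret like a password or a one-time code lacks.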

Minimum viable improvements you can ship this quarter

  • First 30 days: Inventory accounts and apps, disable dormant users, enforce unique passwords, and turn on conditional access baselines.
  • Days 31 to 60: Roll out phishing-resistant MFA for admins and finance, block legacy auth, and enable suspicious consent and inbox rule alerts.
  • Days 61 to 90: Pilot passkeys with a high-risk group, deploy a secrets manager for service accounts, and rehearse account takeover playbooks.

Metrics that prove progress to executives

Leaders want clarity and momentum. Track and report identity-centric indicators that map to risk reduction.

  • MFA coverage: Percentage of users and apps protected by phishing-resistant MFA versus basic codes or pushes.
  • Exposure reduction: Dormant accounts eliminated, legacy protocols disabled, and number of standing admin privileges removed.
  • Detection speed: Median time to detect and contain account takeover, including token revocation and consent audits.
  • User resilience: Phishing simulation failure rates trending down, measured monthly, not annually.
  • Attack surface: Count of third-party OAuth apps with high-risk scopes and how many are removed or reapproved.

Common pitfalls to avoid

  • Checkbox MFA: One-time codes alone do not stop adversary-in-the-middle attacks or SIM swaps.
  • Ignoring tokens: Resetting a password without revoking sessions leaves the intruder still inside.
  • Privilege sprawl: Always-on admin rights turn one phished user into a company-wide breach.
  • Overlooking machines: Service accounts and automation keys are credentials too and are widely abused.
  • Set-and-forget training: Culture changes with repetition, relevance, and leadership participation.

The takeaway

In 2025, the easiest way into your company is still the front door with someone else’s keys. Treat identity as the new perimeter, retire weak login paths, and make phishing-resistant authentication your default. Pair it with visibility into anomalous sign-ins and a rehearsed response for account takeover. Do this well and you will blunt the most common initial access techniques, shrink the blast radius when compromise happens, and turn password pandemonium into a manageable, measurable risk.