The Verizon 2025 Data Breach Investigations Report shows that stolen login credentials were responsible for 22% of all confirmed data breaches (in web application attacks, this even rose to 88%). At the same time, IBM X-Force reported an 84% increase in so-called infostealer malware via phishing emails. Such malware stealthily steals saved passwords from browsers while users continue to work.
A second well-known problem is password reuse. According to Verizon, only 49% of passwords were unique for the average user. In other words, one compromised password often opens multiple doors. Despite years of warnings, many people continue to use weak or reused passwords.
Initial access brokers
A complete criminal economy has now emerged around this practice. Research firm KELA counted a staggering 3.9 billion stolen login credentials from 4.3 million infected devices in 2025. These credentials are sold to so-called initial access brokers, who then resell network access to ransomware groups. According to Mandiant, stolen credentials were involved in 16% of all investigated incidents and 21% of ransomware cases. The step from stolen password to ransomware now takes days instead of months.
Multi-factor authentication helps, but offers no absolute protection. Attackers use methods such as prompt bombing and phishing kits that intercept tokens in real time. MFA on its own is no longer sufficient; phishing-resistant variants are necessary.
Passkeys as an alternative
At the same time, an alternative is emerging: passkeys. This technology replaces passwords with cryptographic keys linked to a device or biometric verification. According to the FIDO Alliance, 69% of consumers now have at least one passkey. The login success rate is 93%, compared to 63% for traditional passwords. Organizations are also moving in this direction: 87% are working on implementation or have already introduced passkeys.
However, a complete transition is not easy. Many companies still operate on legacy systems, on-premises Active Directory, shared workspaces, or outdated hardware without a TPM chip or biometrics. Account recovery and management on a large scale are also not well organized everywhere yet. For many organizations, this means a prolonged hybrid phase where passwords and passkeys coexist.
The direction is clear, however. Instead of chasing better passwords, organizations should strive for fewer passwords. Put employees on a password manager, implement phishing-resistant MFA, and start using passkeys where possible. Passwords were once a necessary evil. Now they are mostly just evil.
Happy World Password Day!
Rich Greene
Certified Instructor at SANS Institute