
Passwords Still the Weakest Link in Cybersecurity, Despite Industry Push for Stronger Authentication

Despite ongoing efforts from major tech players like Apple, Google, Microsoft, the Cybersecurity and Infrastructure Security Agency (CISA), and Sophos, compromised credentials continue to be the leading cause of identity-based cyberattacks, according to new insights from Sophos.

Attackers are increasingly exploiting password breaches from widely used apps and platforms, leveraging them for large-scale “spray and pray” attacks or building password dictionaries based on user habits. This ongoing trend highlights a persistent vulnerability: users continue to rely on weak passwords and reuse them across multiple services.

Analysis of annual breach data reveals two critical issues—insufficient password complexity and widespread password reuse—both of which significantly increase the risk of unauthorized access.

In response, the National Institute of Standards and Technology (NIST) has updated its guidelines, recommending longer passphrases of at least 15 characters instead of focusing solely on complexity. The agency has also moved away from requiring frequent password changes, signaling a shift toward more user-friendly and effective security practices.

For consumers, experts recommend adopting password managers to automatically generate and store unique passphrases while monitoring for potential breaches. Meanwhile, organizations are encouraged to reassess their identity and authentication strategies, with a growing emphasis on transitioning to passkey-based systems—an approach that enhances both security and user experience.

Sophos also highlighted its CISO playbook, designed to guide enterprises in implementing modern authentication frameworks and reducing identity-related risks.



AI Times  @2026. All Rights Reserved.