Passwords Under Siege: Picus Security Finds 46% Vulnerable


Password Cracking Doubles in One Year

You could say it’s as easy as 1, 2, 3… Passwords remain the weakest link in enterprise defense. Picus Security’s new Blue Report 2025 shows cracked password hashes in 46% of environments. That’s nearly double last year’s 25%. The surge reflects poor password policies and reliance on outdated hashing methods. Once a password is cracked, attackers gain entry and escalate privileges. A single weak password often leads to lateral movement and large-scale data theft.

“We must operate under the assumption that adversaries already have access,” said Dr. Süleyman Ozarslan, co-founder of Picus Security and VP of Picus Labs.

The report is based on more than 160 million simulated attacks carried out between January and June 2025. These simulations were executed safely in live production environments using the Picus Security Validation Platform. The data was then aggregated and analyzed by Picus Labs and the Picus Data Science teams to measure the effectiveness of real-world prevention and detection.

The Importance of Passwords

A 158‑year‑old British transport company, Knights of Old (owned by KNP), collapsed after hackers guessed a single weak employee password. The ransomware attack encrypted systems, destroyed backups, and triggered a £5 million ransom demand.

Stolen Credentials Fuel Attacks

Attacks using valid accounts succeeded 98% of the time. Adversaries exploit stolen logins to blend in as legitimate users.

The Blue Report warns that defenders rarely stop these intrusions. With infostealer malware tripling, compromised credentials have become a nearly unstoppable threat vector.

Data Theft Prevention Hits Record Low

Data exfiltration defenses collapsed in 2025. Only 3% of theft attempts were stopped, down from 9% in 2024.

This drop arrives as ransomware groups expand double-extortion tactics. Attackers steal and threaten to leak sensitive data, bypassing traditional encryption defenses.

Ransomware Still Outpaces Defenses

BlackByte ransomware remains the hardest to block, with a prevention score of only 26%. BabLock and Maori followed with prevention rates of 34% and 41%.

Even with improved backups, ransomware operators adapt. Encryptionless extortion strategies now threaten leaks instead of locking files.

Prevention Effectiveness Declines Across the Board

Overall prevention effectiveness fell to 62% in 2025, down from 69% in 2024.

This decline reverses last year’s progress and underscores the fragility of defenses: like so many human conditions, they are perishable. Without continuous validation, security controls lose effectiveness rapidly.

Detection Efforts Show Little Progress

Logging held steady at 54%, but alerts rose slightly to 14%. The gap remains wide: most malicious actions are logged but fail to trigger alerts.

Half of the detection rule failures stemmed from log collection issues. Misconfigurations and integration gaps accounted for another third.

Regional Performance Varies Widely

Latin America led prevention with 70%. South Asia lagged at 55%.

North America achieved a relatively high 20% alert rate. In contrast, South Asia’s alert score was only 9%.

Industry Breakdown Reveals Mixed Results

Healthcare topped prevention effectiveness with a score of 83%, followed by Manufacturing at 81%. Transportation ranked lowest at 50%, while Technology scored 62%. Despite its sophistication, the technology sector struggles with shifting priorities and resource allocation.

Improvements in macOS Security

macOS prevention jumped to 76%, a dramatic rise from 23% in 2024.

Windows held steady at 79%. Linux followed with 69%. The improvement stems from greater investment in Apple ecosystem protections.

Attack Techniques Still Effective

Discovery techniques like System Network Configuration Discovery scored prevention rates under 12%.

Valid Accounts (T1078) recorded just 2% prevention. Attackers easily blend in with stolen credentials, bypassing most defenses.

Threat Groups Adapt Faster Than Defenders

New groups like Outlaw and Silver Fox evaded detection in most simulations.

Longstanding espionage actors like Turla and Kimsuky also bypassed controls. The findings show adversaries quietly evolve and adapt while defenses stagnate.

Expert Perspective

Dr. Süleyman Ozarslan of Picus Security urged organizations to adopt an “assume breach” mindset. “We must detect misuse of valid credentials faster,” he said.

He stressed continuous validation of identity controls and stronger behavioral detection.

Recommendations for Defense

The report outlines five priorities for defenders:

  • Enforce stronger password hygiene.
  • Improve data exfiltration defenses.
  • Validate controls continuously.
  • Strengthen ransomware defenses.
  • Expand behavioral detection to catch stealthy activity.

Tell Me Like I’m a Child

Think of enterprise passwords like the locks on your front door. Picus Security just revealed that nearly half of them are breakable with a cheap key from the corner store. Imagine leaving your house each morning knowing someone with a copy of the key might already be inside.