
How to Elevate Your Password Hygiene: Tips and Tricks for Protecting Your Credentials

Stephanie Schneider, published May 01, 2025

Credentials, particularly usernames and passwords, are among the most sought-after digital assets because they serve as the gateway to a person's or organization's sensitive data. Abuse of valid credentials has risen sharply: last year, compromised credentials overtook phishing as the most common initial access vector. And with the rapid growth of infostealer malware, responsible for 2.1 billion (75%) of the 3.2 billion credentials stolen in 2024, the attack surface is hitting closer and closer to home. Prioritizing security fundamentals like password hygiene is therefore key to keeping you and your organization from becoming an easy target.

Good cybersecurity starts with good password habits; it is basic Security 101. Managing secure passwords is everyone's job. Start by maintaining excellent password hygiene: use long passwords or passphrases and never reuse them. If you must share a password, be careful about how you share it and with whom.

Why is password hygiene important?

Poor password hygiene is like securing a gate with a flimsy cardboard lock: it gives attackers easy entry to exactly the places you want to keep them out of. Passwords are frequently the first line of defense, and the key elements of good password hygiene are using strong passwords, keeping every password unique, using a password manager, and enabling multi-factor authentication.

Individuals who use weak or reused passwords are exposed to data breaches, extortion, and financial loss. Even as organizations begin shifting to passwordless authentication, such as biometrics, YubiKeys, and passkeys, most of us still use passwords every day in both our professional and personal lives. The average person has around 200 passwords across personal and business accounts, which is a lot to keep track of. Attackers take advantage when passwords are not treated as the priority they should be.

The risks of weak and reused passwords 

Weak passwords are a major factor in security breaches and are responsible for a large share of data compromises; some studies report that well over half of data breaches involve weak passwords. The reason is simple: a weak password can be guessed or cracked quickly, giving an attacker access to systems and sensitive information without authorization. A strong password is long and unpredictable. Mixing uppercase and lowercase letters, numbers, and special characters helps, but length matters most.

It's natural for people to want to simplify their lives. On the surface, using the same password across several websites or services may seem like a good idea, but it can turn into a costly mistake and a long-term headache. Reusing passwords across multiple sites hands attackers a credential-stuffing opportunity, making it easy for a threat actor to jump from one form of access to another. Cybernews researchers looked at data leaks from 2024-2025 and found that 94% of passwords were reused or duplicated, which makes it much easier for attackers to replay the same credentials across accounts. Containing a breach to a single service is easy: make sure every platform gets its own password.

Good cybersecurity habits fundamentally begin with strong, unique passwords and all-around adequate password management to give you a solid initial layer of protection.

How do attackers target passwords?

Two types of password-related attacks are a major concern: brute force attacks and credential stuffing. Infostealers also pose a serious threat because they harvest credentials and session tokens that give attackers unauthorized access for a wide range of follow-on attacks. And even with strong passwords and other security measures in place, social engineering can bypass those protections by targeting the weakest link in cybersecurity: people.

Brute force attack

In a brute force attack, a threat actor tries candidate passwords one after another until one unlocks the account. The guesses may be targeted, built from details tied to a user's life, work, or habits, or exhaustive, stepping through every combination of letters, numbers, and symbols in order. Exhaustive guessing always works eventually, but the time it takes grows exponentially with password length, so a long, random password or passphrase puts it out of reach. The very high guess rates you read about apply to offline cracking of password hashes leaked in a breach, where login rate limits do not slow the attacker down. Because passwords are such a fundamental part of data security, attackers have developed many tools and methods just for this purpose.

Credential stuffing

Another common way attackers target passwords is credential stuffing. In this similar-but-different attack, credentials leaked in one breach are tried against an unrelated service. Attackers know that people use the same passwords in multiple places, and they use that insight to their advantage. If a company breach hands an attacker a list of employee credentials, the attacker can try those same credentials at places the employee likely logs in, such as a bank or financial institution. The idea is simple: if a threat actor obtains one password, perhaps the same password is used elsewhere. Credential stuffing is just that: replaying leaked passwords against other services where they may also work. Insurance companies and real estate offices log in to mortgage companies' portals. Store owners and employees log in to banks. Government services log in to other government services. With poor password hygiene, all of these entry points are at risk, and artificial intelligence and automation tooling that speed up these attacks will only increase the threat.
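
To make the distinction concrete, here is an added example (not part of the original post and not LastPass's own tooling) that scans a constructed login log and flags each source address as brute force (one account, many guesses) or credential stuffing (many accounts, one guess each). The log format, the IP addresses, and the thresholds are all assumptions for the demo:

```python
"""Telling brute force from credential stuffing in login logs.

Added example for this post, not LastPass code. The log format is assumed
(one "timestamp source_ip username RESULT" line per attempt) and the log
itself is constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: 198.51.100.7 guesses one account repeatedly (brute force),
# 203.0.113.9 tries many different accounts once each (credential stuffing),
# 192.0.2.5 is a normal user who mistyped once.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 198.51.100.7 alice FAIL
2025-05-01T10:00:02Z 198.51.100.7 alice FAIL
2025-05-01T10:00:03Z 198.51.100.7 alice FAIL
2025-05-01T10:00:04Z 198.51.100.7 alice FAIL
2025-05-01T10:00:05Z 198.51.100.7 alice FAIL
2025-05-01T10:00:06Z 198.51.100.7 alice FAIL
2025-05-01T10:00:07Z 198.51.100.7 alice SUCCESS
2025-05-01T10:01:00Z 203.0.113.9 bob FAIL
2025-05-01T10:01:01Z 203.0.113.9 carol FAIL
2025-05-01T10:01:02Z 203.0.113.9 dave SUCCESS
2025-05-01T10:01:03Z 203.0.113.9 erin FAIL
2025-05-01T10:01:04Z 203.0.113.9 frank FAIL
2025-05-01T10:01:05Z 203.0.113.9 grace FAIL
2025-05-01T10:02:00Z 192.0.2.5 heidi FAIL
2025-05-01T10:02:09Z 192.0.2.5 heidi SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    timestamp: str
    ip: str
    username: str
    success: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed space-separated format; blank lines are skipped."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, ip, username, result = line.split()
        attempts.append(Attempt(timestamp, ip, username, result == "SUCCESS"))
    return attempts


def classify_source(attempts: list[Attempt], min_attempts: int = 5,
                    min_fail_ratio: float = 0.7) -> str:
    """Classify one source IP's attempts.

    brute_force:         many attempts, mostly failures, one (or very few) accounts
    credential_stuffing: many attempts, mostly failures, a different account almost every time
    suspicious:          mostly failures but neither pattern cleanly (e.g. password spraying)
    normal:              too few attempts, or a healthy success rate
    """
    n = len(attempts)
    if n < min_attempts:
        return "normal"
    failures = sum(1 for a in attempts if not a.success)
    if failures / n < min_fail_ratio:
        return "normal"
    distinct_users = len({a.username for a in attempts})
    if distinct_users / n >= 0.8:
        return "credential_stuffing"
    if distinct_users <= max(1, n // 10):
        return "brute_force"
    return "suspicious"


def classify_log(text: str, **thresholds) -> dict[str, str]:
    """Group attempts by source IP and classify each source."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for attempt in parse_log(text):
        by_ip[attempt.ip].append(attempt)
    return {ip: classify_source(atts, **thresholds) for ip, atts in by_ip.items()}


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Two caveats a practitioner would add. First, the successful login from 203.0.113.9 is the actionable alert, because it means a password reused from somewhere else just worked. Second, grouping by source IP is a simplification: real credential stuffing is spread across residential proxies with one attempt per address, so production detection also looks at the global ratio of failed logins to distinct accounts, unusual user agents and networks, and whether the tried credentials match known breach corpora.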

Infostealer malware

Infostealers pose another threat to passwords. The data they steal frequently includes credentials as well as valid session tokens, which attackers use to gain access quickly before credentials are rotated or cookies expire; a stolen session cookie can bypass the password and MFA prompt entirely. To illustrate how prevalent and dangerous infostealers have become, 2.1 billion (75%) of the 3.2 billion credentials stolen in 2024 were compromised by infostealer attacks. Infostealers have been responsible for some of the largest breaches of the last year. The attack targeting Snowflake customer accounts in May 2024 began with credentials harvested by infostealers and sold on the dark web, and led to data exposure impacting about 165 companies. The affected accounts did not have 2FA enabled, and some of the credentials had been exposed for years. The Hellcat ransomware gang recently breached multiple organizations in March using Jira credentials taken from infostealer logs, leaking sensitive data. These relatively unsophisticated attacks could have been prevented with better credential management.

Social engineering

Additionally, attackers use social engineering and phishing to trick employees into handing over their own credentials. Verizon's 2025 Data Breach Investigations Report found that human involvement in breaches remains high, with significant overlap between social engineering and credential abuse. It is hard to keep every member of an organization trained to spot these schemes, but a good password manager and good password hygiene significantly reduce the risk, not least because a password manager ties each saved credential to the site it was saved for and will not autofill it on a look-alike phishing domain.

How can I keep my passwords and accounts secure?

Creating strong, complex passwords

The National Institute of Standards and Technology (NIST) updated its draft password guidelines (SP 800-63B) last year to make them more user-friendly while improving their effectiveness, and a final version is expected later this year. NIST recommends accepting a wide range of characters, including emojis and spaces, and emphasizing password length over composition rules; passwords should ideally be 15 characters or longer. The draft also drops forced periodic password changes unless there is evidence of compromise, and strongly encourages modern tools like password managers and passkeys. Passkeys are public-key credentials bound to the site they were created for and unlocked with a device biometric or PIN, which is why they resist phishing. We went deeper into the proposed NIST password guidelines in our recent blog post.

The most common password mistakes are easy to make and even easier to steal. Stringing numbers together in sequential order (123456), using obvious words like "password," or leveraging personal dates like birthdays or anniversaries are just a few common pitfalls. Although the risks of using these default or lazy passwords have been widely shared, they are still a common pattern.

Instead, choose passwords that cannot be tied back to you, and avoid names, important dates, and other personal details. The safest passwords are random strings of uppercase and lowercase letters, numbers, and special characters, ideally generated by a password manager. Where you need something you can remember, use a passphrase: several unrelated words strung together into a nonsensical phrase that is easy for you to recall with a mnemonic but has no meaning an attacker can guess. This makes passwords easier for users to remember and harder for malicious actors to crack.
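
The difference between a guessable password and a strong one comes down to how many guesses an attacker needs, which is also what decides whether the brute force attack described earlier is practical. The added example below (written for this post, not LastPass code) generates random passwords and Diceware-style passphrases with Python's secrets module and estimates their entropy and expected cracking time. The 16-word list, the 7,776-word list size used in the comparison, and the 10 billion guesses per second rate are assumed values for the demo:

```python
"""Random passwords and passphrases with an entropy estimate.

Added example for this post, not LastPass code. DEMO_WORDS is a constructed
16-word stand-in; use a large published list (the EFF long list has 7,776
words) for real passphrases. The guess rate is an assumed figure for offline
cracking of a fast, unsalted hash.
"""
import math
import secrets
import string

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

DEMO_WORDS = ["amber", "basket", "cactus", "dolphin", "engine", "fossil",
              "garlic", "hammock", "island", "jigsaw", "kettle", "lantern",
              "meadow", "nickel", "orbit", "pepper"]  # constructed, 16 words


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `pool_size` options."""
    return length * math.log2(pool_size)


def average_seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the right guess: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / guesses_per_second


def generate_password(length: int = 16, alphabet: str = FULL_CHARSET) -> str:
    """Uniformly random password from the OS CSPRNG (never use random.choice for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words: list[str] = DEMO_WORDS,
                        separator: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def compare_policies() -> list[tuple[str, float, float]]:
    """(label, entropy bits, expected years to crack) for a few policies.

    Shows that length beats character-class complexity: 16 lowercase letters
    or 6 random dictionary words beat 8 characters from the full charset by
    more than 20 bits.
    """
    cases = [
        ("8 chars, full charset", 94, 8),
        ("12 chars, full charset", 94, 12),
        ("16 chars, lowercase only", 26, 16),
        ("4 words from 7,776-word list", 7776, 4),
        ("6 words from 7,776-word list", 7776, 6),
    ]
    rows = []
    for label, pool, length in cases:
        bits = entropy_bits(pool, length)
        years = average_seconds_to_crack(bits) / (365 * 24 * 3600)
        rows.append((label, round(bits, 1), years))
    return rows


if __name__ == "__main__":
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase())
    for label, bits, years in compare_policies():
        print(f"{label:30} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

The entropy figures only hold for passwords that really are chosen at random. A human-chosen string with the patterns described above (a birthday, "password" with a digit appended) has far less entropy than its length suggests, which is exactly why cracking tools lead with dictionaries and mangling rules rather than exhaustive search. The guess rate also varies by orders of magnitude: online logins are rate-limited, and a slow hash such as bcrypt or Argon2 on the server side cuts the offline rate dramatically.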

Implementing two-factor authentication 

Enabling two-factor authentication (2FA) is the second most important step in establishing a solid security posture, because a stolen password alone is then no longer enough to log in. 2FA, as its name denotes, requires two forms of identification, such as a password plus a code from an authenticator app or a hardware security key, to access a service. 2FA has become a standard control in identity and access management and a powerful ally against unauthorized entry. Learn more about weighing secure 2FA options in our recent blog post.

Understanding your exposure 

Even if we exercise good password management, the sheer volume of data breaches may leave our data, including credentials, exposed and for sale across the dark web and criminal marketplaces. Getting even a basic understanding of your exposure, and continuing to monitor it, is immensely helpful. Think of credential monitoring as part of your tech stack. For example, checking your passwords against the Have I Been Pwned exposed password list (Pwned Passwords) is a good start toward learning what is already out there so that you can act on it.
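
Have I Been Pwned's Pwned Passwords service lets you run this check without ever sending the password, or even its full hash, to the service: you hash the password with SHA-1, send only the first five hex characters of the hash, receive every hash suffix in that range, and look for your own suffix locally. The added example below (written for this post, not LastPass or HIBP code) implements that k-anonymity lookup. The API response it checks against is a constructed stand-in with made-up counts, and the `fetch_range_live` function that would call the real endpoint is included but not called by default:

```python
"""Check a password against Have I Been Pwned's Pwned Passwords range API.

Added example for this post, not LastPass or HIBP code. Only the first five
hex characters of the SHA-1 hash ever leave the machine (k-anonymity); the
match is done locally against the returned range.
"""
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """5-character prefix sent to the service, 35-character suffix kept local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries (count 0) are kept but never match as breached."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breaches known to HIBP (0 = not found)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup (needs network). Add-Padding makes every response a similar
    size so an observer on the wire cannot infer the prefix from the length."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


# Constructed offline stand-in for two API responses (counts are made up).
# Range 5BAA6 contains the suffix of SHA-1("password") plus one unrelated
# suffix and one padding entry; range 7C4A8 (SHA-1("123456") starts with it)
# deliberately does not contain that password's suffix.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        + "0" * 35 + ":0\n"
    ),
    "7C4A8": "00A1B2C3D4E5F60718293A4B5C6D7E8F90A:12\n",
}


def fetch_range_sample(prefix: str) -> str:
    """Offline substitute for fetch_range_live; raises like a failed HTTP call would."""
    try:
        return SAMPLE_RANGES[prefix]
    except KeyError:
        raise LookupError(f"no sample data for range {prefix}") from None


if __name__ == "__main__":
    for candidate in ("password", "123456"):
        hits = breach_count(candidate, fetch_range_sample)
        verdict = f"seen {hits} times, do not use" if hits else "not in sample range"
        print(f"{candidate!r}: {verdict}")
```

Any count above zero means the password is already in circulation and should be changed no matter how strong it looks. Treat a failed lookup as "unknown" rather than "safe", which is why the sample fetcher raises instead of returning an empty range; and to use the live endpoint, pass `fetch_range_live` in place of `fetch_range_sample`.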

How password managers can help 

While unique passwords are the foundation of any good security posture, remembering dozens of complex passwords and passphrases is a pain. That's where a password manager comes in, giving users seamless, secure access to everything they need. A password manager also makes good hygiene the path of least resistance: it generates a unique random password for every site and fills it in for you, so reuse is never tempting. When selecting a password manager, look for support for 2FA/MFA on the vault itself, a random password generator that creates unique passwords, and an encrypted vault that only the user can unlock. Other useful features, like form autofill, a mobile app PIN, and fingerprint login, help as well.

The LastPass Security Dashboard gives users a one-stop shop to review weak and reused passwords as well as any alerts on compromised accounts that need immediate action. Within the dashboard you can update weak and reused passwords, monitor your email addresses for involvement in data breaches, and get alerts when your sensitive information is compromised.
