World Password Day 2026: Attackers simply log in
On World Password Day 2026, Rich Greene of the SANS Institute draws a sobering conclusion: stolen login credentials have long been the most common entry point for cyber attacks. Passwords alone no longer provide protection - and even MFA is no panacea.

With World Password Day 2026 coming up on May 7, security teams need to face an unpleasant truth: attackers aren't breaking in anymore - they're logging in. Rich Greene, instructor at the SANS Institute, assesses the current threat landscape and shows where action is needed.
Stolen access data as the biggest weak point
The Verizon DBIR 2025 analyzed over 22,000 security incidents and found that stolen credentials were the initial point of entry in 22 percent of all confirmed breaches. For basic web application attacks, this share rises to 88 percent. Also alarming: IBM X-Force recorded an 84 percent year-over-year increase in infostealer malware, which is distributed via phishing emails. These are not sophisticated zero-day exploits, but malware that quietly collects passwords saved in the browser.
Password reuse further exacerbates the situation. Verizon's analysis of infostealer logs found that, in the median case, only 49 percent of a user's passwords were unique across different services. This means that in more than half of the cases, a single compromised password opens multiple doors. «We keep telling people to use strong, unique passwords. They nod in agreement and do the exact opposite,» says Greene.
The infostealer economy has industrialized
According to the KELA 2025 report, security researchers recorded 3.9 billion stolen credentials on 4.3 million infected devices. This access data is bundled into so-called logs and sold to initial access brokers, who in turn sell the resulting network access to ransomware groups. The criminal infrastructure behind this is professionally organized and scales continuously.

MFA helps - but is not a panacea
Multi-factor authentication (MFA) is considered a standard measure in many places, but it is not a magic bullet. Attackers circumvent it through prompt-bombing, session hijacking and adversary-in-the-middle phishing kits that capture session tokens in real time. For the first time, the Verizon DBIR lists prompt-bombing among the most common attack methods. Greene's conclusion is clear: «Having an MFA enabled is the least you can do. A phishing-resistant MFA is what actually makes a difference.»
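Prompt-bombing leaves a recognizable trace in authentication logs: a burst of push notifications to one user in a short window, sometimes followed by an approval. The following is an added illustration of how a defender can flag that pattern; it is not code from the article, from SANS or from any vendor, and the log format and the `push_sent` / `push_denied` / `push_approved` event names are assumptions, with the sample log lines constructed for the example.

```python
"""Flag MFA push fatigue (prompt-bombing) in authentication logs.

Added example, not part of the original article. The line format
"<ISO timestamp> <user> <event>" and the event names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice receives a burst of pushes
# in the middle of the night and finally approves one; bob gets a single
# push during normal working hours and approves it.
SAMPLE_LOG = """\
2026-05-07T02:11:03Z alice push_sent
2026-05-07T02:11:09Z alice push_denied
2026-05-07T02:11:31Z alice push_sent
2026-05-07T02:12:02Z alice push_sent
2026-05-07T02:12:40Z alice push_sent
2026-05-07T02:13:15Z alice push_sent
2026-05-07T02:13:58Z alice push_sent
2026-05-07T02:14:20Z alice push_approved
2026-05-07T09:02:10Z bob push_sent
2026-05-07T09:02:25Z bob push_approved
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    events.sort()
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received at least `threshold` pushes
    within any `window`. Each alert notes whether an approval followed the
    start of the burst, which is the case that actually hands over a session
    and therefore deserves the fastest response."""
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))

    alerts = []
    for user, evs in by_user.items():
        sends = [ts for ts, e in evs if e == "push_sent"]
        start = 0
        # Sliding window over the user's push timestamps.
        for end in range(len(sends)):
            while sends[end] - sends[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_start = sends[start]
                approved = any(e == "push_approved" and ts >= burst_start
                               for ts, e in evs)
                alerts.append({
                    "user": user,
                    "pushes": count,
                    "window_start": burst_start,
                    "approved_after_burst": approved,
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)
```

In practice the threshold and window are tuned to the identity provider's normal push volume, and an alert with `approved_after_burst` set should trigger session revocation and a credential reset, since the burst itself implies the attacker already holds a valid password.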
Passkeys as a promising alternative
The FIDO Alliance reports that 69 percent of consumers now have at least one passkey - compared to an awareness level of just 39 percent two years ago. Passkeys achieve a login success rate of 93 percent, compared to 63 percent for traditional passwords. On the enterprise side, 87 percent of organizations have adopted or are in the process of adopting passkeys, according to research from HID and the FIDO Alliance. Google has over 800 million accounts using passkeys, with 2.5 billion passkey logins.
However, there are real barriers to adoption that security teams must not ignore. Enterprise environments with outdated infrastructure, on-premises Active Directory, shared workstations and older devices without a Trusted Platform Module (TPM) or biometric hardware face significant challenges. Cross-platform interoperability is improving but not yet fully mature. Account recovery and the delegation of credentials in large organizations are also not yet fully resolved. Organizations will need to operate hybrid authentication during the transition - and depending on the environment, that transition could take years.
Conclusion: fewer passwords, more security
The search for a better password is over. Instead, security teams should work towards using fewer passwords: every password is an attack surface, and every passkey eliminates one. Password managers and the widespread use of phishing-resistant MFA are also recommended. «Passwords were a necessary evil. Now they are simply an evil. The sooner security teams replace them, the better,» says Greene. Organizations need to be met where they are - not every company has new hardware, and the path to passwordless must take this reality into account.
More information: https://www.sans.org
This article originally appeared on m-q.ch - https://www.m-q.ch/de/world-password-day-2026-angreifer-loggen-sich-einfach-ein/