TL;DR: Compromised passwords are rising from about 14% of accounts in 2024 to roughly 19% in 2025, while unsafe credentials crossed 22%, according to Enzoic’s AD Lite scan data. This reinforces the Verizon DBIR finding that credential abuse is the leading initial access vector, and password exposure is now a continuous identity problem, not a one-time hygiene issue.
At a glance
What this is: Enzoic’s AD Lite data shows compromised and unsafe Active Directory credentials increasing year over year, with exposed passwords affecting a large share of scanned accounts.
Why it matters: For IAM, IGA, and PAM teams, this matters because password exposure drives account takeover, lateral movement, and privilege abuse across human identity estates, and stale account hygiene can turn a weak credential into an enterprise breach path.
By the numbers:
- In 2025, the average compromised-password rate was about 19% across AD Lite domain scans, or 196 compromised-password users out of 1,014 users per domain on average.
- Compromised passwords rose from about 14% in 2024 to roughly 19% in 2025, an increase of more than five percentage points.
- Unsafe passwords crossed the one-in-five mark in 2025, reaching about 22% of accounts per domain.
- Weak passwords increased from about 1.6% of accounts in 2024 to roughly 2.7% in 2025.
👉 Read Enzoic's analysis of rising Active Directory credential compromise risk
Context
Active Directory credential risk is rising because exposure is expanding faster than most password hygiene programmes can absorb. A password may not change, but once it appears in breach datasets it becomes a standing liability, especially when stale accounts and weak password choices remain in circulation across the domain.
For identity teams, the issue is not simply password quality. It is the combination of reused credentials, exposed passwords, and accounts that stay active long after they should have been reviewed or removed. That makes this a human IAM problem with direct implications for PAM, access review, and compromise containment.
Key questions
Q: How should security teams handle exposed Active Directory passwords?
A: They should treat exposed passwords as active compromise risk, not hygiene debt. The right response is to detect breached or weak credentials continuously, force remediation based on risk, and confirm whether the account still needs access. If the identity is stale or privileged, it should move to the front of the queue for containment and review.
Q: Why do stale accounts make credential compromise worse?
A: Stale accounts extend the time an attacker can use a valid password without raising suspicion. They often bypass the normal attention given to active users, yet still retain authentication paths and sometimes privileged entitlements. That makes them an efficient entry point when exposed credentials are circulating in breach data.
Q: What do security teams get wrong about password risk in Active Directory?
A: They often assume a strong policy alone is enough. In practice, exposure from breach datasets, password reuse, and inactive accounts can make a technically acceptable password unsafe. Monitoring has to look at the current threat context, not only at whether the password meets complexity rules.
Q: How do IAM teams reduce account takeover risk from compromised credentials?
A: They reduce risk by combining exposure detection, access review, and rapid remediation. That means identifying compromised passwords, removing stale accounts, tightening privileged access, and proving that each account still has a business purpose. The control succeeds when exposed credentials stop being usable fast enough to matter.
Technical breakdown
Why exposed passwords keep turning into account compromise
A compromised password is not just a poor secret, it is an identity control failure that persists after the original breach. Once a password is included in breach corpora, attackers can test it through credential stuffing, password spraying, or targeted sign-in attempts against Active Directory and connected applications. The risk grows when the same password is reused across accounts or when users have not changed credentials after exposure. In practice, password risk is cumulative: every new breach dataset increases the likelihood that an older secret has already been harvested somewhere else.
Practical implication: treat exposed-password detection as an active control signal, not a one-time audit result.
Why stale accounts amplify human identity risk
Inactive accounts expand the attack surface because they retain valid authentication paths even when nobody is watching them closely. If a stale account still has a live password, an attacker does not need to defeat fresh enrolment or MFA workflows to get value from it. Stale accounts also distort recertification because they appear legitimate in directories while no longer matching operational need. The combination of inactivity and lingering authentication material is a classic identity hygiene gap that becomes far more dangerous when breach exposure is rising.
Practical implication: fold stale-account discovery into the same remediation workflow as password exposure and access review.
How continuous monitoring changes the secret-management model
Periodic scanning gives a snapshot, but exposed credentials do not behave like static assets. Breach datasets, cracking capability, and account state change constantly, which means a password that looked acceptable last quarter may already be compromised today. Continuous monitoring shifts the model from verification to maintenance by repeatedly checking whether secrets are present in breach data, whether weak passwords exist, and whether accounts remain in risky states. That is the difference between spotting a problem and reducing the time an attacker has to exploit it.
Practical implication: pair exposure monitoring with automated remediation triggers so response is not limited to periodic reviews.
Threat narrative
Attacker objective: The attacker wants to turn an exposed password into authenticated access that can be reused for theft, lateral movement, or privilege abuse.
- Entry begins when attackers use stolen or exposed credentials against Active Directory and related services, often without needing to exploit a software vulnerability.
- Escalation follows when reused passwords, stale accounts, or weak credentials let the attacker access additional systems or find higher-value identities.
- Impact occurs when account compromise enables unauthorized access, data theft, or a broader breach that starts with identity rather than malware.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Exposed-password risk is now a lifecycle problem, not a hygiene issue. Password exposure does not end when a user changes behaviour once or when a scan is run. Breach datasets keep expanding, and that means the same identity can move from safe to compromised without any local change in the environment. The implication is that credential governance must be continuous across joiner, mover, and leaver states, not periodic and reactive.
Stale account persistence is the identity control gap this data exposes. The article’s numbers show that organisations are not only dealing with compromised passwords, they are also carrying inactive accounts and weak-password populations at the same time. That combination creates an avoidable attack surface because old identities retain authentication paths long after they stop being operationally relevant. Practitioners should read this as a failure of lifecycle discipline, not just password policy.
Accountability for password exposure belongs to IAM, PAM, and directory operations together. No single control layer resolves this pattern because the problem spans directory hygiene, credential risk detection, and privileged access review. When exposed passwords are not tied to ownership, recertification, and remediation timelines, the organisation inherits dormant identity debt. The practical conclusion is that identity governance must be measured by how quickly it removes exposed access paths, not by how many scans were completed.
Identity blast radius is determined by how long exposed credentials remain usable. The named concept here is the period between password exposure and enforced remediation. The shorter that window, the smaller the attacker’s opportunity to convert breach data into enterprise access. This is why exposed-password monitoring, stale-account cleanup, and access review should be treated as one governance loop, not separate tasks.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- From our research: 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Forward look: Read Ultimate Guide to NHIs , Key Challenges and Risks for the visibility and over-privilege patterns that keep exposure persistent.
What this signals
Exposed credential management is converging with identity lifecycle governance. The operational issue is no longer just whether a password is weak. It is whether the organisation can detect exposure, confirm ownership, and remove access before the credential becomes a reusable entry point. That makes stale-account cleanup, review cadence, and reset enforcement part of the same control loop.
Identity teams should expect password exposure to remain a recurring remediation burden. As breach datasets expand, old credentials age into current risk and periodic review becomes less effective on its own. Teams that still treat exposure as a quarterly problem will keep rediscovering the same accounts in remediation queues.
For practitioners
- Benchmark exposed-password prevalence across the directory Run a domain-wide scan for credentials that appear in breach datasets or common-password lists, then segment results by business unit, application tier, and account age so remediation can target the highest-risk identities first.
- Prioritise stale-account remediation with credential exposure Remove or disable inactive accounts only after confirming whether they still have valid passwords, privileged entitlements, or application dependencies, because stale identities become easy compromise targets when exposure is already high.
- Tie password policy exceptions to explicit ownership Track every exception, shared account, and service-linked user through a named owner and expiry date so exposed credentials cannot remain in place simply because no one is accountable for them.
- Automate response to newly exposed credentials Create a workflow that forces password resets, sign-in review, and access revalidation when a credential is detected in breach corpora, instead of waiting for the next periodic review cycle.
Key takeaways
- Active Directory credential exposure is increasing, and the risk now comes from both compromised and weak passwords.
- The data points to a governance problem that combines password reuse, stale accounts, and delayed remediation.
- Continuous monitoring and fast identity lifecycle action are the controls that reduce the window attackers can exploit.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Credential exposure and rotation gaps sit at the center of this article. |
| NIST CSF 2.0 | PR.AC-1 | Identity and credential management are directly in scope for access control. |
| NIST SP 800-53 Rev 5 | IA-5 | Authenticator management covers password handling and exposure remediation. |
| NIST Zero Trust (SP 800-207) | Zero Trust depends on continuous verification when credentials may already be compromised. | |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | Stolen credentials enable the access and movement path described in the article. |
Revalidate identity and session trust whenever exposure signals indicate a password may no longer be safe.
Key terms
- Compromised Credential: A compromised credential is a password, token, or other authenticator that has already been exposed to attackers or appears in known breach data. In identity operations, it represents a live trust failure because the secret may still authenticate successfully even though it is no longer safe to use.
- Stale Account: A stale account is an identity that remains active even though it is no longer needed for a current business purpose. These accounts are risky because they often keep valid credentials, may escape regular review, and can become easy entry points when exposure or reuse is present.
- Password Spraying: Password spraying is an attack method that tries a small number of common passwords across many accounts to avoid lockouts and detection. It is effective against weak or reused passwords and becomes more dangerous when directories contain many inactive or under-reviewed identities.
- Identity Blast Radius: Identity blast radius is the amount of damage an attacker can cause once one account or secret is exposed. The wider the permissions, reuse, and lifecycle delay, the more an exposed credential can move from a single login problem to a broader compromise event.
What's in the full article
Enzoic's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step AD Lite scan interpretation for compromised and weak password findings
- Guidance on prioritising remediation for stale, expired, and no-credential accounts
- Operational examples of continuous monitoring and automated remediation workflows
- The article's specific breakdown of why unsafe-password rates rose between 2024 and 2025
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-02-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org