TL;DR: Password reuse, weak password selection and phishing remain the main paths to account compromise, and GlobalSign cites NordPass data showing 123456 is still common while Microsoft estimates MFA can block 99.9% of account compromise attacks. The real lesson is that password policy alone is not a security model; identity programmes need layered controls, user education and MFA as baseline governance.
At a glance
What this is: This is a password security explainer showing that hygiene, hashing, salting and MFA all matter, but none is sufficient alone.
Why it matters: It matters because human IAM teams still face account takeover risk when password policy is treated as a standalone control instead of one layer in a broader identity programme.
By the numbers:
- The most common password remains 123456, according to NordPass, and it can be cracked in less than one second.
- The 13% of users reuse the same password for all accounts, and the 52% reuse a password for some accounts.
- Half of UK companies reported suffering some form of cyber breach in 2023.
👉 Read GlobalSign's guide to password hygiene, hashing and MFA
Context
Password security is the discipline of reducing account takeover risk through stronger secrets, better storage and layered authentication. The article argues that weak or reused passwords remain a common entry point, but the deeper issue is that organisations often treat passwords as if they were a complete control rather than one part of human IAM.
For practitioners, the operational question is not whether passwords should be hard to guess. It is whether password policy, hashing, salting and MFA are aligned with access governance, user education and compromise response so that a single exposed credential does not become a durable account path.
Key questions
Q: How should security teams reduce account takeover risk without relying on passwords alone?
A: Security teams should treat passwords as a baseline, not the primary control. The practical stack is long passwords, blocklists for common secrets, salted hashing at rest and MFA at authentication time. Once those are in place, focus on recovery flows, privileged accounts and reuse monitoring so one compromised secret does not create broad access.
Q: Why do reused passwords create such a large identity risk?
A: Reused passwords turn one compromise into a chain reaction. If a password leaks from any other service, attackers can try it elsewhere through credential stuffing and often find the same secret working across email, SaaS or internal systems. That is why uniqueness is a governance control, not just a user preference.
Q: What do organisations get wrong about hashing and salting?
A: They often assume hashing and salting solve password risk on their own. In reality, those controls protect stored secrets if a database is exposed, but they do not stop phishing, reuse or weak recovery design. Good identity governance separates storage protection from authentication assurance.
Q: Who is accountable when password-only authentication leads to account compromise?
A: Accountability sits with the identity and access programme, not just the end user. Security teams are responsible for MFA coverage, secure password storage, recovery policy and reuse monitoring, while business owners must accept the residual risk of any accounts left on password-only access.
Technical breakdown
Why weak password selection still drives account compromise
Weak passwords fail because attackers do not need to solve every secret, only the most common patterns. Brute force attacks succeed quickly against short or predictable passwords, while credential stuffing succeeds when a password reused on one service also works elsewhere. Password length, entropy and uniqueness change the economics of attack, but they do not remove the exposure created when users carry the same secret across multiple systems. That is why password policy is only the front edge of human IAM, not the control boundary.
Practical implication: enforce minimum length, block common passwords and measure reuse risk across authenticated accounts.
How hashing and salting change the storage risk model
Hashing converts a password into a fixed-length value so the original secret is not stored in clear text. Salting adds a unique random value before hashing so identical passwords produce different stored outputs, which disrupts precomputed cracking and rainbow table attacks. These are storage controls, not authentication controls. They reduce the damage if a database is exposed, but they do not protect against phishing, password reuse or weak recovery workflows. In identity terms, hashing and salting protect the secret at rest, not the account lifecycle around it.
Practical implication: verify that passwords are salted and hashed before storage, and do not treat that as a substitute for stronger authentication.
Why MFA is the decisive layer for human identity
Multi-factor authentication raises the cost of account takeover because possession or inherence factors add a second control beyond the password. In practice, MFA matters most where users authenticate remotely, reuse passwords, or face phishing and credential replay. The article cites Microsoft’s estimate that MFA blocks 99.9% of account compromise attacks, which is directionally consistent with its role as a compensating control for human login risk. MFA is not flawless, but it is the control that turns password hygiene from a single point of failure into a layered access check.
Practical implication: prioritise MFA coverage for all remote and privileged accounts before spending more effort on password complexity rules.
Threat narrative
Attacker objective: The attacker wants to turn one exposed or reused credential into broader access to accounts, data or services.
- Entry occurs through phishing, brute force or credential stuffing, where the attacker tests a known or guessed password against an account.
- Escalation occurs when the same secret works across additional services or when the account lacks MFA, allowing the attacker to expand access.
- Impact appears as account compromise, data exposure, service abuse or denial of service, depending on what the compromised identity can reach.
Breaches seen in the wild
- Google Firebase misconfiguration breach — Firebase misconfigurations exposed 19.8M secrets across developer instances.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Password policy is necessary, but it is not an identity strategy. Length, complexity and uniqueness reduce guessability, yet the article itself shows that weak passwords still coexist with widespread reuse and phishing exposure. Human IAM fails when organisations mistake a secret-quality rule for a complete account governance model. The practitioner conclusion is that password hygiene must be treated as one control inside a broader access programme.
Hashing and salting protect stored secrets, not account trust. They matter when databases are exposed, but they do nothing if the attacker arrives through phishing, credential stuffing or weak recovery paths. That distinction is central to modern IAM design because too many programmes focus on how passwords are stored while underweighting how identities are actually accessed. The practitioner conclusion is to align storage controls with authentication controls, not substitute one for the other.
Multifactor authentication is the control that changes the economics of takeover. The article’s Microsoft statistic is the strongest indicator here: password policy may slow attackers, but MFA is what materially shrinks the success rate of compromised credentials. In NIST SP 800-63 terms, assurance rises when authentication depends on more than knowledge alone. The practitioner conclusion is to expand MFA coverage before pursuing marginal password complexity gains.
Credential reuse is the quiet bridge between human IAM and NHI risk. The same habit that weakens employee accounts also normalises secret reuse across service accounts, API keys and other non-human identities. That is why password hygiene discussions should not stop at the user login screen. The practitioner conclusion is to treat secret reuse as an enterprise-wide identity behaviour, not a user-training problem alone.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- If secret validity lingers for days after notification, then password and secret governance need to be paired with fast offboarding and rotation, as described in our Ultimate Guide to NHIs.
What this signals
Secret hygiene is converging across human and non-human identity programmes. The same organisational weakness that leaves employee passwords exposed also shows up in API keys, service accounts and certificates. With 96% of organisations storing secrets outside secrets managers in vulnerable locations such as code, config files and CI/CD tools, the programme lesson is clear: identity governance has to track secret handling across the full estate, not just login prompts.
Password policy metrics should now sit beside access governance metrics. If reuse rates, MFA coverage and reset hygiene are not measured together, teams will miss the real control gap. The practical signal to watch is whether identity controls reduce the number of credentials that can be replayed, not just whether users comply with complexity rules.
For practitioners
- Enforce long, blocklisted passwords first Set minimum lengths that make brute force impractical, and reject common passwords such as those found in public breach corpora. Pair that with password screening at creation and reset time so users cannot choose trivial secrets.
- Harden password storage with salted hashes Confirm that production systems store passwords only as salted hashes, with unique salts per secret and modern adaptive hashing where appropriate. Review legacy stores, recovery databases and synchronisation paths for clear-text exposure.
- Make MFA mandatory for all remote access Require MFA for employee, contractor and administrative access, with special priority for internet-facing logins and privileged pathways. If coverage is incomplete, close those gaps before tuning password policy further.
- Track credential reuse as a governance signal Measure how often the same secret appears across accounts and use that finding to drive targeted resets, user coaching and step-up controls. Reuse is a behaviour metric, not just a help desk issue.
Key takeaways
- Password security fails when organisations confuse secret quality with identity assurance.
- Hashing and salting reduce stored-secret exposure, but MFA is what materially changes account takeover economics.
- Identity teams should measure reuse, coverage and recovery flows, because password policy alone cannot contain modern credential abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Password and authenticator guidance is central to the article's MFA and storage discussion. |
| NIST CSF 2.0 | PR.AC-1 | The article focuses on authenticated access and identity assurance. |
| NIST Zero Trust (SP 800-207) | The article supports continuous verification rather than password-only trust. | |
| NIST SP 800-53 Rev 5 | IA-2 | MFA for user authentication maps directly to identification and authentication controls. |
Map password and MFA controls to PR.AC-1 and verify access is restricted to legitimate users.
Key terms
- Password Hygiene: Password hygiene is the practice of creating, storing and using passwords in ways that reduce compromise risk. It includes length, uniqueness, blocklisting common secrets and avoiding reuse across systems. In mature programmes, it is treated as a governance issue, not only a user-behaviour issue.
- Credential Stuffing: Credential stuffing is an attack method where stolen username and password pairs are tried against other services at scale. It works because many people reuse passwords across accounts, so one breach can unlock unrelated systems. The attack is automated, opportunistic and highly dependent on identity reuse.
- Salting: Salting adds a unique random value to a password before hashing it, so identical passwords do not produce the same stored result. This makes precomputed cracking and mass comparison far less effective. Salting protects stored credentials, but it does not replace strong authentication or MFA.
- Multi-Factor Authentication: Multi-factor authentication requires more than one proof of identity, usually combining something the user knows with something they have or are. It is one of the most effective controls against account takeover because a stolen password alone is no longer sufficient to authenticate.
What's in the full article
GlobalSign's full article covers the practical password hygiene details this post intentionally leaves at the strategic level:
- Step-by-step explanation of brute force, phishing and credential stuffing as compromise paths
- Detailed guidance on hashing and salting for password storage and verification
- Practical discussion of MFA as a compensating control for account compromise
- Plain-language reminders on password handling habits for end users and administrators
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-05-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org