Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Active Directory password risk is rising. Are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: Compromised passwords are rising from about 14% of accounts in 2024 to roughly 19% in 2025, while unsafe credentials crossed 22%, according to Enzoic’s AD Lite scan data. This reinforces the Verizon DBIR finding that credential abuse is the leading initial access vector, and password exposure is now a continuous identity problem, not a one-time hygiene issue.

NHIMG editorial — based on content published by Enzoic: Rising Risk of Compromised Credentials in AD Active Directory Credential Screening

By the numbers:

Questions worth separating out

Q: How should security teams handle exposed Active Directory passwords?

A: They should treat exposed passwords as active compromise risk, not hygiene debt.

Q: Why do stale accounts make credential compromise worse?

A: Stale accounts extend the time an attacker can use a valid password without raising suspicion.

Q: What do security teams get wrong about password risk in Active Directory?

A: They often assume a strong policy alone is enough.

Practitioner guidance

  • Benchmark exposed-password prevalence across the directory Run a domain-wide scan for credentials that appear in breach datasets or common-password lists, then segment results by business unit, application tier, and account age so remediation can target the highest-risk identities first.
  • Prioritise stale-account remediation with credential exposure Remove or disable inactive accounts only after confirming whether they still have valid passwords, privileged entitlements, or application dependencies, because stale identities become easy compromise targets when exposure is already high.
  • Tie password policy exceptions to explicit ownership Track every exception, shared account, and service-linked user through a named owner and expiry date so exposed credentials cannot remain in place simply because no one is accountable for them.

What's in the full article

Enzoic's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step AD Lite scan interpretation for compromised and weak password findings
  • Guidance on prioritising remediation for stale, expired, and no-credential accounts
  • Operational examples of continuous monitoring and automated remediation workflows
  • The article's specific breakdown of why unsafe-password rates rose between 2024 and 2025

👉 Read Enzoic's analysis of rising Active Directory credential compromise risk →

Active Directory password risk is rising. Are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Exposed-password risk is now a lifecycle problem, not a hygiene issue. Password exposure does not end when a user changes behaviour once or when a scan is run. Breach datasets keep expanding, and that means the same identity can move from safe to compromised without any local change in the environment. The implication is that credential governance must be continuous across joiner, mover, and leaver states, not periodic and reactive.

A few things that frame the scale:

A question worth separating out:

Q: How do IAM teams reduce account takeover risk from compromised credentials?

A: They reduce risk by combining exposure detection, access review, and rapid remediation. That means identifying compromised passwords, removing stale accounts, tightening privileged access, and proving that each account still has a business purpose. The control succeeds when exposed credentials stop being usable fast enough to matter.

👉 Read our full editorial: Active Directory credential risk is rising as exposed passwords spread



   
ReplyQuote
Share: