TL;DR: Password reuse, weak password selection and phishing remain the main paths to account compromise, and GlobalSign cites NordPass data showing 123456 is still common while Microsoft estimates MFA can block 99.9% of account compromise attacks. The real lesson is that password policy alone is not a security model; identity programmes need layered controls, user education and MFA as baseline governance.
NHIMG editorial — based on content published by GlobalSign: password security, hashing, salting and MFA guidance
By the numbers:
- The most common password remains 123456, according to NordPass, and it can be cracked in less than one second.
- The 13% of users reuse the same password for all accounts, and the 52% reuse a password for some accounts.
- Half of UK companies reported suffering some form of cyber breach in 2023.
Questions worth separating out
Q: How should security teams reduce account takeover risk without relying on passwords alone?
A: Security teams should treat passwords as a baseline, not the primary control.
Q: Why do reused passwords create such a large identity risk?
A: Reused passwords turn one compromise into a chain reaction.
Q: What do organisations get wrong about hashing and salting?
A: They often assume hashing and salting solve password risk on their own.
Practitioner guidance
- Enforce long, blocklisted passwords first Set minimum lengths that make brute force impractical, and reject common passwords such as those found in public breach corpora.
- Harden password storage with salted hashes Confirm that production systems store passwords only as salted hashes, with unique salts per secret and modern adaptive hashing where appropriate.
- Make MFA mandatory for all remote access Require MFA for employee, contractor and administrative access, with special priority for internet-facing logins and privileged pathways.
What's in the full article
GlobalSign's full article covers the practical password hygiene details this post intentionally leaves at the strategic level:
- Step-by-step explanation of brute force, phishing and credential stuffing as compromise paths
- Detailed guidance on hashing and salting for password storage and verification
- Practical discussion of MFA as a compensating control for account compromise
- Plain-language reminders on password handling habits for end users and administrators
👉 Read GlobalSign's guide to password hygiene, hashing and MFA →
Password hygiene, hashing and MFA: are your controls enough?
Explore further
Password policy is necessary, but it is not an identity strategy. Length, complexity and uniqueness reduce guessability, yet the article itself shows that weak passwords still coexist with widespread reuse and phishing exposure. Human IAM fails when organisations mistake a secret-quality rule for a complete account governance model. The practitioner conclusion is that password hygiene must be treated as one control inside a broader access programme.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Who is accountable when password-only authentication leads to account compromise?
A: Accountability sits with the identity and access programme, not just the end user. Security teams are responsible for MFA coverage, secure password storage, recovery policy and reuse monitoring, while business owners must accept the residual risk of any accounts left on password-only access.
👉 Read our full editorial: Password security still fails without stronger identity controls