By Garrett Kohlrusch | GK Data LLC
Password security has been a staple of security awareness training for decades. Use long passwords. Don’t reuse them. Change them regularly. Don’t write them down.
Most people have heard this. Many follow it. And breaches tied to credential compromise are still among the most common causes of serious incidents — not because the advice is wrong, but because the advice addresses only one part of a much larger problem.
The password itself is rarely where identity security breaks down. The breakdown happens in everything built around it: how authentication is enforced, what access a compromised credential grants, how sessions are managed, and whether there’s any mechanism to detect that a credential is being abused.
How Credentials Actually Get Compromised
Understanding the attack surfaces helps clarify where the real controls need to be.
Credential stuffing is the dominant attack pattern against login endpoints right now. Billions of username/password pairs from past breaches are publicly available. Attackers automate login attempts against every major service using these pairs, because a significant percentage of users reuse passwords across accounts. The credentials being tested aren’t guessed — they’re real credentials from real users that happen to still work somewhere.
Phishing remains the most reliable way to steal credentials that aren’t in a breach database yet. A convincing login page served from a lookalike domain, paired with a pretextual email, captures credentials directly — including, increasingly, the MFA code entered immediately afterward, which is relayed to the real site in real time before it expires.
Password spraying targets organizations where account lockout policies are active. Rather than trying many passwords against one account (which triggers lockout), an attacker tries one common password against many accounts. “Spring2025!” against every account in a company’s directory will find a match more often than it should.
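The pattern described above leaves a recognizable footprint in authentication logs: one source failing against many different accounts while never exceeding the per-account count a lockout policy would trip on. The following detector is an added example, not GK Data's code; the log format, the constructed sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, one event per line: "<timestamp> <user> <source_ip> <result>"
SAMPLE_LOG = """\
2025-03-10T02:01:05 alice 203.0.113.7 FAIL
2025-03-10T02:01:09 bob 203.0.113.7 FAIL
2025-03-10T02:01:14 carol 203.0.113.7 FAIL
2025-03-10T02:01:20 dave 203.0.113.7 FAIL
2025-03-10T02:01:27 erin 203.0.113.7 FAIL
2025-03-10T02:01:33 frank 203.0.113.7 SUCCESS
2025-03-10T09:15:00 alice 198.51.100.20 FAIL
2025-03-10T09:15:30 alice 198.51.100.20 FAIL
2025-03-10T09:16:00 alice 198.51.100.20 SUCCESS
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag IPs whose failures spread over many accounts in the window, few attempts each."""
    fails_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = sorted(per_user)
    return alerts

def successes_after_spray(events, alerts):
    """The event that needs a response: a SUCCESS from a source already flagged as spraying."""
    hits = defaultdict(list)
    for _, user, ip, result in events:
        if result == "SUCCESS" and ip in alerts:
            hits[ip].append(user)
    return dict(hits)
```

A user who mistypes their own password twice from their usual address (the second source in the sample) is not flagged, because the distinct-account count never reaches the threshold.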
Credential exposure in code and configuration is less glamorous but highly effective. API keys, service account credentials, and database connection strings committed to source code repositories — including private ones — represent one of the most common findings in web application assessments. Once exposed, these credentials are often valid indefinitely because there’s no rotation process and no monitoring for their use.
Where the Trust Model Breaks
Most authentication systems make a binary determination: valid credential, access granted. The problems start there.
A valid credential presented from an unusual country at 3am after months of normal business-hours activity is treated the same as a normal login — because the credential is valid. The context is different, but the system isn’t checking context.
A valid credential with no MFA enrolled on a privileged account is one phished email away from full account takeover. MFA doesn’t prevent phishing — it requires the attacker to capture and replay the second factor in real time, which is harder but not impossible. What MFA does is raise the cost of credential abuse significantly, which filters out most opportunistic attacks.
A valid credential that grants access to everything the user might ever conceivably need — because access was never scoped to what the user actually requires — means a compromised account has a much larger blast radius than it should.
Session tokens that don’t expire, that can be reused after password changes, or that aren’t invalidated on logout create a parallel credential that persists after the password is rotated. An attacker who captures a session token may retain access long after the compromised password is changed.
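One way to close all three gaps at once is to bind every session token to a per-user credential generation that is bumped on password change, and to revoke tokens server-side on logout and on expiry. The session store below is an added example, not GK Data's code; the in-memory storage, the eight-hour lifetime and the injectable clock are assumptions made to keep it self-contained.

```python
import secrets
import time

SESSION_TTL = 8 * 3600  # absolute lifetime in seconds: no token lives for ever

class SessionStore:
    """In-memory session store (added example) that ties each token to the credential
    generation it was issued under, so password changes and logout revoke it server-side."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.sessions = {}            # token -> (user, generation, expires_at)
        self.generation = {}          # user -> counter bumped on every credential change

    def create(self, user):
        token = secrets.token_urlsafe(32)   # random and unguessable; never derived from the password
        gen = self.generation.setdefault(user, 0)
        self.sessions[token] = (user, gen, self.clock() + SESSION_TTL)
        return token

    def validate(self, token):
        """Return the user for a live token, or None if it is unknown, expired or stale."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen, expires_at = entry
        if self.clock() >= expires_at or gen != self.generation.get(user, 0):
            self.sessions.pop(token, None)  # issued before the last password change, or timed out
            return None
        return user

    def logout(self, token):
        self.sessions.pop(token, None)      # revoke on the server, not just by clearing a cookie

    def change_password(self, user):
        """Bump the generation so every token issued under the old password stops validating."""
        self.generation[user] = self.generation.get(user, 0) + 1
```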
What Actually Reduces Identity Risk
MFA on every account that touches sensitive data or systems. Not optional, not for most accounts — for all of them. Phishing-resistant MFA (hardware keys, passkeys) is significantly stronger than TOTP codes or SMS, which can be intercepted or socially engineered. The right choice depends on the threat model, but something is better than nothing, and not all MFA implementations are equivalent.
Privileged accounts separated from daily-use accounts. Administrative credentials that are used for regular browsing, email, and general work are exposed to the full attack surface of daily computing. Separate accounts for administrative functions — used only for administrative purposes — limit the exposure window.
Credential rotation with monitoring, not rotation on a schedule. Periodic forced password changes without detection capability produce churn without security improvement. Monitoring for anomalous credential use — unusual authentication locations, unexpected access patterns, off-hours logins — with alerts and response procedures is substantially more effective.
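This is the same context check the "valid credential from an unusual country at 3am" case earlier called for: judge the login against that user's own history rather than treating every valid credential identically. The scorer below is an added example, not GK Data's code; the weights, the decision thresholds, the country codes and the constructed twenty-login history are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Baseline:
    """What this user's past successful logins looked like."""
    countries: set = field(default_factory=set)   # countries seen in prior logins
    hours: set = field(default_factory=set)       # local hours (0-23) seen in prior logins
    logins: int = 0

    def learn(self, country, when):
        self.countries.add(country)
        self.hours.add(when.hour)
        self.logins += 1

def score_login(baseline, country, when, privileged=False):
    """Return (score, reasons) for a login whose credential already checked out."""
    if baseline.logins < 10:
        return 0, ["insufficient history"]  # do not score against a baseline that does not exist yet
    score, reasons = 0, []
    if country not in baseline.countries:
        score += 50
        reasons.append(f"new country {country}")
    if when.hour not in baseline.hours:
        score += 30
        reasons.append(f"off-hours login at {when.hour:02d}:00")
    if privileged:
        score += 20
        reasons.append("privileged account")
    return score, reasons

def decide(score):
    """Map the score to the action the login pipeline takes (assumed thresholds)."""
    if score >= 70:
        return "alert_and_step_up"   # page the responder and demand a stronger factor
    if score >= 30:
        return "step_up_mfa"
    return "allow"

def build_sample_baseline():
    # Constructed history: twenty logins from one country, all between 09:00 and 16:59.
    b = Baseline()
    for day in range(1, 21):
        b.learn("US", datetime(2025, 2, day, 9 + day % 8))
    return b
```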
Scope access to what’s actually needed. The principle of least privilege is straightforward: a compromised account should be able to reach what that user needs, not the entire environment. This requires knowing what access each account actually has — which most organizations don’t have a complete picture of — and trimming accordingly.
Test authentication flows, not just configuration. Account lockout policies that look correct in documentation sometimes don’t behave correctly under testing. Password reset flows that appear secure sometimes have logic vulnerabilities an attacker can exploit. MFA implementations have known bypass techniques. Knowing your authentication is configured correctly is different from knowing it works the way you expect under adversarial conditions.
How GK Data LLC Can Help
Identity and authentication testing is a core component of every web application engagement we conduct. We test login flows for brute-force protections, MFA bypass techniques, session management issues, and account enumeration. We look for credentials exposed in code, configuration, and HTTP responses.
If your authentication hasn’t been tested against an adversarial set of assumptions, the controls you have may not perform the way you expect.
[email protected] | gkdata.io
GK Data LLC — Minneapolis, MN. Web application security and managed IT services.