Passwords in businesses – often an underestimated vulnerability

Passwords have been a key security measure in businesses for decades – yet they are also one of the most common causes of successful cyberattacks. Despite modern security technologies, cloud services and increasing automation, password practices remain problematic in many organisations. Passwords that are too short, reused or easy to guess often leave the door wide open to attackers.
Well-known examples of poor passwords, such as “12345”, “password”, “qwertz”, “admin” or simple variations using years, are not uncommon even in a corporate environment. Such passwords can be guessed automatically within seconds or may already have been compromised in known data breaches. Combined with a lack of multi-factor authentication or insufficient staff awareness, this creates a significant risk to business processes, sensitive data and the availability of critical systems.
Passwords as a risk in businesses
Many successful cyberattacks begin with the compromise of login credentials. Cross-sector breach analyses repeatedly attribute a large majority of breaches (figures above 80% are commonly cited) to weak or stolen credentials combined with a lack of additional controls such as multi-factor authentication.
Common causes:
- Reusing passwords across multiple systems.
- Passwords that are easy to guess (e.g. ‘password’, ‘123456’) – even in a professional environment.
- Missing or outdated guidelines in corporate password policies.
- Insufficient awareness of risks among employees.
These vulnerabilities provide attackers with easy entry points: systems can be compromised with minimal effort through credential stuffing, brute-force or social engineering attacks.
Brute-force attack: automated programs systematically try every possible password until the correct one is found. The shorter and simpler a password is, the sooner such an attack succeeds. Long, unique passwords drawn from a wide character set increase the number of candidates so steeply that exhaustive search becomes impractical. How quickly guesses can be tested also depends on where the attack runs: an online login that rate-limits or locks accounts allows only a handful of attempts, whereas a stolen hash database can be attacked offline at billions of guesses per second unless a deliberately slow hashing function such as bcrypt, scrypt or Argon2 is used.

Credential stuffing: attackers automatically try known, stolen login credentials from previous data breaches against other services and systems. Because many users reuse passwords, such attacks are often successful even when the target system itself is technically well secured. Unique passwords per service and multi-factor authentication significantly reduce this risk.

Social engineering attack: an attack that exploits human behaviour rather than technical vulnerabilities. Attackers manipulate employees, for example through phishing emails, fake phone calls or messages that appear genuine, in order to obtain login credentials or sensitive information. Technical safeguards alone are not enough here; awareness, clear processes and trained staff are crucial.
Current BSI recommendations on password security
The Federal Office for Information Security (BSI) has revised its guidelines on password security, emphasising that:
1. Strong passwords rather than frequent changes
Routine, mandatory password changes without a concrete reason are no longer generally recommended: they tend to produce weaker passwords or systematic variations (“Winter2024”, “Winter2025”). Security is instead achieved through strong, unique passwords and additional protective measures, with a change whenever a compromise is known or suspected.
2. Password complexity and length
Passwords should be sufficiently long; length matters more than rigidly enforcing the use of special characters. Length and randomness are what increase entropy and thus resistance to brute-force attacks; uniqueness per service does not add entropy, but it confines the damage when one service’s credentials leak.
3. Use password managers
The use of password managers for the secure management of different login credentials is recommended to ensure the uniqueness and strength of passwords.
4. Supplementary authentication
The integration of multi-factor authentication (MFA) is an essential safeguard, as it requires a second, independent security factor even in the event of password theft.
Why password complexity works – and where its limits lie
Security guidelines often stipulate that passwords must consist of upper- and lower-case letters, numbers and special characters. This is fundamentally correct – though not because these characters are ‘more complicated’ for software. To systems, all characters are ultimately just sequences of bits. The real security benefit stems from the mathematics behind it: the larger the permitted character set and the longer the password, the greater the so-called search space that an attacker would have to search through.
An example illustrates the effect:
If a password consists of eight characters, using only lower-case letters gives 26⁸ combinations, roughly 209 billion possibilities. If upper-case letters and digits are also allowed, the search space grows to 62⁸ combinations (over 218 trillion). With the full set of 95 printable ASCII characters it reaches 95⁸, about 6.6 quadrillion. The search space grows exponentially with length but only polynomially with the size of the character set: extending the 95-character password from eight to twelve characters (95¹²) yields roughly 5 × 10²³ candidates, a far larger gain than widening the alphabet from 62 to 95 characters (a factor of about 30). To put those numbers in perspective, assume an attacker with a stolen hash database who can test 10¹⁰ guesses per second, which is plausible for a fast hash on GPU hardware: 26⁸ is exhausted in about 20 seconds, 62⁸ in about six hours, 95⁸ in about eight days, and 95¹² only after well over a million years. A deliberately slow password hash such as bcrypt, scrypt or Argon2 reduces the attacker’s rate by orders of magnitude on top of that.
In practice, however, attackers rarely use pure brute-force methods. More common are dictionary and pattern attacks, in which known terms, typical password structures (“Summer2024”, “Password!”) or predictable combinations of special characters are tested. This is precisely where the weakness of many seemingly “complex” passwords lies: if special characters or numbers are used according to known patterns, the security benefit drops dramatically.
The key insight is therefore: in many cases, password length matters more than the variety of characters used.
A long, random passphrase often offers more protection than a short password containing special characters. Artificial intelligence does not fundamentally change this – it merely helps attackers to recognise human patterns more quickly, but cannot circumvent the mathematical reality of a sufficiently large search space.
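The following script, added here as an illustration and not part of the original article, carries the search-space arithmetic above through for the article’s three character sets and adds the two cases the text only describes in words: a password such as “Summer2024!” viewed as a Word+Year+Symbol pattern rather than as eleven random printable characters, and a five-word random diceware passphrase. The guess rate of 10¹⁰ per second and the pattern sizes (10,000 dictionary words, 100 years, 10 trailing symbols) are assumptions chosen for illustration, not figures from the article.

```python
import math

# Assumed attacker throughput for the time estimates (a constructed, illustrative
# figure): roughly 1e10 guesses per second, the order of magnitude a GPU rig
# reaches against a fast unsalted hash. A deliberately slow hash such as
# bcrypt, scrypt or Argon2 cuts this by several orders of magnitude.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character-set sizes used in the article's example.
CHARSETS = {
    "lower-case only": 26,
    "lower + upper + digits": 62,
    "printable ASCII": 95,
}

DICEWARE_WORDS = 7776   # size of a standard diceware word list (6^5)
PATTERN_WORDS = 10_000  # assumed: capitalised dictionary words people pick ("Summer", "Berlin")
PATTERN_YEARS = 100     # assumed: two- or four-digit years from about 1950 onwards
PATTERN_SYMBOLS = 10    # assumed: the few symbols people actually append (! ? . # ...)


def search_space(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: charset_size ** length.
    Exponential in the length, only polynomial in the character-set size."""
    return charset_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the search space: the password's strength in bits."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return space / rate / SECONDS_PER_YEAR


def pattern_space() -> int:
    """Effective search space of 'Word + year + symbol' passwords such as Summer2024!.
    A dictionary/pattern attack enumerates the pattern, not the raw character set."""
    return PATTERN_WORDS * PATTERN_YEARS * PATTERN_SYMBOLS


def passphrase_space(words: int) -> int:
    """Search space of a passphrase made of `words` randomly drawn diceware words."""
    return DICEWARE_WORDS ** words


def compare() -> dict:
    """Search spaces for the article's cases plus the pattern and passphrase cases."""
    rows = {}
    for name, size in CHARSETS.items():
        rows[f"8 chars, {name}"] = search_space(size, 8)
    rows["12 chars, printable ASCII"] = search_space(95, 12)
    rows["'Summer2024!' counted as 11 printable chars"] = search_space(95, 11)
    rows["'Summer2024!' as a Word+Year+Symbol pattern"] = pattern_space()
    rows["5 random diceware words"] = passphrase_space(5)
    return rows


if __name__ == "__main__":
    print(f"{'password model':45s} {'candidates':>24s} {'bits':>6s} {'years @1e10/s':>14s}")
    for label, space in compare().items():
        print(f"{label:45s} {space:>24.3g} {entropy_bits(space):6.1f} {years_to_exhaust(space):14.3g}")
```

The two “Summer2024!” rows are the point of the exercise: counted as printable characters the password looks like 72 bits, but as the pattern an attacker actually enumerates it is about 23 bits, fewer than the eight lower-case letters the article starts with. The five-word passphrase, by contrast, sits at roughly 65 bits and outlasts the 95-character eight-character password by a factor of several thousand at the same guess rate.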
Best practices: From policy to implementation
Effective password management within a company should involve more than just individual security rules. The following recommendations will help IT managers to address risks in a structured manner:
1. Establish a formal password policy
Define binding rules for:
- Minimum length and password format
- A unique password for every system (no reuse)
- Handling compromised passwords
- Integration into the identity and access management process
Such policies form the backbone of enforceable security measures.
2. Introduce a password manager within the organisation
A centrally managed password manager reduces the temptation to reuse simple passwords and ensures stronger, automatically generated login credentials. Training on how to use these tools and regular security checks are essential.
3. Make multi-factor authentication (MFA) mandatory
MFA should be the standard for all sensitive accounts. Even if a password is compromised, access remains protected without the second factor.
4. Implement monitoring and audits
Regular checks and automated tools to detect weak or reused passwords enhance security and help identify policy gaps at an early stage.
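As an added example (not code from the article or from Securepoint), the script below turns the policy rules from section 1 (minimum length, a unique password per system, handling of compromised passwords) and the automated checks from section 4 into a password-set-time check. The breach corpus is a constructed stand-in of six hashes; a real deployment would query the Have I Been Pwned range endpoint with the same five-character SHA-1 prefix, which is the k-anonymity lookup the `breach_range_query` function mirrors locally. The user, system names and sample passwords are all constructed for the scenario. Reuse across systems is detected without ever storing plaintext: the candidate is verified against the user’s salted PBKDF2 hashes on the other systems.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP's current order of magnitude)

# Constructed stand-in for a breach corpus: SHA-1 hashes of passwords seen in
# public data breaches. A production check would send only the first five hex
# characters of the SHA-1 hash to the Have I Been Pwned "range" endpoint
# (k-anonymity) and compare the returned suffixes locally; the logic is the same.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["123456", "password", "qwertz", "admin", "Summer2024!", "Password!"]
}

# The human pattern described in the article: capitalised word, year, optional symbol.
WORD_YEAR_SYMBOL = re.compile(r"^[A-Z][a-z]{2,}(19|20)\d{2}[!?.#$%&*]{0,2}$")


def breach_range_query(prefix5: str) -> set:
    """Suffixes (characters 6-40) of all breached hashes sharing a 5-char prefix.
    Mirrors the HIBP range API: the full hash never leaves the caller."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_range_query(digest[:5])


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 hash as a system would store it. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def reused_on(password: str, other_systems: dict) -> list:
    """Names of systems where the user's stored hash verifies against the candidate.
    No plaintext is stored anywhere; the comparison only runs at password-set time."""
    return [name for name, (salt, digest) in other_systems.items() if verify(password, salt, digest)]


def check_policy(password: str, other_systems: dict) -> list:
    """Policy violations for a candidate password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if WORD_YEAR_SYMBOL.match(password):
        problems.append("matches the Word+Year+Symbol pattern")
    if is_breached(password):
        problems.append("appears in a known breach")
    for system in reused_on(password, other_systems):
        problems.append(f"already used for another system: {system}")
    return problems


def audit_candidates() -> dict:
    """Constructed scenario: one user already has passwords on two systems and
    proposes new passwords for a third."""
    existing = {
        "vpn": hash_password("Tr0ub4dor&3-but-long"),
        "crm": hash_password("correct horse battery staple"),
    }
    candidates = [
        "Summer2024!",                    # short, patterned and breached
        "Tr0ub4dor&3-but-long",           # strong, but already the VPN password
        "Ganz-Anderer-Schluessel-2-Crm",  # long, unique, never seen
    ]
    return {pw: check_policy(pw, existing) for pw in candidates}


if __name__ == "__main__":
    for pw, problems in audit_candidates().items():
        print(f"{pw!r}: {'accepted' if not problems else '; '.join(problems)}")
```

Two design points worth keeping when adapting this: the breach check hashes with SHA-1 only because that is the format breach corpora and the HIBP API use, while the passwords a system stores itself go through a slow, salted hash; and the reuse check must run when the user sets the password, because once only salted hashes exist the same password on two systems is no longer recognisable from the stored data alone.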
5. Employee awareness programmes
Technical measures alone are not enough: awareness campaigns, training sessions and recurring initiatives (e.g. ‘Change Your Password Day’) help to establish a culture of security.
Conclusion: Passwords remain relevant – but they are not the only solution
Even though modern authentication methods such as passkeys or passwordless approaches are gaining in importance, passwords remain a key security measure in a corporate context; however, they are only effective when used in conjunction with structured processes and supplementary controls.
For businesses and their IT departments, this means:
✔ strong, documented password policies
✔ technical safeguards via MFA and password managers
✔ continuous monitoring rather than mandatory changes without proper review.
Smart security starts with awareness
The annual ‘Change-Your-Password Day’ on 1 February offers an excellent opportunity to launch internal campaigns on security basics and raise staff awareness of strong authentication. An awareness training programme – such as the one Securepoint offers specifically for businesses – can effectively impart knowledge, highlight risks and improve behaviour in the long term, without coming across as ‘salesy’.
Companies and IT managers can find out more about practical training and awareness concepts at Securepoint:
👉 https://www.securepoint.de/en/fuer-unternehmen/awareness-training

![Kevin Thomas, your PR contact at Securepoint.](/fileadmin/securepoint/allgemein/geteilte_inhalte/bilder/securepoint-mitarbeiter/kevin-thomas.jpg)