Cybersecurity | 10 min read

Password: password - why 22% of breaches start with stolen credentials

Password security in IT and OT - NIST SP 800-63B guidelines, passkeys, default passwords on PLC/HMI, and a practical account protection checklist.

Krzysztof Graj

Tags: passwords, password security, NIST, passkeys, FIDO2, MFA, OT, authentication

In November 2023, the CyberAv3ngers group affiliated with the Iranian IRGC seized control of Unitronics PLC controllers at several American water treatment facilities. The attack vector did not require advanced exploits or zero-days. The default password “1111,” which no one had changed since installation, was all it took. CISA issued an urgent advisory, but the problem ran far deeper than a single controller manufacturer.

This story perfectly illustrates the password security paradox: we know that weak passwords are dangerous, and yet organizations - in both IT and OT - continue to make the same mistakes. The Verizon DBIR 2025 report confirms that stolen or cracked credentials are the initial vector in 22% of security breaches. In the world of web applications, that number is even more alarming - 88% of attacks on basic web applications exploit stolen credentials.

What has changed since 2019

Back in 2019, the main advice from experts at SANS Anaheim training was: “password length matters more than complexity.” That remains true, but the threat landscape has changed dramatically.

A few facts that define today’s context:

  • In 2024, 2.8 billion passwords were put up for sale on criminal forums and the dark web
  • Infostealer malware stole 1.8 billion credentials globally in 2025
  • Have I Been Pwned added 1.96 billion unique email addresses from a single breach (Synthient Credential Stuffing) in 2025 alone
  • Brute force attacks on web applications tripled year-over-year - from 20% to 60% in the Basic Web Application Attacks category

Key figures:

  • 22% of breaches begin with stolen credentials
  • 2.8B passwords put up for sale in 2024
  • 3x year-over-year increase in brute force attacks
  • 87% of organizations deploying or already using passkeys (FIDO 2025)

Sources: Verizon DBIR 2025, Deepstrike Credential Statistics 2025, FIDO Alliance Passkey Index 2025

NIST SP 800-63B Revision 4 - new rules of the game

In August 2024, NIST published the second public draft of the fourth revision of SP 800-63B, which fundamentally changes the approach to passwords; the final version followed in 2025. The previous revision was officially withdrawn in August 2025, meaning the new guidelines are now the current federal standard.

What has changed

Rule | Old approach | NIST 800-63B Rev 4
Minimum length | 8 characters | 15 characters when the password is the sole authenticator (8 when it is one factor of MFA)
Complexity (uppercase, digits, special characters) | Required | Prohibited - verifiers "shall not" impose composition rules
Periodic password changes | Every 60-90 days | Prohibited - change only on evidence of compromise
Password pasting | Often blocked | Required - makes password managers usable
Checking against breach lists | Optional | Mandatory - compare candidates against blocklists of compromised, dictionary and context-specific passwords
Passkeys / syncable authenticators | No guidelines | Syncable passkeys accepted at AAL2; device-bound passkeys on hardware authenticators can meet AAL3

TIP

If your organization still requires users to change passwords every 90 days and to include special characters, your policy now contradicts current NIST guidelines. Paradoxically, these "strict" requirements made security worse, because users responded with predictable patterns (e.g., "Password1!", "Password2!", "Password3!") that every cracking rule set already covers.
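To make the table concrete, here is an added example (written for this edit, not code from the article or from NIST) of what a verifier-side acceptance check following these rules looks like in Python: a length floor of 15 characters as the sole factor (8 alongside MFA), no composition rules, Unicode counted by code point, a check for the account name and service name, and a breach-list lookup by SHA-1 prefix in the style of the Have I Been Pwned range API that the IT checklist further down recommends. The breach corpus, the 64-character cap, the service name "examplecorp" and the local lookup function are assumptions constructed so the example runs offline; a real deployment would query the live range API with the same 5-character prefix.

```python
"""Verifier-side password acceptance check in the spirit of NIST SP 800-63B Rev 4.

Added example. What is deliberately absent: uppercase/digit/symbol rules and
any expiry. What is present: a length floor, a generous ceiling, Unicode
normalisation, context-word checks and a breach lookup that only ever
exposes a 5-character hash prefix (the HIBP k-anonymity scheme).
"""
import hashlib
import unicodedata

MIN_LEN_SINGLE_FACTOR = 15   # password is the only authenticator
MIN_LEN_WITH_MFA = 8         # password is one factor of MFA
MAX_LEN = 64                 # NIST says accept at least 64; the cap bounds hashing cost
SERVICE_NAME = "examplecorp" # assumption: the service this verifier protects

# Constructed stand-in for a breach corpus (a handful of notorious passwords,
# NOT real HIBP data), indexed the way the range API answers: prefix -> suffixes.
_KNOWN_BREACHED = ["password", "Password1!", "qwertyqwerty", "123456", "P@ssw0rd"]
BREACH_INDEX = {}
for _pw in _KNOWN_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def normalize(password):
    """NFKC-normalise so the same visible string always hashes the same way."""
    return unicodedata.normalize("NFKC", password)


def breached_suffixes(prefix):
    """Local stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Only the first 5 hex characters of the SHA-1 leave the verifier; the
    suffix comparison happens here, so the full hash is never disclosed."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password):
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def check_password(password, username=None, with_mfa=False):
    """Return the reasons a password is rejected; an empty list means accepted."""
    pw = normalize(password)
    min_len = MIN_LEN_WITH_MFA if with_mfa else MIN_LEN_SINGLE_FACTOR
    problems = []
    n = len(pw)  # counts code points, so an accented letter or emoji is one character
    if n < min_len:
        problems.append(f"too short: {n} < {min_len} characters")
    if n > MAX_LEN:
        problems.append(f"too long: {n} > {MAX_LEN} characters")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        problems.append("contains the account name")
    if SERVICE_NAME in lowered:
        problems.append(f"contains context word {SERVICE_NAME!r}")
    if is_breached(pw):
        problems.append("appears in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "k.graj-examplecorp-2025"]:
        print(repr(candidate), "->", check_password(candidate, username="k.graj") or "accepted")
```

Note that "Password1!" fails on two counts at once (too short as a sole factor, present in the breach corpus) while a four-word passphrase with no digits or symbols passes, which is exactly the inversion the new revision asks for.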

Why length wins over complexity

The physics of password cracking is unforgiving. Recent cracking benchmarks put an 8-character numeric password at roughly 3 hours on a single NVIDIA RTX 5090, a card that costs approximately $2,000; twelve such cards working in parallel do it in 15 minutes. Figures like these only hold when the password is protected by a slow hash: 8 digits give just 10^8 candidates, and against an unsalted fast hash such as MD5 the same card exhausts that space in well under a second.

But the math works the other way too. Each additional character multiplies the search space by the size of the character set, so exhaustive cracking time grows exponentially with length:

Password | Length | Cracking time (MD5, RTX 5090, exhaustive search)
123456 | 6 characters | < 1 second
qwerty | 6 characters | < 1 second
P@ssw0rd | 8 characters | several hours
qwertyqwerty | 12 characters | weeks
qwertyqwertyqwerty | 18 characters | centuries
Random 4-word sentence | ~25 characters | millions of years

The times are for exhaustive search. Patterns like "P@ssw0rd" and repeated "qwerty" sit in every standard wordlist and rule set, so in practice they fall in seconds regardless of length; only a genuinely random passphrase earns the time in the last row.

The hashing algorithm also matters. Bcrypt with cost 10 extends the cracking time of an 8-character alphanumeric password to approximately 17,000 years even on an RTX 5090, because the attacker must pay the same per-guess cost as the server. This is why OWASP and NIST recommend salted, deliberately slow password hashing on the server side (Argon2id, scrypt, bcrypt or PBKDF2 with a high work factor) rather than a general-purpose hash.
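The following added example (not code from the article or from OWASP) shows the server-side difference in practice using only the Python standard library: a legacy record stored as unsalted MD5 beside the same password stored with PBKDF2-HMAC-SHA256, a per-user random salt and 600,000 iterations (the OWASP floor for that KDF), constant-time comparison, and the "upgrade on next login" pattern for migrating old records once the plaintext is briefly available. The record format, the scheme labels and the 16-byte salt length are assumptions for the example; Argon2id or scrypt are preferable where the platform provides them.

```python
"""Salted slow-KDF password storage with migration from unsalted MD5 (added example)."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # OWASP floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16              # assumption for the example


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>.
    The salt is random per user, so identical passwords yield different records
    and precomputed tables are useless."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def legacy_md5(password: str) -> str:
    """What the weak 'old' system stored: unsalted, fast, GPU-friendly."""
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.
    Returns (ok, new_record). new_record is set when the stored record used a
    weaker scheme or a lower work factor and should replace it in the database
    now, while the plaintext is in hand."""
    scheme, _, rest = record.partition("$")
    pw = password.encode("utf-8")
    if scheme == "md5":
        ok = hmac.compare_digest(hashlib.md5(pw).hexdigest(), rest)
        return ok, (hash_password(password) if ok else None)
    if scheme == "pbkdf2_sha256":
        iters_s, salt_hex, dk_hex = rest.split("$")
        iters = int(iters_s)
        dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), iters)
        ok = hmac.compare_digest(dk.hex(), dk_hex)  # constant-time, no early exit
        upgrade = hash_password(password) if ok and iters < PBKDF2_ITERATIONS else None
        return ok, upgrade
    raise ValueError(f"unknown scheme {scheme!r}")


def slowdown_factor(password: str = "P@ssw0rd", samples: int = 2000) -> float:
    """Rough per-guess cost of PBKDF2 relative to MD5 on this CPU.
    GPU absolute numbers differ, but the ratio is what the attacker pays."""
    pw = password.encode("utf-8")
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(pw).digest()
    md5_per_guess = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, os.urandom(SALT_BYTES), PBKDF2_ITERATIONS)
    pbkdf2_per_guess = time.perf_counter() - t0
    return pbkdf2_per_guess / md5_per_guess


if __name__ == "__main__":
    old = legacy_md5("P@ssw0rd")
    ok, upgraded = verify_password("P@ssw0rd", old)
    print("legacy login ok:", ok, "-> migrated record:", upgraded[:40] + "...")
    print(f"PBKDF2 costs ~{slowdown_factor():,.0f}x more per guess than MD5 here")
```

The migration step is the part teams most often skip: as long as the MD5 column survives, a database dump is still cheap to crack, so every successful login against a legacy record should rewrite it with the slow scheme.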

Passwords in OT environments - the default credentials problem

In IT environments, we can enforce password policies, deploy MFA, and monitor logins. In OT environments, the situation is far more challenging.

Why OT is a different world

Many PLC controllers, HMI panels, and network devices in industrial environments:

  • Do not support complex passwords - some manufacturers limit passwords to 4-8 digits
  • Use shared accounts - one “operator” login for the entire shift team
  • Do not log login attempts - no ability to detect brute force
  • Run on protocols without authentication - Modbus RTU, for example, has no authentication mechanism whatsoever (more on this in our Modbus protocol analysis)

The Unitronics case - anatomy of an attack

In November 2023, CISA issued an urgent advisory AA23-335A regarding attacks on Unitronics Vision Series controllers. The attack progression:

  1. Scanning TCP port 20256 (PCOM/TCP port associated with Unitronics)
  2. Identifying PLC/HMI devices accessible from the internet
  3. Logging in with the default password “1111”
  4. Changing HMI settings, disabling alarms, restarting devices
  5. Displaying a political message on HMI panels
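Step 1 of that chain leaves a footprint even on devices that keep no logs of their own, which is the point of the network-level monitoring item in the OT checklist below. The following added example (not code from the article or from CISA) scans a reduced-column, Zeek-like connection log for sessions from non-internal sources to known OT service ports and reports, per source, how many controllers were touched and whether any session completed. The log excerpt, the column layout, the port table and the "three or more targets means a scan" threshold are assumptions constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet addresses.

```python
"""Detect internet-exposed OT services from perimeter connection logs (added example)."""
import ipaddress
from collections import Counter, defaultdict

# OT service ports worth alerting on at the OT boundary (assumption: your list will differ).
OT_PORTS = {
    20256: "Unitronics PCOM/TCP",
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    102: "Siemens S7comm (ISO-TSAP)",
    4840: "OPC UA",
}

# Everything outside these blocks is treated as internet-facing. The ipaddress
# module's is_global would also reject the documentation ranges used below, so
# the check is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log (tab-separated), not Zeek's full schema:
# ts  uid  src_ip  src_port  dst_ip  dst_port  proto  service  conn_state
# conn_state S0 = SYN with no reply; SF = session established and closed normally.
SAMPLE_CONN_LOG = """\
1700784000.10\tC1a\t203.0.113.45\t51234\t192.168.10.5\t20256\ttcp\t-\tS0
1700784000.20\tC1b\t203.0.113.45\t51235\t192.168.10.6\t20256\ttcp\t-\tS0
1700784001.00\tC1c\t203.0.113.45\t51236\t192.168.10.7\t20256\ttcp\t-\tSF
1700784002.00\tC2a\t192.168.10.20\t40000\t192.168.10.7\t20256\ttcp\t-\tSF
1700784003.00\tC3a\t198.51.100.9\t60001\t192.168.10.7\t502\ttcp\t-\tSF
1700784004.00\tC4a\t203.0.113.45\t51237\t192.168.10.9\t443\ttcp\tssl\tSF
"""


def parse_conn_line(line):
    f = line.rstrip("\n").split("\t")
    return {"ts": float(f[0]), "uid": f[1], "src": f[2], "dst": f[4],
            "dport": int(f[5]), "proto": f[6], "state": f[8]}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_ot_sessions(log_text, scan_threshold=3):
    """Return one alert per external source that reached an OT port.
    A source touching >= scan_threshold distinct controllers is reported as a
    scan; a completed (SF) session means the device actually answered."""
    by_src = defaultdict(lambda: {"targets": set(), "ports": Counter(), "completed": 0})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["dport"] not in OT_PORTS or not is_external(rec["src"]):
            continue  # internal traffic and non-OT ports (e.g. 443) are out of scope here
        s = by_src[rec["src"]]
        s["targets"].add(rec["dst"])
        s["ports"][rec["dport"]] += 1
        if rec["state"] == "SF":
            s["completed"] += 1
    alerts = []
    for src, s in by_src.items():
        alerts.append({
            "src": src,
            "targets": sorted(s["targets"]),
            "services": sorted(OT_PORTS[p] for p in s["ports"]),
            "completed_sessions": s["completed"],
            "verdict": "scan" if len(s["targets"]) >= scan_threshold else "exposed_access",
        })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in find_exposed_ot_sessions(SAMPLE_CONN_LOG):
        print(alert)
```

On the sample, 203.0.113.45 sweeps three controllers on 20256 and gets one completed session, which is the pattern the CISA advisory describes; 198.51.100.9 reaching a single Modbus/TCP listener is just as serious, because the protocol on the other end has no authentication at all. Either alert should trigger the same response: find out why the device is reachable from outside and close that path.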

This case is strikingly similar to the February 2021 Oldsmar, Florida incident, where an attacker used remote access via TeamViewer with a shared password to attempt to change the sodium hydroxide concentration in a water treatment system.

WARNING

CISA confirms that hacktivist groups actively scan the internet for OT devices with default or weak passwords. If your controllers are accessible from the external network, it is not a question of “if” but “when” someone will try to log in.

Passkeys and FIDO2 - a passwordless future

Passkeys are cryptographic credentials based on the FIDO2/WebAuthn standard that replace passwords with a public/private key pair. The private key never leaves the device; at login the server sends a challenge, the device unlocks the key with biometrics (fingerprint, Face ID) or a device PIN and returns a signature, and the server verifies it with the stored public key. No reusable secret ever crosses the network, so there is nothing to phish or stuff.

Adoption in numbers (FIDO Alliance Passkey Index 2025)

  • 69% of consumers have at least one passkey (up from 39% two years earlier)
  • 87% of organizations have deployed or are deploying passkeys in an enterprise environment
  • 48% of the top 100 websites offer passkeys as a login method
  • 90% of organizations report moderate to strong security improvement after deployment
  • 77% of organizations noted a decrease in help desk tickets

NIST SP 800-63B Rev 4 officially accepts syncable passkeys at AAL2 and device-bound passkeys (keys held non-exportably in hardware) at AAL3, meaning they can be used even in environments with elevated security requirements.

NOTE

Passkeys do not solve the OT problem. A PLC controller installed 15 years ago does not support WebAuthn. In industrial environments, what remains critical is: network segmentation, access monitoring, and elimination of default credentials - even if the “password” is four digits on an HMI panel.

How to effectively protect passwords - practical checklist

For individual users

  • Use a password manager (e.g., Bitwarden, 1Password, KeePassXC)
  • Enable MFA on all accounts - priority: email and banking
  • Check your data at Have I Been Pwned
  • Switch to passkeys where possible (Google, Microsoft, Apple)
  • Use unique passwords - minimum 15 characters or phrases consisting of 4+ random words
  • Never use the same password for more than one service

For IT organizations

  • Implement a password policy compliant with NIST 800-63B Rev 4 (minimum 15 characters, no complexity enforcement)
  • Eliminate periodic password changes - replace with breach database monitoring
  • Deploy phishing-resistant MFA (FIDO2/passkeys) for access to critical systems
  • Integrate password checking with breach databases (e.g., Have I Been Pwned API)
  • Conduct regular penetration tests including password attacks
  • Implement credential stuffing monitoring on SSO systems

For OT environments

  • Inventory all default passwords on PLC controllers, HMIs, industrial switches, and routers
  • Change every default password to a unique one, as complex as device limitations allow
  • Disconnect OT devices from direct internet access
  • Implement network segmentation with zones and conduits in accordance with IEC 62443
  • Use jump hosts with MFA for remote access to OT systems
  • Log and monitor all access attempts to devices - even if the device does not support native logging, network traffic can be monitored at the network level

Credential stuffing - the most common password attack in 2025

Credential stuffing is the automated use of login-password pairs from breaches in other services. Attackers assume that users reuse the same passwords across multiple sites - and they are often right.

The Verizon DBIR 2025 analysis of SSO provider logs showed that a median of 19% of all authentication attempts are credential stuffing attempts. At the same time, only 49% of user passwords were unique across different services.

Defense against credential stuffing requires a multi-layered approach:

  1. Unique passwords - a password manager is the only realistic solution when managing dozens of accounts
  2. MFA - even if the password is stolen, a second factor blocks the attack
  3. Anomaly monitoring - unusual locations, devices, login times
  4. Rate limiting - restricting the number of login attempts from a single IP/session
  5. Checking passwords against breach lists - at registration and login
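Items 3 and 4 of that list are the ones that can be expressed as code, so here is an added example (not from the article or from the DBIR) in Python. Stuffing looks different from a brute-force on one account: a single source tries many distinct usernames, each once or twice, with a low success rate. detect_stuffing() scores a constructed auth-event stream on exactly those features, and SlidingWindowLimiter applies the per-source rate limit, keyed on the username as well as the IP because stuffing campaigns rotate through proxies. The event format, the 5-accounts-in-5-minutes threshold and the limiter settings are assumptions for the example.

```python
"""Credential-stuffing detection and sliding-window rate limiting (added example)."""
from collections import Counter, defaultdict, deque

# Constructed auth events: (unix_ts, src_ip, username, success).
# 203.0.113.7 plays through a breach list; 198.51.100.3 is a user mistyping twice.
AUTH_EVENTS = [
    (1700000000, "203.0.113.7", "alice", False),
    (1700000001, "203.0.113.7", "bob", False),
    (1700000002, "203.0.113.7", "carol", False),
    (1700000003, "203.0.113.7", "dave", True),   # a reused password landed
    (1700000004, "203.0.113.7", "erin", False),
    (1700000005, "203.0.113.7", "frank", False),
    (1700000010, "198.51.100.3", "alice", False),
    (1700000040, "198.51.100.3", "alice", False),
    (1700000070, "198.51.100.3", "alice", True),
    (1700000100, "192.0.2.8", "grace", True),
]


def detect_stuffing(events, window=300, min_accounts=5, max_success_rate=0.5):
    """Flag sources that try >= min_accounts distinct usernames within `window`
    seconds with a success rate at or below max_success_rate. Reports the
    widest window seen per source plus the accounts that actually logged in,
    which are the ones to force a reset on."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    findings = []
    for src, evs in by_src.items():
        evs.sort()
        in_window = deque()   # events inside the current window
        users = Counter()     # username -> attempts inside the window
        successes = 0
        best = None
        for ts, user, ok in evs:
            in_window.append((ts, user, ok))
            users[user] += 1
            successes += int(ok)
            while in_window[0][0] < ts - window:  # expire old events
                _, old_user, old_ok = in_window.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                successes -= int(old_ok)
            distinct = len(users)
            rate = successes / len(in_window)
            if distinct >= min_accounts and rate <= max_success_rate:
                if best is None or distinct > best["distinct_accounts"]:
                    best = {
                        "src": src,
                        "distinct_accounts": distinct,
                        "attempts": len(in_window),
                        "success_rate": round(rate, 2),
                        "compromised": sorted({u for _, u, o in in_window if o}),
                    }
        if best:
            findings.append(best)
    return findings


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key in any `window`-second span."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def apply_limits(events, limit=5, window=60):
    """Run the stream through per-IP and per-username limiters and return
    (src, user, allowed) decisions. Both limiters are always consulted so each
    attempt is recorded against both keys."""
    by_ip = SlidingWindowLimiter(limit, window)
    by_user = SlidingWindowLimiter(limit, window)
    decisions = []
    for ts, src, user, _ in events:
        ip_ok = by_ip.allow(src, ts)
        user_ok = by_user.allow(user, ts)
        decisions.append((src, user, ip_ok and user_ok))
    return decisions


if __name__ == "__main__":
    for finding in detect_stuffing(AUTH_EVENTS):
        print("stuffing:", finding)
    print("blocked:", [(s, u) for s, u, ok in apply_limits(AUTH_EVENTS) if not ok])
```

Note what the limiter alone does not catch: the first five guesses from 203.0.113.7 go through, and one of them succeeds. Rate limiting buys time; the detector's "compromised" list is what tells you which account needs a forced reset and an MFA challenge.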

Summary

Password security is not a technology problem - it is a habits problem. NIST SP 800-63B Rev 4 officially confirms what experts have been saying for years: length wins over complexity, periodic password changes are harmful, and the future belongs to passwordless authentication.

In IT environments, the transition to passkeys and MFA is realistic today. In OT environments, the road is longer - but it starts with the basics: inventory of default passwords, network segmentation, and access monitoring.

One thing is certain: “1111” on a PLC controller connected to the internet is not a password. It is an invitation.

