How Hackers Exploit Weak Passwords & What Your Business Should Do About It


In today’s fast-paced digital world, passwords are still the most common way we log in to systems, but they’re also one of the biggest security weak spots. According to Verizon’s 2023 Data Breach Investigations Report, around 86% of breaches involved the use of stolen credentials or other forms of identity compromise, highlighting just how often attackers target passwords to gain access.

Through our work helping clients respond to cyber incidents across a range of industries, we’ve seen time and again how just one compromised password can lead to serious consequences. From financial loss and data breaches to damage to a company’s reputation, weak or stolen credentials are still one of the most common ways attackers get in. In this article, we’ll explain how cybercriminals take advantage of poor password practices, walk through a real-world example, and share practical steps your business can take to stay protected using the latest, top-tier cybersecurity tools and strategies.

The Real Cost of Weak Passwords

You might think, “We’ve never been hacked, we’re probably safe.” But here’s the hard truth: most breaches don’t make headlines, and the majority of businesses don’t even realise they’ve been compromised until the damage is done.

According to the Australian Cyber Security Centre (ACSC), compromised credentials are among the top attack vectors hackers use against Australian businesses. Weak passwords can lead to:

• Identity theft

• Ransomware attacks

• Data leaks

• Financial fraud

• Compliance violations (especially under the Privacy Act & Essential Eight framework)

How Hackers Exploit Weak Passwords

In today’s environment, filled with VPNs, remote work and Zoom calls, cybercriminals don’t need to be inside your network physically; they just need valid credentials. Here are some of the ways they get them and the impact they can cause:

1. Credential Stuffing (Automated Reuse of Leaked Logins)

This technique uses bots to test large volumes of leaked username/password combinations from previous data breaches on different websites and systems. Since many people reuse passwords across multiple platforms, attackers can often gain access quickly. In 2024, Australia reported 12,000 data leaks that exposed username and password pairs. This represents a significant increase of 30% compared to the previous year. Most breaches originated from popular online shopping sites, social media platforms, and entertainment websites that attract millions of Aussies every day. Recent surveys reveal that more than 60% of Australians admit they reuse their work email and password when signing up for these services.

This common habit creates an ideal opportunity for cybercriminals. Attackers often scan these leaked credentials to find valid logins for corporate networks. With just one successful login, they may access sensitive data, disrupt business operations, or even launch further attacks within an organisation.

As our digital lives become increasingly interconnected, one message stands out. Creating unique passwords for each service is not just good practice. It is essential protection for both individuals and businesses across the country.

Tools commonly used:

• Sentry MBA

• Snipr

• OpenBullet

Targets:

Attackers often use these credentials to gain entry into your VPN portals, remote access gateways, email servers, and web applications, which can result in unauthorised access to critical systems and the sensitive information they contain.

2. Brute Force Attacks

Brute force attacks involve cybercriminals systematically attempting every possible password and username combination in an effort to gain access to an account. With automated tools, attackers can try thousands of combinations per minute, or even more, depending on the speed of their hardware and the defences in place. This approach becomes particularly effective when accounts use short or simple passwords, lack account lockout thresholds, or do not implement login throttling or CAPTCHA to slow down repeated attempts.

The effectiveness of brute force attacks highlights the importance of strong password complexity. For example, a simple six-character lowercase password can often be cracked in seconds, while a complex twelve-character password that includes numbers and symbols may take years or even centuries to break. The relationship between password complexity and the time needed to breach an account can be seen in the graph below, which demonstrates how quickly weak passwords fall to brute force methods compared to their stronger counterparts.

This illustrates why enforcing strong password policies and protective measures is essential for safeguarding your systems against brute force attacks.

Modern brute force tools:

• Hydra

• Medusa

• Burp Suite Intruder (custom scripts)

3. Dictionary Attacks

A refined version of brute force, dictionary attacks use precompiled lists of commonly used passwords, variations, and cultural references (for example, Melbourne2024!, admin123, Welcome@Work).

How it works:

• Tools use curated password lists such as RockYou.txt and SecLists.

• Attackers combine dictionary terms with common suffixes or substitutions.

• Passwords are tested rapidly against login portals.

Dictionary attacks have become increasingly sophisticated, with attackers using automated tools to scrape web applications and public websites for information related to the target. This can include company names, project titles, or even internal code names, which are then added to custom password lists for a more targeted approach. In some cases, attackers may scour social media platforms like Facebook for personal details such as children’s names, pet names, or significant dates, using these to construct password guesses that are highly relevant to the individual or organisation.

This targeted method greatly increases the chance of success, especially when users create passwords based on personal or work-related information that can be easily discovered online.

4. Phishing & Social Engineering

Phishing is a common and highly effective cyberattack method where attackers attempt to deceive employees into revealing sensitive information, such as passwords, by posing as trusted contacts or organisations. This is often accomplished through fake emails, fraudulent login pages, urgent texts, or even phone calls designed to create a sense of urgency or authority. Once a user enters their credentials into a spoofed site or responds to a deceptive message, their login details are instantly sent to the attacker, who can then access corporate systems and sensitive data.

Phishing remains one of the leading causes of data breaches worldwide. According to the Australian Cyber Security Centre, a significant portion of reported cyber incidents involve phishing, and global studies estimate that over 80% of security breaches begin with a phishing attack. Attackers employ a variety of techniques, including email impersonation (such as CEO fraud), fake Office 365 or bank login pages, SMS phishing (known as smishing), and voice phishing (vishing). Social engineering tactics frequently involve gathering information from publicly available sources like LinkedIn or company websites to make attacks more convincing. The effectiveness of phishing highlights the importance of ongoing staff awareness training and the need for robust technical controls to detect and block these attempts before they reach users.

5. Keyloggers & Malware

Keyloggers are a type of malicious software designed to covertly record every keystroke made on a compromised device, including passwords and other sensitive information. Once installed, often without the user’s knowledge, these tools silently capture login details and transmit them directly to the attacker, putting both personal and corporate data at risk.

Malware, including keyloggers, can be delivered through a variety of methods. Common infection vectors include malicious email attachments, compromised USB drives, and drive-by downloads from unsafe or hacked websites. In some cases, simply visiting a compromised web page is enough to trigger a silent malware download. Once a device is infected, attackers can harvest credentials, monitor activity, and potentially gain further access to connected systems. This underscores the importance of maintaining up-to-date antivirus protection, being cautious with email attachments and external devices, and ensuring all software remains patched against known vulnerabilities.

6. Password Spraying

Password spraying is a technique where attackers try a small number of common passwords across a large list of usernames, rather than targeting a single account with many guesses. This approach is stealthier than traditional brute force attacks and helps attackers avoid triggering account lockouts or detection systems. Typical passwords used in these attacks include options like "Spring2024!", "Welcome1", or "CompanyName123".

As with brute force attacks, cybercriminals leverage significant computing power and automated tools, allowing them to test thousands of usernames against these common passwords in just a few minutes. Because password spraying targets many accounts with only a handful of widely used credentials, even organisations with strict lockout policies are at risk if users rely on predictable passwords. This highlights the need for strong, unique passwords across all accounts and the importance of monitoring for unusual login patterns across your environments.
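The "unusual login patterns" mentioned above are easy to describe but worth seeing as concrete detection logic. The following is an added example (not code from the article or from SpartansSec) that runs over a few constructed authentication-log lines in a simple "timestamp source_ip username result" format, which is an assumption about the log layout. It separates the two patterns described in the brute force and password spraying sections: one source failing against many distinct accounts (spraying, and credential stuffing looks the same from this angle) versus one source failing many times against a single account (brute force), and then raises the highest-value alert, a successful login from a source that was just seen spraying.

```python
"""Detect password spraying vs. brute force in authentication logs.

Added example, not from the original article. The log format below is an
assumption; adapt parse_log() to your VPN, IdP or AD event source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays six accounts then succeeds on 'grace',
# a second IP hammers 'alice' six times, a third is a normal user mistyping once.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:02 203.0.113.7 bob FAIL
2024-05-01T09:00:03 203.0.113.7 carol FAIL
2024-05-01T09:00:04 203.0.113.7 dave FAIL
2024-05-01T09:00:05 203.0.113.7 erin FAIL
2024-05-01T09:00:06 203.0.113.7 frank FAIL
2024-05-01T09:00:07 203.0.113.7 grace SUCCESS
2024-05-01T09:01:00 198.51.100.9 alice FAIL
2024-05-01T09:01:01 198.51.100.9 alice FAIL
2024-05-01T09:01:02 198.51.100.9 alice FAIL
2024-05-01T09:01:03 198.51.100.9 alice FAIL
2024-05-01T09:01:04 198.51.100.9 alice FAIL
2024-05-01T09:01:05 198.51.100.9 alice FAIL
2024-05-01T09:30:00 192.0.2.44 bob FAIL
2024-05-01T09:30:20 192.0.2.44 bob SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Parse log text into (timestamp, ip, user, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let a malformed line take the detector down
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return (sprays, brute, suspicious_success).

    sprays: {ip: set(users)} - one source failed against >= spray_users distinct
            accounts within `window` (few guesses, many accounts).
    brute:  {(ip, user): max_failures} - one source failed >= brute_attempts
            times against the same account within `window`.
    suspicious_success: [(ip, user)] - successful logins from a flagged source,
            i.e. the account that most likely just got compromised.
    """
    fails_by_ip = defaultdict(list)
    successes = []
    for ts, ip, user, result in sorted(events):
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
        else:
            successes.append((ts, ip, user))

    sprays, brute = {}, {}
    for ip, fails in fails_by_ip.items():
        # Slide a window starting at each failure; small logs make O(n^2) fine.
        for i, (start, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - start <= window]
            distinct = set(in_window)
            if len(distinct) >= spray_users:
                sprays.setdefault(ip, set()).update(distinct)
            for u in distinct:
                n = in_window.count(u)
                if n >= brute_attempts:
                    brute[(ip, u)] = max(n, brute.get((ip, u), 0))

    flagged_ips = set(sprays) | {ip for ip, _ in brute}
    suspicious_success = [(ip, user) for _, ip, user in successes if ip in flagged_ips]
    return sprays, brute, suspicious_success


if __name__ == "__main__":
    sprays, brute, sus = detect(parse_log(SAMPLE_LOG))
    for ip, users in sprays.items():
        print(f"SPRAY   {ip} -> {len(users)} accounts: {sorted(users)}")
    for (ip, user), n in brute.items():
        print(f"BRUTE   {ip} -> {user} ({n} failures)")
    for ip, user in sus:
        print(f"ALERT   success for {user} from flagged source {ip}; reset + revoke sessions")
```

The thresholds (five accounts or five attempts in ten minutes) are starting points, not tuned values; a real deployment keys on the source IP plus user agent or device ID, because sprayers rotate addresses, and feeds the `suspicious_success` list straight into a password reset and session revocation workflow rather than a dashboard.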

Case Study: How One Weak Password Led to a $9.5 Million Ransom

In 2022, a midsized Australian engineering company found itself in the headlines for all the wrong reasons. The culprit? Not a sophisticated zero-day exploit, but a single reused, weak password that gave cybercriminals the keys to the kingdom and left the business facing a multi-million-dollar ransom.

The Attack in Detail

1. Initial Access: Everything started when attackers uncovered an employee’s credentials on a dark web breach database. Unfortunately, the staff member had used the same simple password for their work VPN as they had for other online accounts, including social media, e-commerce sites, and entertainment blogs. This risky habit gave the attackers an easy way in, and they quickly took advantage.

2. No MFA Enabled: To make matters worse, the company’s VPN was not set up with multi-factor authentication. With just a username and password, the attackers were able to access the company’s internal network without any extra security checks or alerts.

3. Lateral Movement: Once inside, the hackers moved quickly. They used well-known tools like Mimikatz to collect admin credentials from memory, then hopped between systems, quietly increasing their privileges and exploring the network. Sensitive shared drives and important company information were soon under their control.

4. Payload Deployment: Within 48 hours of the initial breach, the attackers deployed a REvil ransomware variant. Suddenly, every major server, backup, and computer across the business was locked up, encrypted, and completely out of reach.

5. Ransom Note: Finally came the demand. The attackers asked for nine and a half million dollars in cryptocurrency. The message was clear. Pay up or risk losing access to your data forever and face the public release of stolen customer and project information.

The Lesson

This was not a high-tech Hollywood hack. It was a preventable incident caused by poor password habits and a lack of basic security controls. For Australian organisations, it is a wake-up call. One weak password really can bring an entire company to a standstill. Make sure yours is not the one that lets attackers in.

The Fallout:

• The business was unable to operate for almost three weeks

• Three major clients walked away

• Incident response costs climbed over $600,000

• Forensic investigators confirmed the breach started with one user’s simple password. This was the result of password reuse, poor password management, and no multi-factor authentication in place

What Your Business Can Do to Stay Protected

While password-related attacks are among the most common cyber threats, the good news is that they’re also among the most preventable. Protecting your business starts with a layered approach, one that combines technology, policy, and people.

Here’s how you can build a defence that holds strong against real-world threats.

1. Enforce Multi-Factor Authentication (MFA) Across the Board

One of the most effective ways to stop credential-based attacks is to implement multi-factor authentication (MFA). When properly configured, MFA adds a critical second layer of security such as a code sent to a mobile device, a fingerprint scan, or a hardware token.

This must be rolled out across:

• All remote access points (VPNs, RDP, etc.)

• Cloud services and email platforms (e.g. Microsoft 365, Google Workspace)

• Internal administrative tools and dashboards

Most importantly, MFA should be mandatory for executives, IT administrators, and users with elevated privileges, as these accounts are prime targets for attackers and must be protected with the strongest access controls.

Recommended solutions: To protect against these types of attacks, it is essential to put strong security measures in place. Multi-factor authentication (MFA) should be enabled for all remote access and critical systems. Solutions like Microsoft Authenticator, Duo Security, Authy, and hardware tokens such as YubiKey can provide an extra layer of protection, making it much harder for attackers to access accounts even if passwords are compromised.

In addition to MFA, organisations should make use of Conditional Access Policies. These policies allow you to control access based on factors such as user location, device health, and risk levels. For example, you can block logins from overseas locations, require extra verification for high-risk activities, or limit access to sensitive data to trusted devices only. By combining MFA with well-designed Conditional Access Policies, businesses can significantly reduce the risk of unauthorised access and better protect their systems and data.

2. Establish and Enforce Strong Password Policies

Weak, reused, or predictable passwords are still one of the biggest threats to business security. Your organisation needs a clear password policy that defines what’s acceptable and what’s not.

A strong policy should include:

• Minimum of 12 characters per password

• A mix of uppercase, lowercase, numbers, and special characters

• Blocking of known breached or common passwords, using services like HaveIBeenPwned

• No password reuse across systems

• Automatic password expiration or rotation every 90–120 days (depending on system sensitivity)

Encourage the use of passphrases where appropriate: long, memorable, and hard to crack. For example: BlueWombat#Surfs@Sunrise.

3. Deploy a Secure Password Manager for the Entire Team

A password manager is one of the simplest ways to eliminate poor password habits across your business. These tools generate, store, and autofill strong, unique passwords so your team doesn’t have to remember them or write them down.

Benefits include:

• Centralised password management and sharing

• Secure vaults for teams and departments

• Audit logs for compliance and monitoring

• Breach alerts if stored passwords are compromised

Top solutions: 1Password Business, Bitwarden Teams, LastPass Enterprise, Keeper Security.

4. Build a Cyber-Aware Culture Through Staff Training

Even with the best tools, your people must know how to use them and how to spot threats. Cybersecurity awareness training is essential to help staff recognise phishing emails, avoid credential theft, and understand the importance of MFA and password hygiene.

Training should be:

• Part of employee onboarding

• Refreshed quarterly (or more in high-risk roles)

• Interactive and scenario-based

• Backed by simulated phishing campaigns to test real-world readiness

Tools like KnowBe4, Ninjio, and Curricula make it easy to deliver engaging, trackable training programs.

5. Regularly Test Your Security with Penetration Testing

Assumptions don’t stop hackers; testing does. Penetration testing helps you find and fix security gaps before attackers can exploit them.

Our offensive security team simulates real-world attacks to identify:

• Weak or reused credentials

• MFA misconfigurations and bypasses

• VPN and RDP exposures

• Privilege escalation paths

• Password spraying and brute force vulnerabilities

Combine this with Red Teaming for a full-spectrum, adversary-style assessment of your digital and physical defences.

Why This Matters More Than Ever

Cybercriminals don’t need to hack your systems; they just need one weak password.

By enforcing strong password practices, deploying MFA, using password managers, educating your staff, and testing your defences, you can dramatically reduce your risk of a data breach or ransomware attack.

These aren’t just IT concerns; they’re business-critical strategies that protect your operations, your customers, and your future.

Let’s Secure Your Business Starting with Passwords

At SpartansSec, we help Australian businesses lock down their environments with:

• Penetration Testing & Red Teaming

• Offensive Security Services

• Cybersecurity Awareness Training

• MFA Deployment & IAM Consulting

• Password Policy Development and much more.

Book your Cyber Risk Consultation today. We’ll assess your current defences and show you how to improve them without the jargon.
