Verizon 2025 DBIR: Credential Attacks Still Dominate – A Nok Nok Perspective

The Verizon 2025 Data Breach Investigations Report (DBIR) paints a clear, urgent, and yet familiar picture: password-related attacks remain the number one threat to organizations worldwide. As a leader in passwordless authentication, here at Nok Nok, we see the findings as both a wake-up call and a validation of our mission to move everyone beyond passwords.

Key Findings: Passwords and Credential Abuse Remain Top Risks

The report highlights several critical points regarding the persistence of credential-based attacks:

• Stolen Credentials Are the Primary Entry Point: Credential abuse was the initial vector in 22% of breaches globally, making it the single most common way attackers get in. Attackers aren’t hacking their way in-they’re logging in through the front door using stolen, guessed, or leaked passwords.
• Web Application Attacks Rely on Credentials: A staggering 88% of basic web application attacks involved stolen credentials. This highlights how password reuse and weak password policies continue to undermine security.
• Phishing and Social Engineering Fuel Credential Theft: Phishing accounted for nearly 25% of breaches, and social engineering remains a top tactic for stealing login information. The median time for a user to click a phishing link was just 21 minutes-far faster than most organizations can detect and respond. Yikes!
• Infostealers Target Devices and Credentials: 30% of infostealer-compromised systems were enterprise-managed, but 46% were unmanaged, often personal devices used for work (BYOD). This exposes organizations to credential theft outside their direct control.
• Ransomware and Credentials: Ransomware was present in 44% of breaches, and infostealer logs containing corporate credentials were found in over half of ransomware victims. Credentials are often the first step to a much larger compromise.

Other Notable Trends from the 2025 DBIR

Beyond credential attacks, the DBIR also highlights other significant trends:

• Exploitation of Vulnerabilities: Exploits targeting unpatched edge devices (like VPNs and firewalls) surged by 34%, now accounting for 20% of breaches. Attackers are increasingly automating the exploitation of known and zero-day vulnerabilities.
• Third-Party Breaches: The share of breaches involving third parties doubled to 30%, highlighting the risks in supply chains and partner ecosystems.
• Human Error: Human involvement remains a factor in 60% of breaches, reinforcing the need for user training and better security design.
• Remediation Gaps: Only 54% of vulnerable edge devices were patched, with a median fix time of 32 days-leaving a wide window for attackers.

Why Passwords Remain the Weak Link

The DBIR’s findings confirm what we at Nok Nok have long argued: passwords are fundamentally flawed as a security mechanism. Attackers exploit them because:

• They are easily stolen via phishing, malware, or leaks.
• Users often reuse passwords, at work and at home, across multiple sites.
• Passwords can be guessed, brute-forced, or found in breached databases.
• Device and BYOD risks mean credentials can be compromised outside IT’s visibility.

As the report states, “Credential theft continues to be the key to the kingdom in the majority of breaches. And it’s not slowing down”.

The Path Forward: Passwordless Authentication

For organizations looking to break the cycle, the DBIR offers a clear mandate: move beyond passwords. Here’s how Nok Nok recommends responding:

• Adopt Passwordless, Phishing-Resistant Authentication: FIDO-based authentication(aka passkeys) eliminate the risks of credential theft, phishing, and reuse by removing passwords from the equation.
• Enforce Strong Access Controls for Devices: Ensure only managed, secure devices can access sensitive systems-especially in BYOD environments.
• Accelerate Patch Management: Reduce the window for vulnerability exploitation by patching edge devices and VPNs rapidly.
• Invest in User Training and Real-Time Detection: While technology is critical, user awareness and rapid response to phishing remain essential.

Conclusion: The Time to Act Is Now

The 2025 Verizon DBIR makes it clear: attackers are evolving, but they still rely on the same old trick – stealing passwords. Why? Because it’s the least path of resistance. Why spend time hacking when you can just log in instead? As long as organizations depend on passwords, breaches will continue. At Nok Nok, we believe the solution is simple: eliminate passwords, embrace modern authentication, and close the door on credential-based attacks for good. This gets us out of the arms-race and leap-frogs credential based attacks. If you’re attending Kuppinger Cole EIC 2025, our very own Rolf Lindemann, Vice President, Products, will be speaking to this very topic!  

The future of security is passwordless. Let’s make 2025 the year we finally leave passwords behind.

Another Step Towards a Passwordless Future

Microsoft’s announcement that it will be replacing passwords with passkeys for over a billion users by 2025 is huge news for the entire digital security landscape. At Nok Nok, we’re not just excited – we see this as the right approach, and another step on the long-overdue journey toward a passwordless future.

Why Microsoft’s Move Matters
Microsoft’s decision to make passkeys the default sign-in method across its platforms (including Outlook, Xbox, and Microsoft 365) is a powerful endorsement of passwordless authentication.

Here’s why we think it’s so important:

Reach: Microsoft can bring passwordless authentication to a massive audience. Educating their users about the benefits and ease of use of passkeys will accelerate adoption across the board.

Security: Passkeys, built on FIDO standards, offer significantly stronger security than passwords. They are resistant to phishing, keylogging, social engineering, and other common attacks that passwords are vulnerable to. With cyberattacks targeting login credentials on the rise, this enhanced security is purpose-built to meet security needs.

User Experience: Microsoft is focusing on a streamlined sign-up and sign-in process, making passkeys easy to adopt and use. By making the user experience simple and intuitive, they are removing a major barrier to adoption.

Another Nail in the Password Coffin
For years, passwords have been the weakest link in online security. They are hard to remember, easy to guess, and constantly targeted by attackers. The industry has known this for a long time, and we’ve been working towards a better solution. Microsoft’s move is another big step in getting rid of passwords once and for all, leading us closer to a more secure online world.

What This Means for the Industry
Microsoft’s commitment to passkeys will likely have a ripple effect across the industry. As more and more users experience the benefits of passwordless authentication, other companies will be compelled to follow suit. This increased adoption will drive further innovation and standardization in the passkey space, making it easier for everyone to implement and use passwordless solutions.

Why We’re Thrilled Here at Nok Nok
We here at Nok Nok have been a pioneer in passwordless authentication, and we’re excited to see a tech giant like Microsoft championing passkeys. We know that passkeys are the future of authentication. Microsoft’s initiative validates our vision and demonstrates the growing momentum behind passwordless technology. We have been building and deploying FIDO-based passwordless solutions for over a decade and our FIDO-certified solutions are deployed at internet scale to hundreds of millions of global end users. We are ready to support businesses in implementing passkeys and are excited about helping make the internet safer for everyone!