By Amber Buening, Security Outreach Director at Huntington Bank
Key takeaways
- Passwords have long been the cornerstone of digital authentication, but their susceptibility to breaches, phishing attacks, and human error has highlighted their limitations.
- Authentication methods are evolving beyond traditional passwords to enhance security and user convenience.
- Leveraging strong password management practices, embracing biometrics and MFA, and transitioning to passkeys are critical to protecting your organization.
Most of us have been guilty of using the same password to secure multiple accounts. Though the risk of password compromise is well known, it can be a challenge to memorize dozens of complicated, unique credentials – a set of unique identifiers such as a username and password – across multiple accounts.
Unfortunately, threat actors are well aware of this fact, which makes passwords a weak link in an organization’s security approach. According to a 2024 report on data breaches, 31% of breaches in the past 10 years have involved stolen credentials†. Using compromised credentials is a more common data breach strategy than either phishing or exploiting vulnerabilities, making them a core component of infiltrating organizations.
The susceptibility to breaches, phishing attacks, and human error has highlighted the limitations of using passwords for digital authentication. In this article, we’ll discuss evolving authentication methods, password management best practices, and strategies to help protect your organization.
How threat actors steal passwords
Cybercriminals steal accounts, financial information, and sensitive data because they can profit from using or selling this information. Targeting passwords is an easy way to gain access. It’s for this reason that organizations in sectors that deal with sensitive data, such as healthcare or financial services, face higher levels of credential compromise†.
“Passwords are your first line of defense against unauthorized access. If someone in your organization reuses passwords and a cybercriminal compromises one, it could put your entire organization at risk. Protect your data by using unique, strong passwords and enable multi-factor authentication (MFA) whenever possible.”
Todd Piche
Information Security Manager at Huntington Bank
There are several common techniques threat actors use to steal passwords:
- Exploiting human error or gaining their victim’s trust through social engineering.
- Guessing answers to security questions with information shared through social media.
- Identifying passwords that are routinely reused across multiple accounts.
- Using password recovery toolkit (PRTK) software that automatically tries familiar words in password fields, including common character-for-letter substitutions (e.g., p@$$w0rd).
Implementing practices to strengthen passwords and enhancing protections, which we’ll cover in this article, can help combat these tactics. However, transitioning to passkeys as an authentication method – and doing away with passwords altogether – could be the safest strategy.
The rise of passkeys
Passkeys are an alternative authentication method that does not require passwords or usernames. With a passkey, users can log into websites, accounts, and applications using their device’s authentication method to verify identity, such as a PIN or biometric features, including fingerprints and facial recognition. Using a passkey that leverages these more secure and convenient methods of authentication allows users to bypass usernames and passwords entirely.
This form of passwordless authentication is gaining momentum, a move supported by major tech companies, including Apple, Google, and Microsoft. As of early 2025, more than 90% of iOS and Android devices have passkey functionality enabled‡. This availability and adoption signals a significant shift away from traditional passwords to reduce the risk of phishing and credential stuffing attacks.
Organizations should consider transitioning to passkeys to reduce or eliminate the number of credentials employees manage. The risk of relying solely on password authentication is just too high: In 2024, one report found compromised credential attacks accounted for an average of $4.81 million USD per breach§. Transitioning to passkeys can take time; leveraging strong password management practices and embracing MFA in the meantime can further help protect your organization.
Create a strong password policy
Every organization should have set requirements for passwords to ensure they are secure, unique, and complex enough. We recommend following the National Institute of Standards and Technology (NIST) guidelines to inform your policy. All passwords used at your organization should meet the following criteria:
- Long: NIST recommends a minimum length of 15 characters, and that systems accept passwords of at least 64 characters. The longer, the better.
- Unpredictable: Avoid obvious adjacent-key patterns or keyboard movements (e.g., qwerty, fdsf).
- Unique: Never reuse passwords or use the same word or phrase for all accounts.
- Exclusive: No work credentials should be used for any personal accounts.
- Secure: Employees should be instructed not to save passwords in web browsers, applications, shared drives, or network files.
- Checked against “known bad” passwords: New and changed passwords should be checked against a list of common or compromised passwords to reduce risk.
Use these principles to develop or update your organization’s password policy. Be sure to enforce this policy and regularly communicate about it with employees.
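To show how the policy above can be enforced at the point where a password is set or changed, here is an added example (not Huntington’s code) that checks a candidate against the length, pattern, uniqueness and known-bad rules; the thresholds and the breached-password list are constructed for illustration.

```python
"""Password policy check modelled on the NIST-style rules listed above.
Added example, not Huntington's code; the thresholds and the breached-password
list are constructed for illustration."""
import hashlib
import re

MIN_LENGTH = 15          # NIST recommended minimum for password-only accounts
MAX_LENGTH = 64          # verifiers should accept at least this many characters

# Constructed stand-in for a "known bad" list. Only SHA-1 digests are stored,
# the way breached-password corpora are typically distributed, so plaintext
# never sits in the policy service.
_KNOWN_BAD_PLAINTEXT = ["password", "p@$$w0rd", "qwerty123456789", "Summer2024!!!!!"]
KNOWN_BAD = {hashlib.sha1(p.encode()).hexdigest() for p in _KNOWN_BAD_PLAINTEXT}

# Keyboard rows used to detect adjacent-key runs such as qwerty or asdf.
_KEY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters walk a keyboard row in either direction.
    A run of 4 avoids false positives on ordinary words in passphrases (e.g. 'ert')."""
    low = pw.lower()
    for row in _KEY_ROWS:
        for start in range(len(row) - run + 1):
            seq = row[start:start + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(pw: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"too long: {len(pw)} > {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _has_keyboard_run(pw):
        problems.append("contains an adjacent-key pattern (e.g. qwerty)")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("single repeated character")
    if hashlib.sha1(pw.encode()).hexdigest() in KNOWN_BAD:
        problems.append("appears in the known-bad password list")
    return problems


if __name__ == "__main__":
    for candidate in ["p@$$w0rd", "correct horse battery staple", "qwerty123456789!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

In production the known-bad lookup would query a full breached-password corpus rather than the short constructed list shown here.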
Expand Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form, requires users to provide multiple forms of verification to access an account. This layered approach significantly enhances security, so it’s recommended to use MFA across all apps, services, and sites used at your organization.
MFA verification can include any combination of two or more of the following:
- Something you know, like a password.
- Something you have, such as a hard token, security key, or smartcard.
- Something you are, meaning a biometric method.
To gain unauthorized access to an account secured with MFA, a threat actor would need more than a stolen password: they would also need access to a second factor, such as the user’s mobile device, and be able to authenticate with it. This added verification is so effective that Microsoft research found that MFA can block more than 99.2% of account compromise attacks≠.
Organizations can combine biometric methods with something an employee physically possesses, such as an authorized smartphone, for a highly secure passwordless authentication experience. Not only does this layered approach help mitigate phishing attempts and similar attacks, but it’s also more convenient for employees than memorizing credentials. Ease of use can help cut back on bad password habits, such as reusing passwords or keeping physical copies of credentials.
Five password security best practices
In addition to enforcing strict password requirements and implementing tools such as passkeys and MFA, there are a few other ways your organization can help avoid breaches related to stolen credentials.
- Create a strong culture of security by implementing routine cybersecurity awareness training for all employees, regardless of their role’s access to company systems.
- If you haven’t transitioned to using passkeys, require employees to use a longer password or passphrase.
- Remain vigilant against phishing attacks and educate employees on how to recognize suspicious emails attempting to get them to reveal sensitive information.
- Review account activity where possible and report any suspicious activity. For example, if you receive a prompt to complete an MFA activity you did not initiate, change your password immediately.
- Stay on top of software and device vulnerabilities. Running older versions of software and operating systems opens you up to vulnerabilities that could compromise sensitive data – like your passwords.
By implementing a strong password policy, offering awareness training, and adopting alternative, passwordless authentication methods, you can help protect your organization and its employees. Huntington can support you with the insights, resources, and expertise you need to help keep your organization safe.
† Verizon Business. 2025. “2024 Data Breach Investigations Report.” Accessed March 12, 2025.
‡ Delita, Vincent. 2025. “State of Passkeys 2025: Passkeys Move to Mainstream.” Biometric Update, January 15, 2025. Accessed March 12, 2025.
§ IBM. 2025. “Cost of a Data Breach Report 2024.” Accessed March 12, 2025.
≠ Microsoft Research. 2023. “How Effective is Multifactor Authentication at Deterring Cyberattacks?” Accessed March 12, 2024.