AI‑assisted cyberattacks jumped 72% year‑over‑year, and phishing—supercharged by generative AI—skyrocketed by over 1,200%. Those aren’t abstract numbers. They mark a fundamental shift in the tempo and sophistication of threats aimed squarely at the credentials we use every day.
According to TotalAssure’s analysis, the average AI‑powered breach now costs $5.72 million—13% more than a non‑AI incident. Meanwhile, the 2025 Verizon DBIR confirms that credential abuse remains the #1 initial access pathway, responsible for 22% of all breaches, and third‑party involvement has increased.
The message for supply chain teams is stark. Your vendor passwords are no longer a low‑level IT concern; they’re the front door attackers keep walking through. Supply chain compromise now ranks as a frequent attack vector and the second costliest, with an average price tag of $4.91 million, according to the IBM Cost of a Data Breach Report 2025.
It also takes the longest to detect and contain—246 days. The playbook you’ve relied on to manage vendor credentials was built for a slower, less automated era. It’s time to burn that playbook and write a new one.
The Escalating AI‑Driven Credential Threat (You Can’t Afford to Ignore)
If you still think password cracking is a slow, brute‑force grind, the numbers will jolt you awake. Every month, Akamai logs 26 billion credential stuffing attempts—a nearly 50% surge in just 18 months. Cheap combo lists, residential proxy networks, and CAPTCHA‑solving APIs have turned credential abuse into an industrial‑scale operation.
And the raw material for these attacks? It’s practically unlimited. The RockYou2024 leak dumped nearly 10 billion unique plaintext passwords into the criminal underground, creating a dictionary that fuels everything from stuffing to AI‑augmented cracking.
How fast can AI crack a password? Frighteningly fast. Research by Messente that tested 14.2 million real‑world passwords found that 85.6% of common passwords fell in under 10 seconds. Anything shorter than 8 characters is toast instantly, no matter how many symbols you sprinkle in.
AI‑powered tools find more passwords than traditional methods, turning brute‑force attacks that once took weeks into seconds‑long affairs. When you add Fortinet FortiGuard Labs’ observation that automated scans now hit 36,000 per second—a 16.7% rise year‑over‑year—you get a threat landscape where every weak or reused credential is a ticking bomb.
And we’re all reusing passwords more than we admit. SpyCloud’s 2025 Identity Exposure Report reveals that people reuse passwords across sites, and a small percentage of stolen credentials meet even basic complexity rules.
Corporate users, in particular, are drowning in exposure. The average employee now has stolen identity records floating around underground markets.
Infostealer malware adds fuel: credentials were siphoned in 2024 alone, along with session cookies that let attackers bypass MFA entirely. Nearly half of corporate users have already been infected with infostealers on a personal or work device, leaking autofill data and login tokens for business applications.
That’s not a future risk; it’s the soiled network your vendors are operating in right now.
Why Supply Chains Are the Weakest Link Right Now
The same Verizon DBIR report highlighted that third‑party breaches now make up a significant percentage of all incidents. When those breaches involve compromised credentials, the cost per incident climbs, and containment drags on for a long time.
Supply chain compromise is eating a bigger slice of the problem because vendors create a sprawling, interconnected attack surface that’s devilishly hard to police.
As Black Kite’s analysis shows, a significant percentage of third‑party breaches in 2024 started with unauthorized access—most often from stolen vendor credentials, excessive permissions, and poor network segmentation.
What’s worse, some of those breaches originated with a trusted vendor whose security posture had quietly degraded over time. The supply chain doesn’t stop at your direct partners. Fourth‑party relationships—your suppliers’ suppliers—are frequently exploited and rarely monitored.
Ransomware groups have caught on, using weak vendor passwords and shared authentication mechanisms to push ransomware through software updates or direct connections; a significant percentage of known third‑party attack methods in 2024 involved ransomware.
The now‑infamous Snowflake breach from 2024 provides a textbook example. MFA wasn’t enforced, and compromised accounts had prior credential exposure, likely harvested by infostealers.
The impact cascaded through AT&T, Ticketmaster, and Santander. This wasn’t an exotic zero‑day; it was a failure to manage vendor credentials with even basic hygiene.
The broader trend is just as dire. Supply chain cyberattacks surged between 2021 and 2023, and experts expect the growth to continue as cloud, IoT, and remote work tools multiply the number of digital handshakes between organisations.
Legacy Password Practices That Are Now a Critical Liability
The NIST guidelines that many internal policies still reference are officially obsolete. In August 2025, NIST SP 800‑63B Rev. 4 turned conventional wisdom on its head: minimum password length jumps to 15 characters, forced periodic rotation is banned, and arbitrary composition rules (you know, “must include one uppercase, one number, one curse word”) are explicitly rejected.
Yet most vendor password policies still cling to the 2017 playbook, demanding exactly the kinds of weak, predictable patterns AI cracks in seconds.
The data backs up how badly those old habits fail. Passwork’s enterprise research found that common passwords can be cracked using AI tools, and leaked passwords are duplicates—showing rampant reuse.
In 2025, enterprise environments had at least one password hash cracked, up from the year before, while billions of passwords were leaked across datasets.
With exposed users reusing previously compromised passwords, and nearly half of corporate employees already infected by infostealer malware, the circle of blame connects personal behaviour to enterprise catastrophe.
Generative AI tightens the noose further. AI‑crafted phishing emails now achieve high open rates and click‑through rates, as they mimic legitimate communications with eerie accuracy.
That means the credentials of your most diligent vendor employee are one convincing email away from being harvested—and from there, the path to your supply chain is often a single reused password.
What a Modern Credential Management Posture Looks Like (for Supply Chain Teams)
Let’s stop pretending we can manage vendor credentials with spreadsheets and the occasional “strong password” memo. The solution is a layered, managed credential posture that treats every vendor identity as a potential breach point and removes the shared secrets attackers crave.
First, kill the password wherever possible. Adopt passkeys and configure SSO with SCIM provisioning for vendor access.
If you can eliminate a static credential entirely, you eliminate the thing that gets stolen. Where passwords remain unavoidable, lock them inside a zero‑knowledge vault that enforces NIST’s 15‑character minimum and blocks known compromised passwords.
Second, assume your vendors’ passwords are already floating around the dark web. Continuous exposure monitoring—checking vendor credentials against breach databases and infostealer dumps—must become as routine as verifying a supplier’s insurance certificate.
Without it, you’re flying blind, and organisations admit they have no way to know when a third‑party security issue arises, as BlueVoyant’s research underscores.
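The policy rules summarised above (15-character minimum, no composition rules, no forced rotation, block known-compromised passwords) and the exposure-monitoring step both reduce to the same check: hash the credential and compare it against a breach corpus without sending the secret anywhere. The following is an added example written for this article, not code from the article, from NIST, or from any vendor named here. It uses a small constructed corpus of "breached" SHA-1 hashes as a stand-in for a breach database, emulates the k-anonymity range lookup that public breach-check services use (only a 5-character hash prefix would leave the client), and runs a sweep over constructed vendor account records so that rotation is triggered only on evidence of exposure. Names such as `check_password`, `sweep_vendor_accounts`, the vendor and user strings, and the `MAX_LENGTH` cap are all assumptions of this example.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field

# Policy constants taken from the article's summary of NIST SP 800-63B Rev. 4.
MIN_LENGTH = 15
MAX_LENGTH = 64  # assumption: an upper bound so storage and hashing stay bounded


def normalize(password: str) -> str:
    # Normalise Unicode before counting or hashing so visually identical
    # strings compare equal regardless of their encoding form.
    return unicodedata.normalize("NFKC", password)


def sha1_upper(password: str) -> str:
    # SHA-1 is used here only because that is the digest format k-anonymity
    # breach lookups exchange; it is not a password storage hash.
    return hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()


# Constructed sample corpus standing in for a breach database / infostealer dump.
_CONSTRUCTED_BREACHED = [
    "correct horse battery staple",
    "Welcome2Vendor!!2024",      # long and "complex", still breached
    "password123456789",
]
BREACHED_SHA1 = {sha1_upper(p) for p in _CONSTRUCTED_BREACHED}


def hash_in_corpus(full_hash: str, corpus: set) -> bool:
    """Emulated k-anonymity range query over a local corpus.

    Only the 5-character prefix would be sent to a lookup service; the service
    returns every suffix in that bucket and the final comparison stays local.
    """
    prefix, suffix = full_hash[:5], full_hash[5:]
    bucket = {h[5:] for h in corpus if h.startswith(prefix)}  # what a server would return
    return suffix in bucket


def k_anon_lookup(password: str, corpus: set = BREACHED_SHA1) -> bool:
    return hash_in_corpus(sha1_upper(password), corpus)


@dataclass
class PolicyResult:
    ok: bool
    reasons: list = field(default_factory=list)


def check_password(password: str, corpus: set = BREACHED_SHA1) -> PolicyResult:
    """Apply the NIST-aligned rules the article describes: length and breach
    status only. Deliberately no uppercase/digit/symbol requirements and no
    age check, since composition rules and forced rotation are rejected."""
    reasons = []
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if hash_in_corpus(sha1_upper(pw), corpus):
        reasons.append("appears in a known breach corpus")
    return PolicyResult(ok=not reasons, reasons=reasons)


# Constructed vendor account records. A zero-knowledge vault client would
# compute the hash locally; the monitoring job never sees plaintext.
SAMPLE_ACCOUNTS = [
    {"vendor": "acme-logistics", "user": "svc-edi",
     "sha1": sha1_upper("Welcome2Vendor!!2024")},
    {"vendor": "northwind-freight", "user": "api-ingest",
     "sha1": sha1_upper("vendor portal lantern 8842 maple")},
]


def sweep_vendor_accounts(accounts, corpus: set = BREACHED_SHA1):
    """Continuous exposure monitoring: flag only accounts whose stored hash
    matches the breach corpus. Rotation is driven by evidence, not by a clock."""
    findings = []
    for acct in accounts:
        if hash_in_corpus(acct["sha1"], corpus):
            findings.append((acct["vendor"], acct["user"], "rotate now: credential exposed"))
    return findings


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "correct horse battery staple",
                      "vendor portal lantern 8842 maple"]:
        print(repr(candidate), check_password(candidate))
    for finding in sweep_vendor_accounts(SAMPLE_ACCOUNTS):
        print("EXPOSED:", finding)
```

Two points the code makes that the prose only states: `Welcome2Vendor!!2024` satisfies every legacy composition rule and the 15-character minimum yet is rejected because it is in the corpus, and the sweep produces a rotation instruction only for the exposed account, which is what "no forced periodic rotation" looks like in practice. Swapping `BREACHED_SHA1` for a real range-lookup client is the only change needed to run this against a live breach service.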
Third, combine credential management with least‑privilege and just‑in‑time access. A stolen password shouldn’t hand an attacker the keys to your entire ecosystem. Segment vendor access so that even a successful takeover is contained.
A modern enterprise password manager like Proton Pass—which is end‑to‑end encrypted, zero‑knowledge, includes built‑in dark web monitoring, supports passkeys and SSO/SCIM, and has undergone independent open‑source audits—shows what’s possible when credential management aligns with the latest NIST guidelines.
Tools like this let supply chain teams enforce strong, centralised policies across dozens or hundreds of vendors, without relying on each partner’s individual security maturity.
For broader protection, it’s worth exploring how to protect your digital supply chain from third‑party breaches, which covers vendor risk assessments and network segmentation—the complementary controls no credential strategy can live without.
Remember, firms have already been negatively impacted by a supply chain breach. Monitoring can’t be periodic or reactive; it must be embedded into how you onboard and maintain every vendor relationship.
Caveats & Counterpoints: Acknowledging the Real‑World Friction
No password manager—no matter how well‑architected—fixes human behaviour or organisational inertia on its own. You still need to train staff and vendors, enforce MFA everywhere (and acknowledge that infostealers can bypass it by stealing session cookies), and run continuous audits.
Proton Pass itself draws praise on Reddit for its privacy‑first design and clean interface, but users note occasional autofill hiccups and feature gaps compared to 1Password or Bitwarden that might frustrate power users in technically demanding environments.
NIST’s 2025 password guidance sets a high bar, but it’s a US federal standard. Global supply chains must navigate a patchwork of regional regulations and legacy vendor systems that can’t swallow 15‑character minimums or passwordless authentication overnight.
The biggest blind spot, however, isn’t your direct partners—it’s the unmanaged fourth‑party relationships and AI‑model supply chains that silently multiply risk.
The IBM Cost of a Data Breach Report 2025 notes that AI‑related incidents involve supply chain compromise, and organisations lack proper AI access controls, adding to breach costs. No credential vault can plug that gap without a broader zero‑trust framework.
And let’s be real: onboarding hundreds of vendors onto a new credential management system is heavy lifting. Phased rollouts, clear supplier security clauses in contracts, and dedicated change management are non‑negotiable.
Technology gives you the levers, but pulling them requires sustained operational commitment.
Conclusion: The Speed of AI Demands a Fundamentally Different Password Playbook
The game has changed. AI compressed attack timelines from weeks to seconds, just as supply chain credential exposure ballooned to industrial proportions. Short passwords, shared secrets, periodic forced resets—these aren’t minor inconveniences anymore; they’re active enablers of the breaches costing organisations millions and eroding trust.
The path forward isn’t mysterious, but it is urgent. Adopt NIST‑aligned password policies and insist your vendors do the same.
Put every vendor credential inside a managed, monitored vault that can flag exposure before it’s exploited. Then wrap that vault in a zero‑trust supply chain architecture that assumes compromise and limits blast radius.
Return to the Verizon DBIR’s most chilling finding: attacks on basic web applications now use stolen credentials, and brute‑force attempts against those apps increased in a single year.
Supply chain security leaders can no longer treat vendor passwords as an IT triviality. They are a significant attack vector of the AI era, and the time to act isn’t after your next third‑party breach—it’s right now.