There is a quiet ritual that plays out in nearly every enterprise IT environment, every day, thousands of times. A user forgets their password. They call the service desk. An agent verifies their identity through a process that ranges from “rigorous” to “what’s your manager’s name”. The password is reset. The user gets back to work. The ticket is closed.
It is so routine that most organisations have stopped measuring its cost.
That is a mistake.
We worked with a UK financial services client recently who, after some careful instrumentation, calculated that password-related service desk activity was consuming the equivalent of 3.4 full-time employees. That number alone is significant. But the deeper number — the one that should worry every CISO — was the credential exposure created by the reset process itself.
Roughly 12% of resets in their environment were issued without strong identity verification. Of those, an unknown but non-zero percentage were issued to attackers.
This is the hidden cost of “just reset their password” culture. Not the budget line. The breach.
The economics most organisations don’t measure
When CFOs see password reset costs at all, they typically see service desk labour. The average enterprise estimates it spends between £15 and £40 per password reset, depending on whether the reset goes through self-service, tier-one support, or escalates further. Multiply that by the volume — and most enterprises do 20 to 60 resets per 1,000 employees per month — and you get a meaningful number.
But that’s the cheap number. It ignores three larger costs.
The first is user productivity loss. A locked-out user is, for the duration of the lockout, unable to do their job. The average lockout duration in enterprises without robust self-service hovers around 30 minutes — combining wait time, verification, and the user’s own context-switching back into their work. That cost compounds when the user is a senior employee, a sales person mid-deal, or a developer mid-deployment.
The second is process degradation under volume. Service desks measured on ticket throughput will, under pressure, simplify their identity verification. We have seen “verification” reduced to “what’s your employee ID” in environments where employee IDs are routinely included in email signatures, Slack handles, and Teams profiles. Volume drives shortcuts. Shortcuts drive risk.
The third is the cost that nobody puts a number to: credential-based intrusion enabled by the reset process itself. The 2024 Verizon DBIR reported that stolen credentials remained the leading initial access vector for the third year running. Many of those credentials weren’t stolen from the user. They were issued, by the service desk, to a social engineer impersonating the user.
Why static password policies have failed
The traditional response to credential risk has been to harden the policy. Force complexity. Force rotation. Force length. Forbid common patterns. Most of this guidance is now actively counterproductive — and even NIST has reversed its long-standing rotation guidance, recognising that periodic forced rotation produces measurably worse password choices because users adapt to the constraint with predictable patterns.
The deeper problem is that static password policies are blind to the only thing that matters: whether a specific password has been compromised.
A 16-character password meeting all complexity requirements is worthless if it appears in a public credential dump. A 9-character password that does not appear in any breach corpus is, statistically, far more secure. Yet most enterprise environments are still configured to accept the former and reject the latter — because their policy logic was written for the threat landscape of 2010, not 2026.
The Have I Been Pwned corpus, the gold standard for breach intelligence, currently contains over 12 billion compromised credential pairs. Modern attackers do not guess passwords. They look them up. The success rate of credential stuffing attacks against enterprises that don’t screen against breach data sits between 0.1% and 2% — which sounds low until you remember it’s measured per attempt, and adversaries make millions of attempts per hour.
What changes when credentials are screened in real time
The architectural shift that mature organisations are making is from policy-based credential security to intelligence-based credential security. The distinction matters.
Policy-based security asks: does this password meet our rules?
Intelligence-based security asks: is this specific password — or any close variant — known to be compromised?
The mechanics are straightforward. At every point a password is set or changed (account creation, scheduled change, self-service reset, service desk reset), the candidate password is checked against breach intelligence and configurable policy. If it appears in breach data, it is rejected before it ever becomes the user’s password. If it is reused from another known compromise, it is rejected. If it follows a predictable pattern flagged by behavioural intelligence, it is rejected.
The user never sees the breach corpus. The plaintext password is never transmitted or stored — modern implementations use partial hash matching to preserve secrecy. But the credential is screened against the same intelligence that adversaries are using to attack you.
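The partial-hash check described above, as an added example rather than code from Mellivor or Cynox: the client hashes the candidate, sends only the first five hex characters of the SHA-1 to the intelligence service, receives every suffix in that bucket, and finishes the match locally, so neither the plaintext nor the full hash leaves the client. The five-character prefix and SHA-1 keying mirror the Pwned Passwords range scheme; the breach corpus, its counts, the account names and the variant-generation rules are constructed for illustration, and a real Active Directory audit would key on NT hashes rather than SHA-1. The last function also shows the one-off exposure audit that the closing section recommends, run over a directory export of hashes.

```python
import hashlib
import re
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
# A real deployment loads a corpus such as Pwned Passwords; these entries are invented.
CONSTRUCTED_CORPUS = {
    "password": 9_000_000,
    "Summer2024!": 1_200,
    "letmein": 500_000,
    "qwerty123": 300_000,
    "correct horse battery staple": 40,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the key used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIntelligence:
    """Server side of a k-anonymity range lookup.

    Stores hashes only, bucketed by their first five hex characters, and answers a
    prefix query with every suffix in that bucket. Because the caller never sends the
    full hash, the service cannot tell which password is being screened.
    """

    PREFIX_LEN = 5

    def __init__(self, corpus: dict[str, int]):
        self._buckets: dict[str, dict[str, int]] = defaultdict(dict)
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self._buckets[digest[: self.PREFIX_LEN]][digest[self.PREFIX_LEN :]] = count

    def range(self, prefix: str) -> dict[str, int]:
        if len(prefix) != self.PREFIX_LEN:
            raise ValueError("prefix must be exactly 5 hex characters")
        return dict(self._buckets.get(prefix.upper(), {}))


def breach_count(password: str, intel: BreachIntelligence) -> int:
    """Client side: transmit only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return intel.range(prefix).get(suffix, 0)


# Hypothetical, deliberately small set of substitutions users make to reuse a burned password.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def close_variants(password: str) -> set[str]:
    """Predictable mutations of a password: case changes, leet-speak, trailing digits/symbols.

    Screening these catches 'Password1!' when only 'password' is in the corpus.
    """
    variants = {password, password.lower(), password.capitalize()}
    stripped = re.sub(r"[\d!@#$%^&*.?_-]+$", "", password)
    variants.update({stripped, stripped.lower(), stripped.capitalize()})
    variants.update({v.translate(_LEET) for v in list(variants)})
    return {v for v in variants if v}


def screen_password(candidate: str, intel: BreachIntelligence,
                    min_length: int = 12) -> tuple[bool, str]:
    """Decision taken at set/change/reset time, before the value becomes the password."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    # Check the candidate itself first, then its variants in a deterministic order.
    for variant in sorted(close_variants(candidate), key=lambda v: (v != candidate, v)):
        seen = breach_count(variant, intel)
        if seen:
            if variant == candidate:
                return False, f"appears in breach data ({seen} times)"
            return False, f"close variant {variant!r} appears in breach data ({seen} times)"
    return True, "not found in breach data"


def audit_exposure(account_hashes: dict[str, str],
                   intel: BreachIntelligence) -> tuple[float, list[str]]:
    """Exposure rate over a directory export of {account: SHA-1 hex}; no plaintext needed.

    Returns (proportion of accounts whose hash is in the corpus, sorted exposed accounts).
    """
    exposed = []
    for account, digest in account_hashes.items():
        digest = digest.upper()
        if digest[5:] in intel.range(digest[:5]):
            exposed.append(account)
    rate = len(exposed) / len(account_hashes) if account_hashes else 0.0
    return rate, sorted(exposed)


if __name__ == "__main__":
    intel = BreachIntelligence(CONSTRUCTED_CORPUS)
    for pw in ["correct horse battery staple", "Password1!", "mauve-teapot-orbits-quietly"]:
        print(pw, "->", screen_password(pw, intel, min_length=8))
    export = {"alice": sha1_hex("password"), "bob": sha1_hex("mauve-teapot-orbits-quietly")}
    print("exposure:", audit_exposure(export, intel))
```

Note that the 28-character passphrase is rejected while the shorter, unseen one is accepted: length and complexity rules say nothing about whether a value is already in an attacker's lookup table, which is the point of screening against intelligence rather than policy.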
This is, in practice, the only credential strategy that survives contact with the modern threat landscape.
What this looks like deployed
In environments running real-time credential intelligence — Mellivor deploys Cynox for clients in finance, telecoms, and critical infrastructure for exactly this purpose — three things change quickly.
First, the volume of weak and breach-flagged passwords in Active Directory is measurable for the first time. Most organisations are surprised. We have seen environments where 28% of active accounts were using passwords that appeared in public breach corpora. Those organisations had passed every audit and met every regulatory requirement.
Second, the service desk reset process becomes safer almost as a side effect. Even when a reset is issued without rigorous identity verification, the new password cannot be a known-compromised one. The attack chain that depends on social-engineering a reset and then immediately using a credential-stuffing tool to maintain persistence breaks.
Third — and this is the part executives find most unexpected — user friction goes down. When breach screening replaces complexity-and-rotation theatre, users can choose memorable passphrases that meet length requirements and pass breach checks. They stop writing them on Post-it notes. They stop reusing them across systems. The policy becomes invisible until it actually matters.
The hard part: this is a culture change, not a tool change
The technology to do this is mature, well-supported, and integrates natively with Active Directory. Deployment is measured in days, not months. The hard part is not the deployment.
The hard part is unwinding two decades of cultural assumption.
Service desk teams must be retrained: their job is no longer to “reset the password as quickly as possible” but to “verify identity rigorously, and trust the platform to enforce credential security automatically”. Identity governance must shift from “did we follow our policy” to “did our policy reduce real-world risk”. Risk and audit committees, accustomed to seeing credential security expressed as policy compliance percentages, must learn to read a different metric: the proportion of credentials in the environment that are known to be compromised.
That last metric — the one that actually correlates with credential-related breach risk — is invisible to most organisations today. It is the first thing real-time credential intelligence makes visible.
What to actually do this quarter
If you do nothing else, do this: instrument the cost. Calculate, for your environment, the all-in cost of password resets — labour, productivity, lockout duration. Then calculate the proportion of your active credentials that appear in public breach corpora. You can do the latter with a one-off audit before any platform deployment.
The numbers will tell their own story.
If they tell the story we usually see — a six- or seven-figure annual cost paired with a credential exposure rate that would be unacceptable in any other risk category — your action becomes self-evident. Move from policy-based to intelligence-based credential security. Make every password change, every reset, and every account creation a moment where breach intelligence is consulted and acted on.
Stop treating password resets as service desk overhead. Start treating them as the security control they always were.
Mellivor works with enterprise security teams to deploy credential intelligence and access management capabilities, including Cynox for real-time Active Directory password security and Securden for privileged access management. To assess your current credential exposure, book a consultation with our advisory team.