Token Theft vs Password Theft: Why Changing Your Password Isn’t Enough Anymore
For years, security advice was simple:
“Change your password.”
That advice is no longer sufficient on its own in today’s security landscape.
Modern attacks don’t always steal passwords.
Attackers now target tokens, which significantly alters the threat landscape.
This overview explains the differences and highlights why token theft poses a greater risk than many realize.
What Is Password Theft?
Password theft is a well-known and traditional attack method.
Attackers steal credentials using:
- Phishing emails
- Fake login pages
- Keyloggers
- Password reuse from data breaches
Once a password is compromised, attackers can access the account as the user.
Why password theft is less effective today
- MFA blocks many login attempts
- Conditional Access can stop logins from risky locations
- Password resets immediately lock attackers out
In summary, password theft is easier to detect and easier to contain.
What Is Token Theft?
Token theft represents a fundamentally different threat.
When you sign in successfully, your identity provider (Entra ID, for example) issues a session token: a browser session cookie, or an access token and refresh token pair.
That token carries the proof that you have already authenticated, including the claim that MFA was completed. (Harlin et al., n.d.) If an attacker steals that token:
- They don’t need your password
- They don’t trigger MFA
- They look like a trusted, logged-in user
The attacker never faces the MFA challenge at all: the token already carries proof that the challenge was passed, so MFA is not bypassed so much as replayed.
How Tokens Get Stolen
Token theft typically occurs after a successful login rather than a failed attempt. (Token Theft: Compromised Cloud Sessions, 2025) Common methods include:
- Evilginx-style phishing (real-time proxy attacks)
- Malicious browser extensions
- Compromised endpoints
- Session hijacking via malware (Tyler & Nunes, 2024)
The user completes a standard sign-in, MFA included.
The attacker then copies the session token without detection. (Diallo et al., 2022) Because the login itself succeeded, there are no alerts, warnings, or failed login attempts to notice. (Notifications about failed authentication attempts, n.d.)
Why Token Theft Is More Dangerous Than Password Theft
| Password theft | Token theft |
| --- | --- |
| MFA can block access | MFA already satisfied |
| Password reset stops attacker | Token remains valid until it expires or is revoked |
| Login often flagged as risky | Appears legitimate |
| Short-lived access | Persistent session access |
This explains why many breaches persist even after password resets. (Bhagavatula et al., 2020, pp. 1895-1912)
The attacker isn’t using the password anymore.
They continue to use the active session.
Signs You’re Dealing With Token Theft
Token theft is hard to detect, but there are red flags:
- Inbox rules created without user knowledge
- MFA-enabled accounts still compromised
- Logins from “normal” locations, but odd behavior
- Password reset doesn’t stop suspicious activity (Investigate risk with Microsoft Entra ID Protection, 2023)
If these signs are present, the issue likely extends beyond basic credential theft.
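The red flags above can be turned into log checks. The script below is an added example, not code from the original post or from Microsoft. It runs over a handful of constructed sign-in and audit records whose field names (sessionId, userAgent, activity, ip) are assumptions standing in for whatever your SIEM exposes, and it flags three of the patterns the list describes: one session presented from two different origins, a session that keeps being used after the password reset, and an inbox rule created right after a sign-in from an origin never seen before for that user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, loosely modelled on Entra ID sign-in and audit
# logs. The field names (sessionId, userAgent, activity, ...) are assumptions
# for this example, not a real log schema. Alice's session s-001 is replayed
# by an attacker from a second origin; Bob is a normal user.
SIGNINS = [
    {"time": "2025-03-01T09:00:00", "user": "alice@example.com", "sessionId": "s-001",
     "ip": "203.0.113.10", "userAgent": "Edge/Windows", "mfa": "completed"},
    {"time": "2025-03-01T09:20:00", "user": "alice@example.com", "sessionId": "s-001",
     "ip": "198.51.100.7", "userAgent": "Chrome/Linux", "mfa": "satisfied by token"},
    {"time": "2025-03-01T10:30:00", "user": "alice@example.com", "sessionId": "s-001",
     "ip": "198.51.100.7", "userAgent": "Chrome/Linux", "mfa": "satisfied by token"},
    {"time": "2025-03-01T09:05:00", "user": "bob@example.com", "sessionId": "s-002",
     "ip": "203.0.113.22", "userAgent": "Edge/Windows", "mfa": "completed"},
    {"time": "2025-03-01T11:00:00", "user": "bob@example.com", "sessionId": "s-002",
     "ip": "203.0.113.22", "userAgent": "Edge/Windows", "mfa": "satisfied by token"},
]
AUDIT = [
    {"time": "2025-03-01T09:32:00", "user": "alice@example.com",
     "activity": "New-InboxRule", "ip": "198.51.100.7"},
    {"time": "2025-03-01T10:00:00", "user": "alice@example.com",
     "activity": "Reset user password", "ip": "203.0.113.10"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_session_reuse(signins):
    """One session id presented from more than one (ip, user agent) pair:
    the classic footprint of a copied cookie or refresh token."""
    by_session = defaultdict(list)
    for s in signins:
        by_session[(s["user"], s["sessionId"])].append(s)
    findings = []
    for (user, sid), events in by_session.items():
        origins = sorted({(e["ip"], e["userAgent"]) for e in events})
        if len(origins) > 1:
            findings.append({"rule": "session_reuse", "user": user,
                             "sessionId": sid, "origins": origins})
    return findings


def find_post_reset_use(signins, audit):
    """A session established before a password reset and still used after it.
    The reset changed nothing because the attacker never needed the password."""
    resets = {a["user"]: parse(a["time"])
              for a in audit if a["activity"] == "Reset user password"}
    first_seen = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        first_seen.setdefault((s["user"], s["sessionId"]), parse(s["time"]))
    findings = []
    for s in signins:
        reset_at = resets.get(s["user"])
        if reset_at is None:
            continue
        started = first_seen[(s["user"], s["sessionId"])]
        if started < reset_at < parse(s["time"]):
            findings.append({"rule": "post_reset_use", "user": s["user"],
                             "sessionId": s["sessionId"], "ip": s["ip"],
                             "used_at": s["time"]})
    return findings


def find_inbox_rules_after_new_origin(signins, audit, window=timedelta(minutes=15)):
    """An inbox rule created shortly after the first sign-in from an origin
    never seen for that user: persistence set up from the attacker's seat."""
    seen = defaultdict(set)
    new_origin = []
    for s in sorted(signins, key=lambda s: s["time"]):
        origin = (s["ip"], s["userAgent"])
        if origin not in seen[s["user"]]:
            seen[s["user"]].add(origin)
            new_origin.append(s)
    findings = []
    for a in audit:
        if a["activity"] != "New-InboxRule":
            continue
        for s in new_origin:
            delta = parse(a["time"]) - parse(s["time"])
            if s["user"] == a["user"] and timedelta(0) <= delta <= window:
                findings.append({"rule": "inbox_rule_after_new_origin",
                                 "user": a["user"], "ip": a["ip"],
                                 "signin_at": s["time"], "rule_at": a["time"]})
    return findings


def triage(signins, audit):
    """Run all three checks and return the combined findings."""
    return (find_session_reuse(signins)
            + find_post_reset_use(signins, audit)
            + find_inbox_rules_after_new_origin(signins, audit))


if __name__ == "__main__":
    for f in triage(SIGNINS, AUDIT):
        print(f)
```

Run as-is, it reports three findings for alice and none for bob. The session-reuse rule is the one to tune first in production: VPN egress changes and mobile networks also move a legitimate session between IP addresses, so correlate on user agent and network (ASN) rather than raw IP alone before paging anyone.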
How to Reduce Token Theft Risk
While token theft cannot be completely eliminated, you can significantly reduce the risk. (Galluzzo & Regenscheid, n.d.) Key controls include:
- Phishing-resistant MFA (FIDO2, passkeys)
- Conditional Access with device compliance
- Sign-in frequency limits
- Token binding to compliant devices
- Endpoint security and browser extension control
- Continuous access evaluation (Entra ID phishing-resistant MFA staged rollout with Authentication Strengths, 2025)
Modern security is not only about verifying who logged in.
It also requires ongoing evaluation of whether the session remains trustworthy. (Harlin et al., n.d.)
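To see why the “Token remains valid” row of the comparison table holds, and what the continuous access evaluation and token binding controls in the list above change, here is an added example. It is not code from the original post and not how Entra ID is implemented: a toy bearer-token issuer with an HMAC signature over a constructed key, a naive validator that checks only signature and expiry, and a hardened validator that also rejects tokens issued before the account’s last credential event and tokens presented from a device other than the one that signed in. The subject, device ids, and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo signing key. A real IdP signs with an asymmetric key
# (Entra ID issues RS256 JWTs); HMAC keeps this example self-contained.
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_token(subject, device_id, issued_at, lifetime_s=3600):
    """Mint a bearer token after a successful sign-in. 'amr' records that MFA
    was done; 'device' records which device the sign-in came from."""
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime_s,
              "amr": ["pwd", "mfa"], "device": device_id}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())
    return payload + b"." + sig


def read_claims(token):
    """Return the claims if the signature is valid, else None."""
    payload, _, sig = token.partition(b".")
    expected = _b64url(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    padded = payload + b"=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


class AccountEvents:
    """Stand-in for the IdP's record of credential events per account
    (password reset, admin 'revoke sessions', risk detection)."""

    def __init__(self):
        self._last = {}

    def record(self, subject, at):
        self._last[subject] = max(self._last.get(subject, 0), at)

    def last(self, subject):
        return self._last.get(subject, 0)


def validate_naive(token, now):
    """Signature and expiry only. This is why a stolen token stays useful
    after a password reset: nothing here looks at the account's state."""
    claims = read_claims(token)
    return claims is not None and claims["exp"] > now


def validate_hardened(token, now, events, presenting_device):
    """Two extra checks: the token must post-date the account's last
    credential event (continuous-evaluation style), and it must be presented
    from the device it was issued to (token-binding style)."""
    claims = read_claims(token)
    if claims is None or claims["exp"] <= now:
        return False
    if claims["iat"] < events.last(claims["sub"]):
        return False  # issued before the password reset / revocation
    return claims["device"] == presenting_device


def theft_scenario():
    """Alice signs in with MFA at t0; the attacker copies the token; the
    password is reset at t0+600; the attacker replays the token at t0+1200."""
    t0 = 1_700_000_000
    token = issue_token("alice@example.com", "dev-alice", t0)
    events = AccountEvents()
    events.record("alice@example.com", t0 + 600)
    now = t0 + 1200
    return {
        "naive": validate_naive(token, now),
        "hardened": validate_hardened(token, now, events, "dev-attacker"),
        # even on Alice's own device the reset now ends the old session
        "hardened_same_device": validate_hardened(token, now, events, "dev-alice"),
    }


def legitimate_use():
    """Same token, same device, before any credential event: still valid."""
    t0 = 1_700_000_000
    token = issue_token("alice@example.com", "dev-alice", t0)
    return validate_hardened(token, t0 + 300, AccountEvents(), "dev-alice")


if __name__ == "__main__":
    print(theft_scenario())  # naive stays True; both hardened checks are False
```

The naive validator is what a relying party gets when it only verifies a JWT signature and the exp claim; the token outlives the password it was born from. The hardened validator shows the two properties the controls in the list are buying: a revocation signal the validator actually consults (what continuous access evaluation delivers between Entra ID and supporting resource providers), and a binding between the token and the device that signed in (what token protection enforces), so a copied token presented from the attacker’s machine fails even before expiry.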
Password theft is a longstanding issue that modern defenses have not fully resolved.
Token theft is a modern attack exploiting how authentication actually works today.
If your security strategy still assumes “MFA means we’re safe,” your security posture may already be at risk.
Identity security now extends beyond the initial login and must be maintained throughout the session.
Written by Jaspreet Singh
Author @ ITBlogs.ca
Engineering labs & identity security research @ f11.ca
References
Harlin, J., Cigna, J., Gallo, M., Malkapuram, S. & Deshpande, A. (n.d.). White Paper: FIDO and the Shared Signals Framework. https://fidoalliance.org/white-paper-fido-and-the-shared-signals-framework/
CyberShade (2025). Token Theft: Compromised Cloud Sessions. https://cyberdefens.com/insights/token-theft
Tyler, L. & Nunes, I. D. (2024). Towards Browser Controls to Protect Cookies from Malicious Extensions. arXiv:2405.06830. https://doi.org/10.48550/arXiv.2405.06830
Diallo, M., Peel, T. & Winterford, B. (2022). Defending against Session Hijacking. Okta Security. https://sec.okta.com/articles/sessioncookietheft/
Kaspersky Support (n.d.). Notifications about failed authentication attempts. https://support.kaspersky.com/kata/7.1/en-US/296427.htm
Bhagavatula, S., Bauer, L. & Kapadia, A. (2020). (How) Do People Change Their Passwords After a Breach? Proceedings of the 2020 ACM Conference on Computer and Communications Security, pp. 1895-1912. https://doi.org/10.1145/3372297.3417230
Microsoft Learn (2023). Investigate risk with Microsoft Entra ID Protection. https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk
Microsoft Entra (2025, September 22). Entra ID phishing-resistant MFA staged rollout with Authentication Strengths. https://controlaltdeletetechbits.co.uk/entra-id-phishing-resistant-mfa/
Galluzzo, R. & Regenscheid, A. (n.d.). Protecting Tokens and Assertions from Forgery, Theft, and Misuse: Implementation Recommendations for Agencies and Cloud Service Providers. https://doi.org/10.6028/NIST.IR.8587.ipd