Microsoft’s systems are still porous in the face of hacking despite the company’s investments to bolster its cybersecurity, according to a new survey from Thycotic, a network security firm.

The message is not a surprise. Half of participants in a survey of hackers at the Black Hat conference in Las Vegas this August said they had easily compromised Windows 8 and Windows 10 systems in the past year.

In 2016, the Department of Defense directed its agencies to deploy the Windows 10 system within a year. At least 200 million devices are thought to run Windows 10.

But despite the seemingly easy access to Windows systems, the hackers still said it is not their preferred method of attack.

Sixty percent of hackers in the Thycotic survey said that social engineering was the fastest way to compromise users.

“While much attention is given to application and operating system vulnerabilities, zero-day attacks, and malware, hackers still find it much easier to trick users into simply handling over their corporate credentials,” the report said.

Hackers said they have a favorite tool for social engineering as well. Forty-seven percent of participants said that exploiting re-used passwords was their preferred way to exploit victims.

The report suggested that network administrators adopt a “least privilege strategy,” to mitigate hacks, which is the concept that users should be given only the minimal amount of access to complete their jobs.

The U.S. computer emergency readiness team says that “only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary.”

Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.