Passwords used to feel like common sense – a secret word, a little ceremony, a gate between you and trouble. Those days are over. If you still treat passwords as the primary defence for your accounts, you’re trusting a century-old idea to stop modern, automated crime. That rarely ends well.
I used to think stronger passwords and a strict rotation policy would do the trick. Over the last few years I changed my mind – and if you care about protecting your work, money, or identity, you should too. This article explains why passwords fail at scale, which modern tools actually work, and how you can move from fragile secrets to resilient identity.
The scale of the problem
Cybercrime today is an identity problem. Attackers don’t need to break into your server if they can borrow your credentials. The Verizon Data Breach Investigations Report (DBIR) makes this clear: stolen, guessed, or leaked credentials remain one of the most common initial access vectors in breaches, and that finding has held steady year after year.1
The market for stolen passwords is huge. Surveys and incident reports in 2024–2025 put the number of leaked or exposed credentials circulating on criminal forums in the billions; one research aggregation counted roughly 19 billion passwords exposed across hundreds of incidents. When criminals can buy or automate credentials at that scale, relying on passwords alone is like locking your front door with a key that has already been copied and handed around.2
Password reuse and weak choices multiply the danger. Large, representative surveys show that a substantial share of people reuse passwords across multiple accounts and often choose short, guessable strings or personal details. Reuse turns a single breach into a domino effect: one leak hands an attacker credentials they can try everywhere.3
Why passwords fail
It’s tempting to blame users. That’s both unfair and unhelpful. The root problem is the model – passwords are secrets humans must create, store, recall, and keep unique for dozens – sometimes hundreds – of accounts. That expectation collides with how humans actually behave.
Here’s why the model breaks:
- Human memory vs. scale: you can’t reasonably remember unique, high-entropy passwords for every account. The cognitive load pushes people to reuse or simplify.
- Phishing and social engineering: passwords are easy to ask for. Modern phishing kits harvest credentials at scale and often replay them within minutes, before the victim notices anything.
- Credential stuffing and automation: once breached credentials leak, scripts test them across thousands of sites. A reused password becomes an immediate vulnerability on every site where it was reused.
- Device theft and infostealers: malware that grabs saved credentials or intercepts form input makes password strength irrelevant, because the attacker simply extracts the secret from your device.
- Database breaches: companies holding password databases are high-value targets. Even hashed passwords can be cracked offline when the hash is fast (unsalted MD5 or SHA-1 instead of a slow, salted scheme such as bcrypt, scrypt or Argon2) or the password itself is weak.4
Evidence the industry is already moving on
The security industry recognizes this. Organizations and standard bodies are pushing alternatives that remove the “tell me your secret” step.
Passkeys (FIDO/WebAuthn) replace passwords with public-key cryptography: a key pair is created on your device and bound to the site that registered it and, when synced, to your trusted device set. They’re phishing-resistant by design: the browser will only exercise a passkey from the origin it was registered for, and the site checks that origin (and a fresh challenge) before accepting the signed response, so a passkey simply won’t authenticate to a look-alike site, and there is no reusable secret for a phishing page to capture. Adoption has accelerated. By late 2024 more than 15 billion accounts could use passkeys for sign-in, and the FIDO Alliance reports strong uptake across major providers. That’s not hype, it’s an industry shift.5
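To make the origin-binding argument concrete, here is an added example (mine, not code from the article or from any FIDO/WebAuthn library) that models both halves of a passkey sign-in in Go: a simulated browser-plus-authenticator that refuses to sign for a foreign origin, and the relying-party checks WebAuthn requires before trusting an assertion (ceremony type, challenge, origin, rpIdHash, signature counter, ES256 signature). All names (`Credential`, `GetAssertion`, `VerifyAssertion`, the sample nonce) are my own, and the origin rule is simplified to "https host equals the rpID or a subdomain of it"; real browsers apply registrable-domain rules and the real authenticatorData carries more flags and optional extensions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Credential is what a passkey authenticator stores: a P-256 key pair bound at registration to one rpID.
type Credential struct {
	RPID    string
	Priv    *ecdsa.PrivateKey
	Counter uint32 // signature counter, incremented on every assertion
}
// clientData mirrors the CollectedClientData the browser serialises as clientDataJSON.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party receives from navigator.credentials.get().
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// NewCredential simulates registration: the authenticator mints a fresh key pair scoped to rpID.
func NewCredential(rpID string) (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Credential{RPID: rpID, Priv: priv}, err
}

// originMatchesRPID is the (simplified) browser scoping rule: only an https origin on rpID or a subdomain may use the key.
func originMatchesRPID(origin, rpID string) bool {
	u, err := url.Parse(origin)
	return err == nil && u.Scheme == "https" && (u.Hostname() == rpID || strings.HasSuffix(u.Hostname(), "."+rpID))
}

// signedDigest is what gets signed and verified: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion simulates browser + authenticator; refusing to sign from a foreign origin is what defeats phishing.
func GetAssertion(c *Credential, origin string, challenge []byte) (*Assertion, error) {
	if !originMatchesRPID(origin, c.RPID) {
		return nil, fmt.Errorf("credential for %q is not usable from origin %q", c.RPID, origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	c.Counter++
	rpIDHash := sha256.Sum256([]byte(c.RPID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 0) // rpIdHash, flags (0x01 = user present), 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], c.Counter)
	sig, err := ecdsa.SignASN1(rand.Reader, c.Priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side: pub and lastCounter come from the stored credential record,
// challenge is the nonce the server issued for this sign-in. On success it returns the counter to persist.
func VerifyAssertion(a *Assertion, pub *ecdsa.PublicKey, rpID, expectedOrigin string,
	challenge []byte, lastCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return 0, fmt.Errorf("wrong ceremony type or stale challenge (replay?)")
	}
	if cd.Origin != expectedOrigin { // a relay proxy on a look-alike domain fails here
		return 0, fmt.Errorf("origin %q is not %q", cd.Origin, expectedOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return 0, fmt.Errorf("rpIdHash does not match %q", rpID)
	}
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= lastCounter {
		return 0, fmt.Errorf("signature counter did not increase (cloned authenticator?)")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return 0, fmt.Errorf("bad signature")
	}
	return counter, nil
}

func main() {
	cred, _ := NewCredential("example.com")
	nonce := []byte("constructed 32-byte server nonce") // a real server draws this from crypto/rand
	_, err := GetAssertion(cred, "https://login.example-com.net", nonce) // phisher's look-alike domain
	fmt.Println("phishing origin:", err)
}
```

The thing to notice is where each attack dies. A look-alike domain never gets a signature at all, because the browser-side rule refuses before the authenticator is involved. A real-time relay proxy that forwards the genuine site's challenge still has to present its own origin in clientDataJSON, which the server rejects. A captured assertion replayed later fails the challenge check, and a cloned authenticator trips the counter check. None of those defences exist for a password or a relayed OTP.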
Multi-factor authentication (MFA) adoption is rising too, especially in larger organizations. While not perfect (SMS OTPs can be phished or intercepted), MFA that relies on possession or platform authenticators raises the bar substantially compared with passwords alone. Many enterprises now require MFA for key resources.6
If the big vendors and standards bodies are moving, the practical lesson is clear – the safest path is to stop treating passwords as the default fortress and start layering or replacing them with stronger, phishing-resistant mechanisms.
What works
If passwords are dead as the only defence, what should you do instead? There’s no single silver bullet, but a sensible approach mixes immediate steps you can take as an individual with organizational changes for teams.
For you as the person
- Use a password manager. Let software create and store long, unique passwords for every account. This removes the reuse problem and reduces reliance on human memory.
- Enable passkeys where possible. If a service offers passkeys, choose them. They eliminate phishing in most real-world attacks and are easier to use once set up.
- Turn on strong MFA. Prefer hardware security keys or platform authenticators. App-based authenticator codes are a reasonable fallback and far better than SMS, but a real-time phishing proxy can still relay them; only FIDO-style authenticators resist that attack.
- Act on breach notifications. If a service tells you it was breached, or one of your passwords shows up in a leaked dataset, change it immediately. If you use a manager and never reuse passwords, that change stops at one account.
- Protect your devices. Passkeys and authenticators rely on device security. Keep OS and apps updated, use full-disk encryption where available, and secure your lock screen.
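The "password shows up in a leak" check above can be automated, and the usual way to do it without sending the password anywhere is the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API offers: hash the password with SHA-1, send only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`, and compare the remaining 35 characters locally against the returned list. The Go below is an added example (mine, not from the article or from HIBP); `SampleRangeBody` is a constructed stand-in for one such response so the code runs offline (only the `1E4C9B…` suffix is the genuine SHA-1 suffix of the password `password`, the other lines and all counts are made up), and `RangeQuery`, `BreachCount` and `AcceptPassword` are my names.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// SampleRangeBody is a CONSTRUCTED stand-in for the body of GET /range/5BAA6:
// one "SUFFIX:COUNT" line per hash in that range. Only the middle suffix is the
// real SHA-1 suffix of "password"; the other lines and every count are made up.
const SampleRangeBody = `1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
`

// RangeQuery splits SHA-1(password) into the 5-hex-char prefix that goes to the
// service and the 35-char suffix that never leaves the client. The service only
// learns that the password is one of the few hundred hashes sharing that prefix.
func RangeQuery(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// BreachCount scans a range response for the local suffix and returns how many
// breach appearances are recorded for it; 0 means the password was not in the corpus.
func BreachCount(suffix, body string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// AcceptPassword is the policy hook a signup or password-change handler would call:
// reject anything seen in a breach, which is what NIST SP 800-63B asks verifiers to do.
// rangeBody is the response for this password's prefix (here: the constructed sample).
func AcceptPassword(password, rangeBody string) (accepted bool, seen int, err error) {
	_, suffix := RangeQuery(password)
	seen, err = BreachCount(suffix, rangeBody)
	return err == nil && seen == 0, seen, err
}

func main() {
	for _, pw := range []string{"password", "correct horse battery staple"} {
		prefix, _ := RangeQuery(pw)
		// In production: fetch "https://api.pwnedpasswords.com/range/" + prefix with an
		// HTTP client and pass that body instead of the constructed sample.
		ok, n, err := AcceptPassword(pw, SampleRangeBody)
		fmt.Printf("%-32q prefix=%s accept=%v seen=%d err=%v\n", pw, prefix, ok, n, err)
	}
}
```

Two design points matter in practice. The lookup is deliberately not a hash of the whole password sent to a third party; the prefix reveals nothing useful on its own. And the check belongs on the verifier side at signup and password change, not only in a user's manager, because that is where a reused or leaked password can still be refused before it is ever stored.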
For teams and organizations
- Prioritize passwordless and phishing-resistant flows. For customer-facing and internal systems, plan a migration path to passkeys and hardware-backed authentication. The FIDO Alliance’s adoption figures show this is both practical and measurable.5
- Apply adaptive, risk-based access controls. Don’t treat every login the same. Wherever possible, evaluate device posture, geolocation, and session risk before granting full access.
- Default to MFA for every privileged action. Enforce MFA for admin consoles, VPNs, cloud consoles, and any high-risk action. JumpCloud and other industry reports show that large organizations increasingly require it.6
- Make recovery safe. Password resets are an attack vector in their own right. Build account recovery that resists social engineering and that relies on verified, secure channels or secondary authenticators rather than knowledge questions.
- Invest in user experience and education. People will resist change if it’s clumsy. Smooth onboarding for passkeys or authenticators and short, practical training reduce friction and support tickets.
Organisation-level migration is a process, not a flip of a switch
Moving beyond passwords is partly technical and partly organizational. You don’t rip out passwords overnight. The pragmatic path I recommend looks like this:
1. Roll out a password manager for all staff, enable MFA everywhere, and start removing legacy password-only accounts.
2. Choose a low-risk app or a customer segment and pilot passkeys. Measure login success rates, help-desk load, and fraud incidence. Passkeys often reduce resets and increase conversion.7
3. Use lessons from the pilots to expand passkeys and hardware-backed authentication across more services. Integrate adaptive access and tighten recovery flows.
4. Gradually deprecate passwords for the accounts where passkeys or strong authenticators are available, keeping fallbacks only where absolutely necessary and securing them with other controls.
The trade-offs and what to watch for
No technology is risk-free. Passkeys and authenticators depend on device security and reliable recovery. Syncing passkeys across devices must be handled by reputable providers, with a clear mechanism for lost-device recovery, because the sync account itself becomes a high-value target. Regulators and standards bodies are already working through these questions, and guidance is evolving: NIST’s 2024 supplement to SP 800-63B, for example, allows properly implemented syncable passkeys to satisfy Authenticator Assurance Level 2.
Be careful with incremental fixes that create a false sense of safety: SMS-based MFA, static knowledge questions, and poorly implemented “device fingerprints” can all still be bypassed. Put the investment where attacks actually succeed today, which means phishing-resistant, possession-based, or hardware-backed methods.
What success looks like
You’ll know you’re heading in the right direction when:
- Password resets and help-desk calls drop.
- Phishing-driven compromises fall even as overall phishing volume remains stable.
- Account takeover fraud declines and sign-in success improves.
- You can point to measurable reductions in credential-based incidents tied to your identity changes.
Organizations that have piloted passkeys report fewer resets and smoother UX; standards groups and vendor reports consistently tie passkeys to improved anti-phishing outcomes and better conversion in e-commerce flows.
Act now, but be pragmatic
Passwords aren’t a horror story because people are careless; they’re a poor fit for modern scale and adversaries. Replace the mindset of “stronger password rules” with a plan to remove passwords where you can and to harden the remaining password-based systems with phishing-resistant MFA and good device hygiene.
Start by choosing a password manager for yourself and enabling passkeys where available. For teams, pilot passwordless for a few services and measure the ROI in reduced support and fraud. Change won’t happen overnight, but every step away from passwords lowers your risk and makes the internet a little less fragile.
Sources
1. Verizon, “2025 Data Breach Investigations Report”
2. Tom’s Guide, “19 billion passwords compromised — here’s how to protect yourself right now”
3. Bitwarden, “Security habits around the world: A closer look at password statistics”
4. DemandSage, “35 Password Statistics 2025 – Data Breaches & Industry Report”
5. FIDO Alliance, “Passkey Adoption Doubles in 2024: More than 15 Billion Online Accounts Can Leverage Passkeys for Faster, Safer Sign-ins”
6. Expert Insights, “Multi-Factor Authentication (MFA) Statistics You Need To Know In 2025”
7. NordPass, “Passwordless future: Interview with FIDO CEO on passkeys and business cybersecurity outlook”