Each year on the first Thursday of May, cyber security professionals urged the public to strengthen their password hygiene. But in 2025, this tradition seemed past its expiry date. Why? Because our over-reliance on passwords was becoming the very risk we sought to avoid. According to Verizon’s Data Breach Investigations Report (2024), 81% of breaches still involved weak or stolen passwords. As threat actors evolved and AI became part of their toolkit, even the strongest passwords could be broken in minutes, not months. It was time we asked — were we clinging to an outdated security method that was holding us back?
The Problem with Passwords Today
The data was damning. According to NordPass, “123456” remained one of the most commonly used passwords and could be cracked by attackers in under a second. An online security survey by Google and Harris Poll in February 2019 found that at least 65% of people reused passwords across multiple, if not all, sites, exposing them to credential-stuffing attacks at scale.
Newer threats only accelerated this risk. Brute-force attacks had moved from CPUs to high-speed GPUs — some capable of guessing over a million password combinations per second — meaning what once took years to crack could now be done in minutes using AI-enhanced tools.
The Dark Side of Passwords: A Cybercrime Economy
The underground market for stolen credentials is vast and lucrative. It’s estimated that over 24.6 billion username-password combinations are currently circulating across cybercriminal marketplaces — although the true scale is difficult to verify due to repeated resale of stolen data. In bulk, these credentials are even cheaper — as seen in the Booking.com scam, where thousands were sold for just $2,000 with new credentials offered every month, depending on breaches and leaks. The most valuable logins include banking, email, cloud, crypto, corporate VPNs and social media accounts, which are commonly reused for phishing, identity theft, malware campaigns, and business email compromise.
Behind these thefts are some of the world’s most sophisticated threat groups, including Kimsuky (North Korea), MuddyWater (Iran), and APT28/29 (Russia). They often rely on malware such as Lumma and on MaaS platforms that target MFA tokens and crypto wallets and spread through Telegram bots, making infostealing scalable and profitable. In 2024 alone, 3.9 billion credentials were reportedly compromised via malware infections across 4.3 million devices.
Even multi-factor authentication (MFA), while crucial, is being challenged by tools like EvilProxy, which can intercept MFA tokens. This growing cybercrime economy is not just a technical threat — it’s a geopolitical and economic ecosystem, since attacks can now originate anywhere thanks to MaaS and Phishing-as-a-Service (PhaaS) platforms. Together with infostealer-as-a-service and phishing kits for hire, these attacks are no longer limited to state actors — they’re available to anyone with a Bitcoin wallet.
The Rise of Passwordless Authentication
In contrast, passwordless security became not only possible — it became practical. Companies like Google, Microsoft, and Shopify rolled out Passkeys — encrypted cryptographic keys tied to biometric or device-based authentication. Microsoft wanted its more than one billion users to stop using passwords to log into their Microsoft accounts, while Gartner predicted that 60% of enterprises would eliminate passwords for most use cases by 2025.
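Why a passkey holds up against the proxy-style MFA interception mentioned above: an added Go example (not code from Check Point or any vendor named on this page) sketching the challenge-response behind passkeys, in which the device signs the server's challenge together with the origin the browser is actually on. The clientData layout, the NewPasskey/Assert/Verify names and the origins bank.example and bank-login.example.net are simplified assumptions, not a WebAuthn implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified stand-in for WebAuthn's clientDataJSON (assumption): the
// authenticator signs the server's challenge plus the origin the browser is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// NewPasskey mints the per-site key pair at enrollment; the private half never leaves the device.
func NewPasskey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Assert is the authenticator's step: sign challenge+origin. There is no typed secret, so
// a phishing page has nothing to capture and replay.
func Assert(priv *ecdsa.PrivateKey, challenge, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}
// Verify is the relying party's step: its own fresh challenge, its own origin, and a
// signature valid under the public key registered at enrollment.
func Verify(pub *ecdsa.PublicKey, challenge, rpOrigin string, cd, sig []byte) error {
	var got clientData
	if err := json.Unmarshal(cd, &got); err != nil { return err }
	if got.Challenge != challenge {
		return fmt.Errorf("stale or replayed challenge")
	}
	if got.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: assertion signed for %s", got.Origin)
	}
	if h := sha256.Sum256(cd); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
func main() {
	priv, _ := NewPasskey()
	// A proxy site relaying the bank's real challenge still gets an assertion bound to its own origin.
	cd, sig, _ := Assert(priv, "constructed-nonce-1", "https://bank-login.example.net")
	fmt.Println(Verify(&priv.PublicKey, "constructed-nonce-1", "https://bank.example", cd, sig))
}
```

A real relying party also tracks each issued challenge so it can be used once; the replay check here is the minimal version of that.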
In sectors like finance, healthcare, and government, hardware tokens, multi-factor logins, and biometric identification were taking over. Even in countries like Singapore and India, government-backed digital identity systems accelerated passwordless adoption for banking, insurance, and healthcare access. This was driven by a desire to enhance security, improve user experience, and streamline digital interactions. In Singapore, for instance, the National Digital Identity (NDI) system, built on Singpass, connects over 700 government agencies and private businesses. Options like facial recognition, digital ID cards, and QR codes confirm user identities quickly and are more secure than traditional passwords. India’s Aadhaar, the world’s largest biometric system, supports secure digital identity verification via OTPs and biometrics, while Australia’s Digital ID roadmap is investing in federated, passwordless frameworks.
Behavioral Resistance: Why We Still Cling to Passwords
Despite security advances, people still trusted what they knew — and passwords felt familiar. But that familiarity came at a price. Passwords were easily guessed, forgotten, shared, or stolen.
Check Point noted that poor password hygiene — such as reusing passwords, writing them down, or using personal data — continued to be a major weak link in corporate and personal security.
Even worse, phishing attacks — many AI-generated — continued to steal login credentials at scale, despite the presence of two-factor authentication (2FA). The rise in AI-powered phishing and deepfake attacks only made password-based systems more vulnerable.
Risks of Staying with Passwords in a Post-AI World
The evolution of AI made password-based authentication obsolete:
- Deep learning models were trained on billions of leaked passwords and could predict common patterns faster than ever.
- Voice- and video-based impersonation attacks using deepfakes could bypass even multi-factor authentication if based on weak identity layers.
- Cloud-based GPUs democratized the power to break passwords at scale, enabling ransomware groups and script kiddies alike to compromise systems rapidly.
In short: the longer we waited to go passwordless, the more we exposed ourselves.
What Organizations Should Do Now
- Pilot passwordless systems using biometrics, tokens, or Passkeys.
- Use tools like Check Point Harmony to prevent password reuse and phishing.
- Enforce Privileged Access Management (PAM) solutions and Zero Trust architectures.
- Educate teams not just on stronger passwords — but on phasing them out altogether.
Check Point emphasized password length, diversity, and uniqueness, while also recognizing the need to explore post-password approaches.
World Password Day shouldn’t just have been about creating stronger passwords. It should have been a prompt to imagine a future without them. The tools existed. The threats demanded it. The only thing missing was our willingness to let go.
While World Password Day served as a reminder of the role passwords play in cyber security, it also highlighted how the landscape has evolved. Over the past six months, organizations in India faced an average of 3,278 cyberattacks per week — far exceeding the global average of 1,878. This stark contrast underscored the urgency for stronger identity and access management practices.
“As threat actors grow more sophisticated, the weakest link often remains poor password hygiene. Strengthening this foundational layer is not just about compliance — it’s about ensuring resilience in an environment where attacks are constant and evolving,” said Sundar Balasubramanian, Managing Director, India and South Asia, Check Point Software Technologies.