Each year on the first Thursday of May, cyber security professionals urge the public to strengthen their password hygiene. But in 2025, this tradition may be past its expiry date. Why? Because our over-reliance on passwords is becoming the very risk we seek to avoid.

Experts from Check Point Software analyse the threats and propose some solutions.

According to Verizon’s Data Breach Investigations Report (2024), 81% of breaches still involve weak or stolen passwords. As threat actors evolve and AI becomes part of their toolkit, even the strongest passwords can be broken in minutes, not months. It’s time we ask — are we clinging to an outdated security method that’s holding us back?

The Problem with Passwords Today

The data is damning. According to NordPass, “123456” is still one of the most commonly used passwords, and hackers can crack it within 1 second. An online security survey by Google and Harris Poll in February 2019 found that at least 65% of people reuse passwords across multiple, if not all, sites, exposing them to credential-stuffing attacks at scale.

Newer threats are only accelerating this risk. Brute-force attacks have moved from CPUs to high-speed GPUs — some capable of guessing over a million password combinations per second, meaning what once took years to crack can now be done in minutes using AI-enhanced tools.

The Dark Side of Passwords: A Cybercrime Economy

The underground market for stolen credentials is vast and lucrative. It’s estimated that over 24,6-billion username-password combinations are currently circulating across cybercriminal marketplaces — although the true scale is difficult to verify due to repeated resale of stolen data.

Bought in bulk, these credentials are even cheaper — as seen in the Booking.com scam, where thousands were sold for just $2 000, with new credentials offered every month depending on breaches and leaks.

The most valuable logins include banking, email, cloud, crypto, corporate VPNs and social media accounts, which are commonly reused for phishing, identity theft, malware campaigns, and business email compromise.

Behind these thefts are some of the world’s most sophisticated threat groups, including Kimsuky (North Korea), MuddyWater (Iran), and APT28/29 (Russia). They often rely on malware such as Lumma and on Malware-as-a-Service (MaaS) platforms that target MFA tokens and crypto wallets and spread through Telegram bots, making infostealing scalable and profitable. It was reported that in 2024 alone, 3,9-billion credentials were compromised via malware infections across 4,3-million devices.

Even multi-factor authentication (MFA), while crucial, is being challenged by tools like EvilProxy, which can intercept MFA tokens. This growing cybercrime economy is not just a technical threat — it is a geopolitical and economic ecosystem, and thanks to MaaS and Phishing-as-a-Service (PhaaS) platforms these threats can now come from anywhere at all. Together with infostealer-as-a-service and phishing kits for hire, such attacks are no longer limited to state actors — they are available to anyone with a Bitcoin wallet.

The Rise of Passwordless Authentication

In contrast, passwordless security is becoming not only possible — it’s practical. Companies like Google, Microsoft, and Shopify are rolling out Passkeys — cryptographic key pairs whose private half stays on the user’s device and is unlocked by a biometric or device-based check, so there is no shared secret to phish or reuse.

Microsoft wants its more than one billion users to stop using passwords to log into their Microsoft accounts, while Gartner predicts that 60% of enterprises will eliminate passwords for most use cases by 2025.

In sectors like finance, healthcare, and government, hardware tokens, multi-factor logins, and biometric identification are taking over. Even in countries like Singapore and India, government-backed digital identity systems are accelerating passwordless adoption for banking, insurance, and healthcare access. This is driven by a desire to enhance security, improve user experience, and streamline digital interactions.

In Singapore, for instance, the National Digital Identity (NDI) system, built on Singpass, connects over 700 government agencies and private businesses. Options like facial recognition, digital ID cards, and QR codes confirm user identities quickly and are more secure than traditional passwords. India’s Aadhaar, the world’s largest biometric system, supports secure digital identity verification via OTPs and biometrics, while Australia’s Digital ID roadmap is investing in federated, passwordless frameworks.

Behavioral Resistance: Why We Still Cling to Passwords

Despite security advances, people still trust what they know — and passwords feel familiar. But that familiarity comes at a price. Passwords are easily guessed, forgotten, shared, or stolen.

Check Point notes that poor password hygiene — such as reusing passwords, writing them down, or using personal data — continues to be a major weak link in corporate and personal security.

Even worse, phishing attacks — many AI-generated — continue to steal login credentials at scale, despite the presence of two-factor authentication (2FA). The rise in AI-powered phishing and deepfake attacks only makes password-based systems more vulnerable.

Risks of Staying with Passwords in a Post-AI World

The evolution of AI is making password-based authentication obsolete:

  • Deep learning models are trained on billions of leaked passwords and can predict common patterns faster than ever.
  • Voice- and video-based impersonation attacks using deepfakes can bypass even multi-factor authentication if based on weak identity layers.

Cloud-based GPUs are democratising the power to break passwords at scale, enabling ransomware groups and script kiddies alike to compromise systems rapidly.

In short: the longer we wait to go passwordless, the more we expose ourselves.

What Organisations Should Do Now

  • Pilot passwordless systems using biometrics, tokens, or Passkeys.
  • Use tools to prevent password reuse and phishing.
  • Enforce Privileged Access Management (PAM) solutions and Zero Trust architectures.
  • Educate teams not just on stronger passwords — but on phasing them out altogether.

Check Point emphasises password length, diversity, and uniqueness but is also aligned with the need to explore post-password approaches.