Passwords on the way out, experts say

The days of relying on passwords to protect online accounts may be numbered, cybersecurity experts warn, as criminals increasingly exploit outdated login systems with new tools powered by artificial intelligence.

A growing number of tech leaders and security analysts are calling for a shift toward passwordless authentication, pointing to rising breaches and an underground economy that trades in billions of stolen credentials.

“Even the strongest passwords can now be broken in minutes, not months,” said a cybersecurity analyst familiar with the latest AI-driven hacking techniques. “We’re holding onto a habit that has outlived its usefulness.”

Verizon’s 2024 Data Breach Investigations Report found that 81 percent of security breaches still involve weak or stolen passwords. And while many companies have urged employees and consumers to adopt stronger login practices, criminals are increasingly bypassing those efforts with high-speed brute-force attacks, phishing kits and malware-as-a-service (MaaS) tools.

A report by NordPass revealed that “123456” remains one of the most commonly used passwords — crackable in less than a second. Meanwhile, a 2019 Google survey found that 65 percent of people reuse the same password across multiple websites.

“It’s not just about bad habits. The threat landscape has evolved,” said a cybercrime researcher. “Threat groups like APT28 and Kimsuky are deploying malware that can harvest credentials, bypass multi-factor authentication and even intercept crypto wallets.”

In 2024 alone, some 3.9 billion login credentials were stolen through malware infections affecting more than 4 million devices, according to industry estimates.

While multi-factor authentication (MFA) has added a layer of protection, it too is being targeted. Tools like EvilProxy, which can hijack MFA tokens, are making it harder for traditional security measures to keep up.

At the same time, companies including Google and Microsoft are expanding the use of “passkeys” — encrypted digital credentials tied to users’ devices or biometrics like facial recognition or fingerprints.

“Passwords are a legacy tool,” said a Microsoft executive familiar with the company’s passwordless strategy. “We want our users to log in more securely and more easily — and that means letting go of passwords.”

Governments in Singapore, India and Australia are also moving forward with national digital identity frameworks that rely on facial recognition, biometric data or one-time passwords rather than static logins.

Singapore’s National Digital Identity system, which links over 700 agencies and businesses through the Singpass platform, offers QR codes and facial scans for secure access. India’s Aadhaar database, the largest biometric ID system in the world, allows identity verification through fingerprints and mobile codes.

Still, resistance to giving up passwords remains high, especially among users who find familiarity comforting.

“People trust what they know, even when it doesn’t work anymore,” said a security consultant. “We’ve been told for years to make passwords longer, stronger, more complex — but the real answer is moving beyond them altogether.”

Experts say organizations should start phasing in passwordless options such as biometrics, hardware tokens or cryptographic passkeys, while adopting zero-trust models and educating users on emerging threats.

“The tools to move on already exist,” said the consultant. “Now it’s about whether we’re ready to use them.”

The shift away from passwords isn’t just about convenience, analysts say — it’s about keeping pace with attackers who no longer need sophisticated tools to break in. The faster businesses and consumers adapt, they argue, the better protected everyone will be in an AI-driven future.