Each year on the first Thursday of May, cyber security professionals urge the public to strengthen their password hygiene. But in 2025, this tradition may be past its expiry date. Why? Because our over-reliance on passwords is becoming the very risk we seek to avoid.
According to Verizon's Data Breach Investigations Report (2024), 81% of breaches still involve weak or stolen passwords. As threat actors evolve and AI becomes part of their toolkit, even the strongest passwords can be broken in minutes, not months. It's time we ask — are we clinging to an outdated security method that's holding us back?
The Problem with Passwords Today
The data is damning. According to Nordpass, the weak password "123456" is still in use, and hackers can crack it within 1 second. An online security survey by Google and Harris Poll in February 2019 found that at least 65% of people reuse passwords across multiple, if not all, sites, exposing them to credential-stuffing attacks at scale.
Newer threats are only accelerating this risk. Brute-force attacks have moved from CPUs to high-speed GPUs — some capable of guessing over a million password combinations per second, meaning what once took years to crack can now be done in minutes using AI-enhanced tools.
The Dark Side of Passwords: A Cybercrime Economy
The underground market for stolen credentials is vast and lucrative. It's estimated that over 24.6 billion username-password combinations are currently circulating across cybercriminal marketplaces — although the true scale is difficult to verify due to repeated resale of stolen data. In bulk, these credentials are even cheaper — as seen in the Booking.com scam, where thousands were sold for just $2,000 with new credentials offered every month, depending on breaches and leaks. The most valuable logins include banking, email, cloud, crypto, corporate VPNs and social media accounts, which are commonly reused for phishing, identity theft, malware campaigns, and business email compromise.
Behind these thefts are some of the world's most sophisticated threat groups, including Kimsuky (North Korea), MuddyWater (Iran), and APT28/29 (Russia) — often using malware like Lumma and Malware-as-a-Service (MaaS) platforms that target MFA tokens and crypto wallets and spread over Telegram bots, making infostealing scalable and profitable. It was reported that in 2024 alone, 3.9 billion credentials were compromised via malware infections across 4.3 million devices.
Even multi-factor authentication (MFA), while crucial, is being challenged by tools like EvilProxy, which can intercept MFA tokens. This growing cybercrime economy is not just a technical threat — it's a geopolitical and economic ecosystem, as these threats can now come from anywhere thanks to MaaS and Phishing-as-a-Service (PhaaS) platforms. Together with infostealer-as-a-service and phishing kits for hire, these attacks are no longer limited to state actors — they're available to anyone with a Bitcoin wallet.
The Rise of Passwordless Authentication
In contrast, passwordless security is becoming not only possible — it's practical. Companies like Google, Microsoft, and Shopify are rolling out Passkeys — encrypted cryptographic keys tied to biometric or device-based authentication.
Microsoft wants its more than one billion users to stop using passwords to log into their Microsoft accounts, while Gartner predicts that 60% of enterprises will eliminate passwords for most use cases by 2025.
In sectors like finance, healthcare, and government, hardware tokens, multi-factor logins, and biometric identification are taking over. Even in countries like Singapore and India, government-backed digital identity systems are accelerating passwordless adoption for banking, insurance, and healthcare access. This is driven by a desire to enhance security, improve user experience, and streamline digital interactions.
In Singapore, for instance, the National Digital Identity (NDI) system, built on Singpass, connects over 700 government agencies and private businesses. Options like facial recognition, digital ID cards, and QR codes confirm user identities quickly and are more secure than traditional passwords. India's Aadhaar, the world's largest biometric system, supports secure digital identity verification via OTPs and biometrics, while Australia's Digital ID roadmap is investing in federated, passwordless frameworks.
Behavioral Resistance: Why We Still Cling to Passwords
Despite security advances, people still trust what they know — and passwords feel familiar. But that familiarity comes at a price. Passwords are easily guessed, forgotten, shared, or stolen.
Check Point notes that poor password hygiene — such as reusing passwords, writing them down, or using personal data — continues to be a major weak link in corporate and personal security.
Even worse, phishing attacks — many AI-generated — continue to steal login credentials at scale, despite the presence of two-factor authentication (2FA). The rise in AI-powered phishing and deepfake attacks only makes password-based systems more vulnerable.
Risks of Staying with Passwords in a Post-AI World
The evolution of AI is making password-based authentication obsolete:
Deep learning models are trained on billions of leaked passwords and can predict common patterns faster than ever.
Voice- and video-based impersonation attacks using deepfakes can bypass even multi-factor authentication if based on weak identity layers.
Cloud-based GPUs are democratising the power to break passwords at scale, enabling ransomware groups and script kiddies alike to compromise systems rapidly.
In short: the longer we wait to go passwordless, the more we expose ourselves.
What Organisations Should Do Now
Pilot passwordless systems using biometrics, tokens, or Passkeys.
Use tools like Check Point Harmony to prevent password reuse and phishing.
Enforce Privileged Access Management (PAM) solutions and Zero Trust architectures.
Educate teams not just on stronger passwords — but on phasing them out altogether.
Check Point emphasises password length, diversity, and uniqueness but is also aligned with the need to explore post-password approaches.
World Password Day shouldn't just be about creating stronger passwords. It should be a prompt to imagine a future without them. The tools exist. The threats demand it. The only thing missing is our willingness to let go.
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading AI-powered, cloud-delivered cyber security platform provider protecting over 100,000 organisations worldwide. Check Point leverages the power of AI everywhere to enhance cyber security efficiency and accuracy through its Infinity Platform, with industry-leading catch rates enabling proactive threat anticipation and smarter, faster response times. The comprehensive platform includes cloud-delivered technologies consisting of Check Point Harmony to secure the workspace, Check Point CloudGuard to secure the cloud, Check Point Quantum to secure the network, and Check Point Infinity Platform Services for collaborative security operations and services.
Legal Notice Regarding Forward-Looking Statements
This press release contains forward-looking statements. Forward-looking statements generally relate to future events or our future financial or operating performance. Forward-looking statements in this press release include, but are not limited to, statements related to our expectations regarding future growth, the expansion of Check Point's industry leadership, the enhancement of shareholder value and the delivery of an industry-leading cyber security platform to customers worldwide. Our expectations and beliefs regarding these matters may not materialise, and actual results or events in the future are subject to risks and uncertainties that could cause actual results or events to differ materially from those projected. The forward-looking statements contained in this press release are also subject to other risks and uncertainties, including those more fully described in our filings with the Securities and Exchange Commission, including our Annual Report on Form 20-F filed with the Securities and Exchange Commission on April 2, 2024. The forward-looking statements in this press release are based on information available to Check Point as of the date hereof, and Check Point disclaims any obligation to update any forward-looking statements, except as required by law.