“World Password Day this year comes against a backdrop of rising geopolitical tension and an increasingly hostile cyber threat landscape. While ransomware and criminal activity remain persistent risks, the most serious and sophisticated attacks are now often linked, directly or indirectly, to nation states.

The UK’s cyber agency has already signalled a shift. The National Cyber Security Centre (NCSC), an arm of GCHQ, has warned that passwords are too vulnerable to modern-day attacks, no matter how complex and consequently forgettable they are. They said they are “overhauling decades of practice” by advising the public to stop relying on them for protection. By contrast, India’s Computer Literacy Emergency Response Team (CERT-In) continues to emphasize stronger password hygiene and multi-factor authentication, noting that the majority of unauthorised access incidents stem from poor password management. This divergence highlights a broader reality – while improving passwords remains important, many leading authorities now recognize that passwords alone are no longer sufficient. If that is the direction of travel for individuals, businesses should be asking why they are still so dependent on them.

Passwords are no longer fit for purpose in a high-risk digital environment. As critical systems and sensitive data move online, organizations continue to rely on credentials that are routinely reused, weak, or easily compromised. Approximately 42% of people who have been hacked have passwords that use a combination of letters and numbers, but these passwords have a personal significance to them, making them easier to guess. In theory, passwords can be secure but only, for example, if they’re 100 characters long, unique, complex and changed every day. In practice, this is simply not realistic.

Security has always been a balance between risk and convenience. Like a door, where a rural home may have a single lock, a city property using the same door requires multiple layers of protection. Today, our digital “doors” protect far more but are too often secured with outdated methods.

For businesses, password dependency is now both a security risk and an operational burden. It remains one of the most common entry points for attackers, while also driving inefficiencies through resets, lockouts and user friction. The shift towards biometrics, passkeys and modern identity systems is no longer optional; it is necessary. By moving from what users know to who they are, organisations can strengthen security while improving usability.

Incremental fixes to passwords are not enough. Businesses must prioritise more robust, user-centric approaches to identity and access that reflect the realities of today’s threat landscape and support best practices like Zero Trust methodologies.”

Author: Marcus Lauren, CPO NEXT Biometrics
