Has password hygiene ever improved?
Weak passwords still topple companies in 2025 – experts warn that real progress means replacing them with secure, passwordless authentication


Despite decades of security campaigns urging users to create strong, unique passwords, a single weak credential recently toppled a 158-year-old transport company. The breach – triggered by a guessed password – led to a ransomware attack that shut down operations for over 700 employees, forcing the business into administration.
“Passwords have outlived their usefulness,” says Simon McNally, cybersecurity expert at Thales. “They’re frustrating, insecure, and easily compromised. Hygiene can’t fix what’s fundamentally broken. Humans forget, make mistakes, and seek workarounds. As we saw with the recent transport company breach, weak or reused passwords can still topple entire organizations.”
Ev Kontsevoy, CEO at Teleport, explained that our digital infrastructure has become so complex and interconnected that, “a password is all it takes to steal mission-critical data”. The speed at which attackers can move laterally inside a network means that by the time an intrusion is detected, damage is often extensive. “Static credentials like passwords need to be eliminated,” he says. “Not even the strongest password hygiene strategy will protect against human error.”
This isn’t just about brute-force guessing or poor password selection. Phishing remains a low-cost, high-success tactic for cybercriminals, while social engineering schemes – such as calling an IT helpdesk to request a password reset – are simple and effective. Kontsevoy points out that for large organizations, “it is only a matter of time before one of [hundreds of employees] gets tricked into handing over credentials. And that is all it takes for a large-scale attack”.
The reality, experts agree, is that while tools like password managers and browser keychains ease the memory burden, they don’t remove the inherent weaknesses of passwords. In many ways, we’ve just shifted the risk.
Tools help, but adoption is patchy
Password managers, privileged access management (PAM) systems, and multi-factor authentication (MFA) have all played a role in raising the security baseline – when they’re used. “Password hygiene at an organizational level remains problematic,” says Darren Guccione, CEO of Keeper Security. His firm’s research found that nearly one in five organizations still rely on risky practices like storing credentials in spreadsheets, using hard-coded passwords, or operating without a formal credential management system at all.
These habits are not confined to smaller or less tech-savvy businesses. Even large enterprises can fall back on outdated processes when new tools are perceived as disruptive or overly complex. “Only 37% [of organizations] audit privileged accounts monthly or more often,” Guccione explains, “while 13% admitted to auditing accounts annually or less—potentially leaving systems dangerously exposed.”
When implemented well, these tools deliver measurable improvements. PAM, for instance, helps protect sensitive data, reduces incidents tied to privilege misuse, and lightens the IT helpdesk burden of manual credential resets. Similarly, password managers make it easier to generate and store strong, unique credentials for every account. But Guccione warns that adoption outside enterprise environments is still limited, and employee resistance to new workflows remains a major barrier to effectiveness.
Steven Furnell, IEEE senior member and professor of cybersecurity at the University of Nottingham, tells ITPro that password managers, passkeys, and biometrics “play their part in reducing the burden and improving protection,” but are “far from ubiquitous”. Many websites still require passwords at sign-up and fail to clearly offer alternative authentication options. Without strong adoption and clear user guidance, the same bad habits – weak passwords, reuse, and poor storage – persist.
And even when technology is available, it’s only as good as its configuration. Furnell notes that some organizations deploy password managers or keychains without providing training, leaving users unaware of how to take advantage of features like secure sharing or breach alerts. “They don’t address the underlying bad practice in selecting, sharing, and reusing passwords,” he says.
Passwordless is the future—but it’s slow to arrive
The industry’s strongest push in years is toward passwordless authentication: passkeys, cryptographic identity, and context-aware login that eliminates the need for users to remember passwords. McNally cites Thales’ research showing that 48% of consumers trust brands more when they use passkeys, a figure that rises to 56% among younger users. “Passkeys offer a safer, seamless alternative that removes the burden from users and eliminates common attack vectors altogether, including phishing attacks,” he says.
Teleport’s Kontsevoy agrees that the shift is necessary, particularly in mission-critical environments where the consequences of a breach can be catastrophic. He advocates for zero trust architectures, least privilege access, and just-in-time permissions that grant entry only for the specific task at hand. “Cryptographic identity can replace passwords,” he explains, “leveraging key pairs for secure, verifiable digital signatures… significantly reducing the blast radius even if attackers gain access.”
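To make concrete the point McNally and Kontsevoy are making above (passkeys remove the phishing vector; key pairs give verifiable signatures), here is a small Go program modelling a passkey-style login. It is example code added for this page, not Thales' or Teleport's: the authenticator holds a key pair and only ever returns signatures, the server stores nothing but a public key and issues one-time challenges, and the signed message binds the relying-party identifier the browser derives from the page's real origin. The names `bank.example`, `bank-example.evil` and `cred-1`, and the exact message layout, are constructed for the example; real WebAuthn signs authenticator data (which carries the RP ID hash) plus a client-data hash (which carries the challenge and origin) with the same ingredients.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator models a passkey holder (phone, security key, platform authenticator).
// The private key never leaves it; callers only ever receive signatures.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// signedMessage is what actually gets signed: a hash of the relying-party identifier the
// browser derived from the real origin, then the server's challenge. Binding the origin
// into the signed bytes is what makes the scheme phishing-resistant. (Constructed layout.)
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs a login challenge. originRPID is the site the user is actually on,
// as the browser sees it, not whatever the page claims to be.
func (a *Authenticator) Assert(originRPID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(originRPID, challenge))
}

// RelyingParty is the server side. It stores only public keys (nothing to leak or
// replay) and issues single-use challenges.
type RelyingParty struct {
	ID      string
	creds   map[string]ed25519.PublicKey
	pending map[string]bool // outstanding challenges, hex-encoded
}

// NewChallenge issues 32 random bytes that are accepted for exactly one verification.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // crypto/rand failing is not recoverable in an auth server
	}
	rp.pending[hex.EncodeToString(ch)] = true
	return ch
}

// Verify consumes the challenge, then checks the signature against the message this RP
// expects: the hash of its own ID plus the challenge. A signature made for a lookalike
// domain covers a different hash and fails here.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, key) // consumed whether or not the signature checks out
	pub, ok := rp.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ed25519.Verify(pub, signedMessage(rp.ID, challenge), sig) {
		return errors.New("signature does not verify for this relying party")
	}
	return nil
}

// Scenario runs three logins against one RP and reports which are accepted: a genuine
// login, a phishing relay of a real challenge via a lookalike domain, and a replay.
func Scenario() (legit, phished, replayed bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return
	}
	rp := &RelyingParty{ID: "bank.example", creds: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
	rp.creds["cred-1"] = auth.priv.Public().(ed25519.PublicKey) // registration: public key only

	ch1 := rp.NewChallenge()
	sig1 := auth.Assert("bank.example", ch1) // the user really is on bank.example
	legit = rp.Verify("cred-1", ch1, sig1) == nil

	ch2 := rp.NewChallenge()                      // attacker fetches a real challenge and relays it
	sig2 := auth.Assert("bank-example.evil", ch2) // browser scopes the signature to the phishing origin
	phished = rp.Verify("cred-1", ch2, sig2) == nil

	replayed = rp.Verify("cred-1", ch1, sig1) == nil // ch1 was consumed by the first login
	return
}

func main() {
	legit, phished, replayed, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login accepted: %v\nphished relay accepted: %v\nreplay accepted: %v\n", legit, phished, replayed)
}
```

Two details carry the security argument. The phishing relay fails not because the attacker is detected but because the victim's device signs a message containing the hash of the origin it is actually talking to, so a proxy that faithfully forwards the genuine challenge still produces a signature the real server cannot verify; there is no secret for the user to "hand over" in the first place. And the challenge is deleted before the signature is checked, so a captured assertion cannot be retried and a wrong signature cannot be corrected against the same nonce.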
Doriel Abrahams, principal technologist at Forter, says passwordless adoption is more than a feature upgrade—it’s a strategic transformation. “It takes backend rework, retraining, and cultural change. But the cost of not moving forward—in terms of risk reduction, user experience, and breach mitigation—makes it worth it.”
So why isn’t everyone moving now? Guccione points to multiple barriers: 44% of organizations cite implementation complexity, 38% budget constraints, 34% multi-cloud complications, and 31% lack of personnel. Legacy systems, regulatory constraints, and entrenched habits also slow progress.
For now, passwordless technology is gaining traction in consumer ecosystems like Apple, Google, and Microsoft accounts, but business adoption – especially in sectors reliant on bespoke or outdated software – remains gradual.
Education remains the missing link
If there’s one point on which all experts agree, it’s that technology alone isn’t enough. “True password hygiene requires a holistic approach,” says Richard Cassidy, EMEA CISO at Rubrik. That means combining technology, robust processes, and meaningful education—not just enforcing complexity rules.
Furnell is critical of organizations that treat password training as a tick-box exercise. “With passwords, as with other aspects of cyber hygiene, users need to learn the fundamental principles of strong password practices,” he says. This includes explaining why certain policies exist and supporting them with secure defaults and clear guidance. Without this, even well-intentioned policies can push people toward insecure behaviour, such as reusing passwords across accounts or writing them down.
Abrahams observes that most organizations still focus on compliance over comprehension: “You get the usual password complexity rules… but very little meaningful education. And let’s be honest: most people just add ‘!’ to the end of their usual password and move on.” Worse, these rules often frustrate users into ignoring best practices altogether.
Cassidy stresses that organizations need to move away from blaming individuals for security failures and focus on empowerment. “Identity protection depends on the weakest user,” he says. By giving employees tools they can trust, along with clear, ongoing training, companies can raise the floor for everyone, reducing the chance that one mistake brings down an entire network.
Has password hygiene improved? In isolated pockets, yes, especially where modern tools, strong policy, and continuous education converge. But globally, the fundamentals haven’t changed much. As McNally says: “Those who lead the shift [to passwordless] will be best positioned to earn trust and stay secure in a rapidly evolving digital world”.
Until static credentials are retired altogether, one weak password will remain all it takes to bring down even the most established organization. According to NordPass, ‘password’ and ‘qwerty123’ are still in common use, often on accounts that guard sensitive data.
The path forward is clear: Leaders should move toward passwordless authentication as fast as technical and cultural realities allow. At the same time, organizations must pair technology with education that explains why security policies matter, replace punitive complexity rules with secure-by-default designs, and treat identity as the new perimeter.
In 2025, password hygiene isn’t just about creating better passwords—it’s about building systems that don’t depend on them at all.
David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.
Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.
His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.