
Four Reasons Workforce Passwords Will Get Flushed This Year
It was twenty-one years ago that Bill Gates famously predicted the death of passwords at the RSA conference in San Francisco. Passwords, he sagely noted, could not “meet the challenge of keeping critical information secure.”
Here we are, two decades later. Twenty-one years. In human terms, this prediction is now old enough to drive, vote and buy a drink anywhere in the United States.
My only shock upon realizing this? My only shock is that I’m not nearly as shocked as I thought I’d be. This has been the longest, slowest, most painful death in all of cybersecurity, if not in all of technology.

But that’s finally changing. This year, passwords are on their way out. Not because of a prediction — but because of four converging forces that are forcing organizations to rethink how they manage trust. Here’s why I am so optimistic:
- Dark web data
- The rise of AI
- New authentication technologies
- New operational efficiencies
Reason #1: Dark Web Data, Everywhere You Go
Five years ago we were buying a new car. After a little bit of driving around my then-16-year-old asked, “Why can’t we just get it on Amazon?” My honest answer was that while Amazon was ready for that, we were not ready for that.
Amazon of course offers legit marketplaces and doesn’t knowingly sell stolen or illegal artifacts like passwords and credentials, but there are at least a half dozen dark web marketplaces that might. These are businesses that don’t have the same moral code as Amazon, but have the same technology, drive and desire to be Number One:
- Abacus Market: With over 40,000 product listings and a valuation of around $15 million, Abacus Market is a sprawling dark web marketplace and go-to source for drugs, counterfeit items and cybercrime tools.
- Brian’s Club: Over ten years old, this site is a widely used shop for stolen credit card information such as dumps and CVVs. It has bidding features, with new batches of stolen data frequently added.
- Russian Market: This market operates primarily in English and specializes in the sale of stolen data: credit card data, remote desktop protocol access credentials, stealer logs, personal information, BIN checkers, PayPal cookie converters, and cybercrime tools and utilities.
- STYX Market: A newcomer, STYX focuses on financial crime, providing stolen credit card data, hacked bank accounts, and access to various cryptocurrency laundering tools. It maintains a very strict level of user verification and integration with an official Telegram account to provide real-time updates to users.
- Torzon Market: This market operates on the Tor network and features over 11,600 illegal products, including drugs and hacking tools. It enhances buyer transparency by importing vendor feedback with PGP proof.
- WeTheNorth: This Canadian market was established in 2021 and serves North American and international users. It offers counterfeit documents, financial fraud tools, hacking, and malware services.
These sites exist to sell things like usernames and passwords. What are they providing? Where does their product come from? Breaches, breaches and breaches…twenty years of breaches. The fruit of data breaches and other campaigns, large and small, works its way through the dark web ecosystem and results in some truly massive data troves:
- Last week, Cybernews shouted a long headline: “16 billion passwords exposed in record-breaking data breach, opening access to Facebook, Google, Apple, and any other service imaginable.” These represented login credentials from social media and corporate platforms, VPNs and developer portals, and enterprise applications and services.
- This is on the heels of last year’s biggest password-related headline, from July 4: “RockYou2024: 10 billion passwords leaked in the largest compilation of all time.” The article noted that RockYou2024 was, “In its essence … a compilation of real-world passwords used by individuals all over the world.” It went on to say, “Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks…”
Either way: does it matter? There are just over 8 billion people on the planet, so there’s somewhere between one and two credentials for every human currently alive. Or put another way: if there are about 1 billion viable targets for phishing and attacks scattered in enterprises throughout the world, then bad guys have between eight and sixteen unique credentials to automate into password spraying, credential stuffing, or phishing attacks.
We are awash in passwords and credentials.
Reason #2: The Incredible Rise of AI Usage
We can’t open a newsfeed these days without hearing about the impact of AI on legitimate business. A recent video featured the former CEO of Google saying, "If you're not using AI, you're not going to make it."
And it’s not really hyperbole: according to Motley Fool, 9% of businesses are already using AI. An article from Forbes said, last December, “Your business runs on AI now. Over 80% of businesses use AI as core tech, 35% across multiple departments. And 65% regularly use generative AI in at least one business function…”.
If that’s what legit businesses are doing with AI, what can we expect from attackers that combine it with dark web data? A few examples:
- Hyper-Personalization and Improved Credibility in phishing messages: Gen AI can leverage vast amounts of publicly available data, including social media profiles and online communication patterns, to create highly personalized phishing messages tailored to specific individuals or organizations. These personalized messages can reference personal details, interests, or even work-related topics, making them appear more legitimate and increasing the likelihood of the recipient falling for the scam. Gen AI also eliminates the common grammatical errors and awkward phrasing that previously served as indicators of phishing emails, allowing cybercriminals to generate professionally written and grammatically correct messages.
- Sophisticated Social Engineering Tactics: Three examples should be enough to show how potent this combination is in social engineering attacks.
  - Deepfakes: Gen AI facilitates the creation of highly realistic deepfake audio and video content, enabling attackers to impersonate trusted individuals like CEOs or colleagues, lending significant credibility to their fraudulent requests.
  - Context-Aware Phishing: Gen AI allows attackers to incorporate real-time information from news outlets and corporate websites into phishing emails, making the messages more relevant and urgent and prompting victims to act quickly.
  - Mimicking Internal Communications: By analyzing publicly available content, including corporate press releases or LinkedIn posts, AI can generate emails that mimic the writing style and tone of internal communications, making them more convincing.
- Automation and Scalability: There is no limit to the way AI can improve the automation of adversary attacks. It can automate the process of generating and sending phishing emails, enabling cybercriminals to launch large-scale campaigns with minimal effort. It allows them to target a wider range of potential victims. It increases the overall efficiency and potential success rate of all manner of phishing attacks. These two factors––automating existing tactics and an explosion of new weaponry and resources––have occurred before (History loves lessons). Notably, these two factors aligned before and during World War II, which resulted in nearly double the death toll of any previous conflict, modern or ancient.
So why am I still optimistic that passwords will finally die out for workforce usage? Because of Reasons #3 and #4 on my list.
Reason #3: Newer Authentication Technologies
Multi-factor authentication (MFA) has been around almost 10 years, but it’s really a catch-all phrase for a process. This process asks us to use multiple “factors” to authenticate into business networks, systems and applications; these factors are grouped into knowledge factors, possession factors and inherence factors.
Knowledge factors, like passwords, have been the default not because they were strong, but because they were relatively easy to manage. Possession factors––especially those that combine digital and physical credentials, like hardware keys and certificates––are far more robust and auditable than knowledge factors.

CISA, the United States’ Cybersecurity and Infrastructure Security Agency, is bullish on the use of possession factors in fighting phishing attacks. In fact, their guidance site makes it clear that only two kinds of MFA factors––FIDO and PKI––are suitable to prevent the broad range of phishing attacks we face today.
For what it’s worth, CISA is far from being alone in this recommendation. Domestically, Executive Order 14028 & OMB Memo M-22-09, FISMA/NIST, CMMC 2.0, HIPAA, GLB/FTC Safeguards, PCI 4.0, and several NERC-CIP mandates––to name a few––require the kind of phishing-resistant authentication that strong credentials provide. Internationally, ISO/IEC 27001/27002, GDPR, NIS2, ACSC Essential Eight, Germany’s BSI IT-Grundschutz and Singapore’s “Cybersecurity Code of Practice” (CCoP) all call for phishing-resistant authentication in defined use cases.
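What makes FIDO phishing-resistant in CISA’s sense is origin binding: the browser records the page origin in clientDataJSON, the authenticator scopes the key to the RP ID (rpIdHash in authenticatorData), and the relying party refuses anything that does not match its own site. The following is an added example, not code from this article, CISA or any FIDO vendor, of those relying-party checks in Python with constructed sample data; RP_ID, ALLOWED_ORIGINS and the helper names are assumptions, and signature verification over the returned bytes is left to a crypto library.

```python
import base64
import hashlib
import json

# Relying-party configuration (constructed for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes) -> dict:
    """Origin-binding checks a WebAuthn relying party runs before verifying the
    signature. Returns ok/reason plus the bytes the authenticator signed
    (authenticatorData || SHA-256(clientDataJSON)); checking that signature
    against the registered public key is left to a crypto library."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type", "signed": b""}
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return {"ok": False, "reason": "challenge mismatch", "signed": b""}
    # The browser fills in the origin; a user on a lookalike site cannot override it.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return {"ok": False, "reason": f"origin {cd.get('origin')!r} not allowed", "signed": b""}
    # First 32 bytes: SHA-256 of the RP ID the authenticator scoped the key to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch", "signed": b""}
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return {"ok": False, "reason": "user presence not asserted", "signed": b""}
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "reason": "origin-bound assertion accepted", "signed": signed}


def make_sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed clientDataJSON and authenticatorData (rpIdHash, flags, counter)."""
    cd = json.dumps({"type": "webauthn.get", "origin": origin,
                     "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()})
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return cd.encode(), auth


if __name__ == "__main__":
    chal = b"\x11" * 32
    cd, auth = make_sample("https://login.example.com", RP_ID, chal)
    print(check_assertion(cd, auth, chal)["reason"])
    # Same user and key, but the page was served by a lookalike host.
    cd2, auth2 = make_sample("https://login-example.com", "login-example.com", chal)
    print(check_assertion(cd2, auth2, chal)["reason"])
```

A password typed into the lookalike page would have been accepted anywhere; the assertion is rejected before the signature is even examined, which is the property the mandates above are asking for.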
But are we using these stronger factors for workforce authentication? It seems not.

An SC Magazine article from late 2024, “The rise of phishing-resistant MFA and what it means for a passwordless future,” showed that strong, phishing-resistant authentication using methods like FIDO passkeys and TLS certificates was still overwhelmingly a minority.
With all this data pointing towards the need for stronger authentication, why is credential-based authentication still so rare in the workforce?
The short answer is, it’s perceived to be “expensive and hard.” At least, relative to more ubiquitous but weaker authentication forms, like passwords.
But what if it was not only stronger... but also neither expensive nor hard?
Reason #4: Operational Efficiency Comes of Age
Politics, personalities and dubious decisions aside, 2025’s non-stop focus on “operational efficiency” has been a good thing. It has washed over all industries, including cybersecurity, and shined a light on every organization's ability to “reduce waste of time, effort and material while still producing a high-quality service or product.”
Gartner’s 2025 report, Guidance for Workforce Access Management by Paul Rabinovich[1], pointed out that while there were more robust authentication methods available than ever before to identity architects––typically combining hardware and digital credentials––the challenge was making their inherent complexity "efficient to use":
Organizations that offer their users hardware tokens of any kind (X.509, FIDO, OTP and sometimes all three in a single token) also need to contend with additional processes, such as inventory management, timely token replacement, token initialization (including FIDO preregistration) and PIN resets.
These “additional processes” all need to be managed and scaled. For companies whose workforces number in the many thousands this can seem like a nightmare. But fortunately for us all, the industry already has a system that does this: the credential management system, or CMS.
The CMS is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI). CMS software is used by governments and enterprises issuing strong two-factor authentication (2FA) to employees and citizens. The CMS integrates with the components of PKI to provide one joined-up solution for IT departments to issue and manage credentials to a wide selection of devices, including smart cards, USB keys, smartphones, laptops and desktop computers.[2]
A properly implemented CMS takes the last two decades of experience, new standards, and insights and flips the script. Instead of managing “password credentials” it manages the workflows of strong credentials––PKI, FIDO passkeys, TLS certificates––that can replace password-based systems. These credentials can then be flexibly used in hardware keys, special chips like TPMs, smartcards, and even phone-as-token applications delivered by smartphones.
But how do we know this technology has really “come of age”? How do we know that it really scales, in all the complex scenarios modern businesses face?
At the Gartner IAM Summit in Grapevine, Texas last December I had the great fortune to sit down with a cybersecurity leader for a large transportation company that operates in the western United States. For reference, this freight hauler is a perennial member of the Fortune 500 and has annual revenues of over $20 billion.
It is also, by almost any standard, a pretty old company. As this cybersecurity head said when I met him, “Our company is over a hundred years old, so we can be set in our ways.”
This leader and his company had recently completed an MFA project that deployed strong authentication––in the form of hardware authenticators and digital credentials––to their entire workforce. 32,000 devices were deployed across all of their offices and digital estates, with 5,000 of those deployed centrally in their global headquarters. It took just six months to roll out all of them.
“We’re over one hundred years old, and we completely revamped authentication for every employee.” This guy is a quiet talker but he has a big grin and a big beard. “If we can do it, what’s your excuse?”
References
[1] https://www.gartner.com/en/documents/6387343
[2] https://en.wikipedia.org/wiki/Credential_Management