
How stored passwords became the most expensive problem in cybersecurity

What began as an elegant solution is now one of cybersecurity’s most persistent weaknesses

Janne Hirvimies, Special to Gulf News

For centuries, identity has hinged on a simple idea: prove you are who you say you are. Roman commanders passed watchwords through the ranks to tell friend from foe. In the 1960s, MIT borrowed the same logic so that many users could share one computer, creating the first digital password. It worked for a world with fewer users, fewer systems, and far fewer threats.

What began as an elegant solution is now one of cybersecurity’s most persistent weaknesses. The problem is not that passwords exist; it is that the modern digital landscape has pushed them far beyond what they were designed to handle. A single user may now manage dozens of accounts across critical and non-critical systems. Passwords are saved in browsers, reused across services, and reset through channels that attackers exploit with ease. Even in highly regulated sectors where security is paramount, passwords remain a central dependency, and attackers understand that dependency better than anyone.

The data bears this out. Verizon’s 2025 Data Breach Investigations Report attributes 88 percent of web application breaches to stolen credentials. IBM’s regional breach report puts the average cost of an incident in the Middle East at more than 8 million dollars. And attackers are not relying on sophisticated zero-days. A decade-old typosquatting domain impersonating Microsoft continues to lure users into clicking password reset links; it relies on nothing more than a look-alike name that replaces the letter “m” with the letter pair “rn”. Malware-harvested password databases containing more than 183 million stolen credentials were recently added to “Have I Been Pwned”, fueling credential-stuffing campaigns that automate account takeover at scale.

The burden is operational as well as security-related. Enterprises spend enormous resources resetting passwords, unlocking accounts, and handling access issues. Gartner estimates that up to half of all helpdesk calls are password related, and Forrester puts the cost of each reset at roughly $70. What was once a security mechanism is now a material drag on efficiency.

Some of our attempts to improve the situation have introduced new risks. Password managers simplified the user experience but concentrated every credential in a single vault, an appealing target for attackers, and several leading managers remain vulnerable to unpatched clickjacking flaws that could expose stored data. Multi-factor authentication strengthened defenses, but it remains susceptible to SIM swaps, push fatigue, and reverse-proxy phishing kits that sit between the user and the real site and relay credentials and one-time codes in real time. Even biometrics have limitations: a fingerprint or face template, once compromised, cannot be rotated the way a password can.

Source of failures

At the core of all these failures is one simple truth: traditional authentication relies on shared secrets that must be stored, transmitted, or retrieved. Anything that must be stored can be stolen, and anything that must be transmitted can be intercepted. Hashing the stored password helps only so much: a stolen table of salted hashes is still a verifier that an attacker can grind through offline, at their own pace, against lists of common passwords. This model made sense decades ago. It no longer matches the threat landscape.

A more resilient approach begins by separating identity verification from stored secrets altogether. Instead of proving who you are by typing a password that the server compares against a stored hash, or by submitting a reusable code, modern authentication can rely on cryptographic proof that never exposes the underlying secret. One building block is the Oblivious Pseudorandom Function (OPRF). The client blinds the password with a fresh random value before sending it; the server applies its own secret key to the blinded value without learning anything about the input; the client then removes the blinding and ends up with a strong key derived from both the password and the server’s key. The raw password never exists in a retrievable form outside the user’s device, not even at the authentication provider, and a stolen copy of the provider’s records cannot be attacked offline without the provider’s key. Protocols such as OPAQUE build full password authentication on this primitive. With no password escrow and no centralized vault of reusable secrets, the risk of mass credential theft is fundamentally reduced.
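The OPRF exchange described above, as an added worked example in Python (not code from the article’s author or from QuantumGate): a toy “2HashDH” OPRF over secp256k1. The client multiplies a hash-to-curve point of the password by a random scalar r, the server multiplies the result by its key k, and the client removes r and hashes the outcome. The curve constants are the standard secp256k1 parameters; the try-and-increment hash-to-curve, the domain-separation labels, the sample password and the shape of the registration record are assumptions made for this demonstration, and the login step stores only a hash of the derived value rather than running the full OPAQUE key exchange.

```python
"""Toy 2HashDH Oblivious Pseudorandom Function over secp256k1.
Constructed for this article, not the author's or any vendor's code, and not
production quality: variable-time arithmetic, a naive hash-to-curve instead of
RFC 9497, and no OPAQUE-style key exchange around the OPRF output."""
import hashlib
import secrets

# secp256k1: y^2 = x^3 + 7 over F_P; the group has prime order N (cofactor 1)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                  # Q + (-Q)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P       # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (variable-time; toy only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def hash_to_curve(msg: bytes):
    """H1: try-and-increment map from bytes to a curve point.
    P = 3 mod 4, so the square root is a single exponentiation."""
    ctr = 0
    while True:
        digest = hashlib.sha256(b"H1|" + msg + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return x, y
        ctr += 1


def _encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def client_blind(password: bytes):
    """Multiply H1(password) by a fresh random r. The blinded point is uniformly
    random on the curve, so the server learns nothing about the password."""
    r = secrets.randbelow(N - 1) + 1
    return r, _mul(r, hash_to_curve(password))


def client_finalize(password: bytes, r: int, evaluated) -> bytes:
    """Remove the blinding with r^-1 mod N and hash: H2(pw, k*H1(pw))."""
    unblinded = _mul(pow(r, -1, N), evaluated)
    return hashlib.sha256(b"H2|" + password + _encode(unblinded)).digest()


class OprfServer:
    """Holds the OPRF key k and a hash of each user's derived value.
    Neither the password nor a password hash is ever stored or seen."""

    def __init__(self):
        self.k = secrets.randbelow(N - 1) + 1   # never leaves the server
        self.records = {}                        # user -> sha256(derived value)

    def evaluate(self, blinded):
        return _mul(self.k, blinded)             # apply k to a point it cannot read

    def register(self, user: str, derived: bytes):
        self.records[user] = hashlib.sha256(derived).digest()

    def verify(self, user: str, derived: bytes) -> bool:
        return secrets.compare_digest(self.records.get(user, b"\0" * 32),
                                      hashlib.sha256(derived).digest())


def derive(server: OprfServer, password: bytes) -> bytes:
    """One blind -> evaluate -> finalize round trip."""
    r, blinded = client_blind(password)
    return client_finalize(password, r, server.evaluate(blinded))


def oprf_direct(k: int, password: bytes) -> bytes:
    """Reference value H2(pw, k*H1(pw)); needs k, so a leaked records table
    cannot be checked offline against a password guess list."""
    return hashlib.sha256(b"H2|" + password + _encode(_mul(k, hash_to_curve(password)))).digest()


def demo():
    srv = OprfServer()
    pw = b"correct horse battery staple"          # constructed sample password
    srv.register("alice", derive(srv, pw))
    return srv.verify("alice", derive(srv, pw)), srv.verify("alice", derive(srv, b"Tr0ub4dor&3"))
```

Two properties are worth checking while reading the block. The blinded point produced by client_blind changes on every login while the derived value does not, so the server’s transcript reveals nothing about the password; and oprf_direct needs k, so an attacker who steals OprfServer.records but not k cannot run a dictionary attack offline and is forced into online guesses that the server can throttle. Sending the derived value itself over the wire, as this toy login does, is only acceptable inside an authenticated TLS session; OPAQUE instead uses it to unlock a client key for an authenticated key exchange.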

This model also accommodates environments that still depend on legacy, password-bound systems. While newer applications can move to fully passwordless authentication using hardware-backed credentials, older systems can be made password-free from the user’s point of view. In practice, this means passwords may still exist at the system level, but they are never typed, handled, or seen by users. Automation generates, rotates, and secures these credentials, abstracting them from the user experience and closing gaps without requiring enterprises to rebuild everything at once. Combined with phishing-resistant MFA, such as FIDO2/WebAuthn or certificate-based methods, whose credentials are bound to the legitimate origin and so cannot be relayed by a phishing proxy, and with Zero Trust access controls that continuously verify user, device, and context, the result is an identity layer designed to resist theft, replay, and lateral movement by default.

In the UAE, this direction aligns with national digital transformation goals. The government’s designation of UAE Pass, for instance, as the secure platform for digital identification, signing, and document exchange signals a clear shift: identity is moving beyond passwords, not as a convenience feature but as a national security priority.

The goal is not to build ever-stronger locks around the same mechanism. It is to reduce reliance on that mechanism over time. After six decades of reinforcing a model that was never designed for modern scale or modern adversaries, the industry has reached a turning point. Passwordless identity is not a passing trend; it is a structural shift in how authentication works.

- The writer is CTO at QuantumGate
