Love them or hate them, forget them and reset them—passwords have been around for as long as the digital networks and devices we seek to protect.

Author: Johnty Mongan


But with biometrics and Multi-Factor Authentication now widely used, some cybersecurity experts are suggesting passwords should be scrapped altogether.

Many organisations are still using passwords to protect their networks, either as one of several layers of security or, in some cases, the only protection. However, with passwords doubling in frequency in the last 12 months, and 921 password attacks now occurring every second,1 it’s a security method that’s all too easily compromised.

According to the National Cyber Security Centre (NCSC) UK Cyber Survey 2022, 25% of businesses and 43% of charities do not have password policies to help ensure their employees set strong passwords.2 When you look at the above breach statistics, the risk of using passwords alone is plain to see.

The problem with passwords

Coming up with a password that’s difficult for others to guess but easy for you to remember can be a challenge and many of us will be all too familiar with our old friend, the password reset link. The likelihood of forgetting passwords is often the reason people choose easily discoverable personal information such as their name, the names of their spouse, children or pets, or important birth dates. It’s also why many people reuse their passwords across multiple logins—in fact, it is estimated that 92% of people know that using the same or a variation of a password is a risk but 50% of people do it anyway.3 The problem with doing this is that if a hacker gains access to one account they could wreak havoc on all of them.

In addition, many people still choose easy keyboard-pattern passwords such as ‘123456’ and ‘qwerty’, as well as the even less original ‘password’. All of these feature in the top 104 most commonly used (and, unsurprisingly, hacked) passwords.

921 password attacks happen every second.1

50% of people use the same or a variation of a password across multiple logins.2

There are several ways for users to create stronger passwords, for example:

  • Using ‘complex passwords’ which consist of a combination of numbers, symbols, lowercase and uppercase letters, and are more than eight characters long.
  • Creating a unique passphrase made up of three or four completely random words.
  • Using a secure password manager that can store all encrypted passwords, generate new complex passwords, and access it all using just one login.

The latter, however, requires one master password which, if compromised, could put all of your accounts at risk, and, if forgotten, would mean you would have to reset all of your passwords individually.

Taking all of this into account, it may seem reasonable to ask why we are still using passwords at all—and whether the additional layers of security such as biometrics and Multi-Factor Authentication negate the need for the password as we know it.

Did you know?

It would take a hacker…

31 seconds to crack a seven-character complex password.*

39 minutes to crack an eight-character complex password.*

3,000 years to crack a 12-character complex password.*

Biometric authentication

Biometrics is the measurement of people’s biological and physiological characteristics as a form of identification. The most common examples are fingerprint mapping, facial recognition, voice recognition and retina scanning. Unlike passwords, biometrics are difficult to fake or steal, are non-transferable, and will generally stay the same during the course of a user’s lifetime. Biometrics is already a common method for authenticating users, and its use is becoming more widespread.

Two-Factor Authentication and Multi-Factor Authentication (MFA)

Two-Factor Authentication uses two characteristics to verify a user’s identity, and Multi-Factor Authentication uses at least two, if not more. These characteristics will typically be ‘something you know’ (e.g. a password or the answer to a security question), ‘something you have’ (e.g. a mobile phone), or ‘something you are’—this being the biometrics factor such as a fingerprint or facial recognition.

A recent survey showed that just over a third of businesses (37%) and just under a third of charities (31%), have a requirement for their people to use at least two-factor authentication when accessing their network, or for applications they use.5 This is typically the authentication used by most online banking apps, requiring the user to log in with a password as well as another factor that isn’t easy to hack—usually a fingerprint or a security code sent by text message.

Multi-Factor Authentication (MFA) can also require just two characteristics but often goes a step further, requiring a third factor. Most insurers who underwrite cyber insurance are now requesting that businesses have MFA for all remote access of their systems. At Gallagher, we are seeing an increase in the number of businesses that are being refused cyber insurance cover due to a lack of MFA, leaving them exposed to significant losses.

Will passwords be forgotten forever?

Tech giants, Apple, Google and Microsoft have all announced that over the course of the coming year they plan to implement passwordless FIDO (Fast Identity Online) across all their major platforms.6 As well as being more convenient, this approach will make the sign-in process more secure and protect users from online dangers such as phishing scams which can extract user names and passwords. Implementing the system will be a huge task, involving site and app developers as well as the big three tech firms, so while passwords will still be around for some time yet, it may not be too long before we finally say a fond farewell to the password reset link.

How Gallagher can support you

We understand how quickly things change and offer up-to-date cybersecurity awareness training as well as assistance in implementing information security management standards such as Cyber Essentials, IASME Governance and the internationally renowned ISO 27001.

Our Cyber Risk Management team can work alongside you to help protect your organisation in the constantly changing cyber risk landscape. We can review your cybersecurity, help you improve your strategy and defences, and enhance your ability to recover from a cyber-attack. Please get in touch with the team to see how we can help you.

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.