Why Passwords Are Still Relevant in 2025 (Despite Passkeys and Biometrics)

Passwords have been the standard way to log in since the beginning of computing, and even in 2025, they are still the most common choice. Today, when I was signing into one of my Google accounts, I used passkeys, which I prefer since they are easier and more seamless. However, I noticed that even though I made passkeys my default option, Google still gives the choice to sign in with a password. This reminded me that passwords will be here much longer than we thought. 

Even though passkeys are more secure and biometrics are more convenient, passwords are still widely used. Today, I want to explain why passwords are still the most popular way to log in, despite their security flaws and the emergence of more secure and user-friendly authentication methods. I will also share some tips on how to improve your account security, especially on platforms that only support passwords.

The Promise of Passwordless Authentication

Passwordless authentication refers to methods of verifying a user’s identity without requiring them to use a traditional password. The idea behind passwordless authentication is to make the login process more seamless and secure. The two main types of passwordless authentication that are gaining popularity are passkeys and biometric authentication. Here’s a breakdown of each:

Passkeys

These are cryptographic keys that aim to replace passwords. Passkeys work by pairing a device you own (like a phone or laptop) with a unique key stored on a server. This means you don’t need to remember or enter a password; instead, your device handles the authentication automatically, often with the help of biometric data (like facial recognition or fingerprints). 

Passkeys are typically used in conjunction with a service like Google or Apple’s iCloud ecosystem, which can sync and manage these keys across your devices. For instance, if you have an Apple account, your passkeys will seamlessly be available on all your Apple devices, including your iPhone, Mac, or iPad, as long as they are signed in to the same account.

Biometric Authentication

This refers to verifying identity using physical characteristics, such as fingerprints, facial recognition, or iris scans. Instead of entering a password, you can use your face or a fingerprint to unlock your device or access your accounts. Biometrics offer a high level of security because these traits are unique to each individual and difficult to replicate or steal.

Benefits of Passwordless Authentication

Here are the major reasons many (including me) think passwordless authentication is the future:

  • Convenience: Passwordless authentication simplifies the login process. Users don’t need to remember multiple passwords, reducing the frustration of forgotten or complex passwords. For instance, with passkeys, you can access your accounts quickly by using something simple like a fingerprint scan or facial recognition on your device. 
  • Security: Passwords can be stolen via phishing attacks (e.g., fake login pages tricking you into entering your password). Passkeys and biometrics are far more resistant to this because attackers can’t easily replicate or steal your biometric data or access keys.
  • Stronger Encryption: Passkeys use advanced encryption, making it much harder for hackers to gain unauthorized access to your account. Even if a hacker steals a key from your device, it’s still encrypted and cannot be used without the proper matching device.
  • Eliminates Weak Passwords: Many people use weak or reused passwords, which makes accounts vulnerable. With passwordless authentication, users don’t need to stress about creating a password, eliminating the risks of using a weak one.    
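
The phishing resistance described above comes from the key pair being tied to the site's origin. The following is an added example, not code from the original article or from any passkey provider: a simplified model of a WebAuthn-style login using Node's built-in crypto module. The function names, object shapes and the bank.example / bank-login.example origins are assumptions made for illustration.

```javascript
// Simplified passkey login model; names and *.example origins are constructed, not real WebAuthn APIs.
const crypto = require("node:crypto");

// Registration: the authenticator creates a key pair scoped to one origin.
// The private key stays on the device; the site stores only the public key.
function registerPasskey(authenticator, server, user) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  authenticator.keys.set(server.origin, privateKey);
  server.publicKeys.set(user, publicKey);
}

// Server: a fresh random challenge per login attempt, usable once.
function newChallenge(server, user) {
  const challenge = crypto.randomBytes(32).toString("hex");
  server.pending.set(user, challenge);
  return challenge;
}

// Device: the browser, not the page, reports the origin. With no key
// registered for that origin there is nothing to sign with.
function signAssertion(authenticator, browserOrigin, challenge) {
  const privateKey = authenticator.keys.get(browserOrigin);
  if (!privateKey) return null;
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  return { clientData, signature: crypto.sign(null, Buffer.from(clientData), privateKey) };
}

// Server: check challenge, origin and signature against the stored public key.
function verifyAssertion(server, user, assertion) {
  const expected = server.pending.get(user);
  server.pending.delete(user);
  const publicKey = server.publicKeys.get(user);
  if (!assertion || !expected || !publicKey) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData);
  return challenge === expected && origin === server.origin &&
    crypto.verify(null, Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function runScenarios() {
  const server = { origin: "https://bank.example", publicKeys: new Map(), pending: new Map() };
  const authenticator = { keys: new Map() };
  registerPasskey(authenticator, server, "alice");
  const good = signAssertion(authenticator, server.origin, newChallenge(server, "alice"));
  const legit = verifyAssertion(server, "alice", good);
  const replay = verifyAssertion(server, "alice", good); // challenge already consumed
  // Phishing page relays a real challenge, but the browser reports the page's own origin.
  const relayed = signAssertion(authenticator, "https://bank-login.example", newChallenge(server, "alice"));
  return { legit, replay, phished: verifyAssertion(server, "alice", relayed) };
}
console.log(runScenarios());
```

Unlike a password, there is no shared secret for the look-alike page to capture: the server holds only a public key, and the device never signs for an origin it has not registered with.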

The Reality: Passwords Are Still Everywhere

While passwordless methods like passkeys and biometrics are gaining popularity, passwords are still widely used for several important reasons:

Compatibility: Many Systems and Legacy Applications Rely on Passwords

Many systems, applications, and websites, especially older or legacy software, were built around traditional password-based authentication. These systems haven’t necessarily been updated to support modern alternatives like passkeys or biometric login. As a result, they still rely on passwords for user authentication.

Since passwords have been in use for decades, almost every online platform, website, and application is designed with passwords in mind. As these platforms update to support new methods of authentication, passwords will continue to be the fallback option, especially in cases where compatibility is an issue. A recent study revealed that passkeys are used by only 20% of the top 100 websites.

Passwords Give Users More Control 

With passwords, users have full control over their login credentials. They can create, update, and reset their passwords without depending on a third-party service like Apple, Google, or Microsoft. This means you don’t have to worry about whether an external authentication provider is available or experiencing downtime.

No Need for Extra Devices

Unlike biometric authentication, which may require specialized hardware (like a fingerprint scanner or facial recognition camera), passwords can be used on virtually any device with minimal setup, allowing for more universal access. 

For example, attempting to use passkeys on a different device will require you to scan a QR code with a trusted device, such as your phone, to complete the authentication process. This kind of experience can make passkeys less ideal and undermine the great user experience they are intended to provide. With passwords, all you need is internet access and knowledge of your correct passwords.

Biometric Data Can Be Compromised and Isn’t Changeable Like Passwords

Once someone’s fingerprint or face is compromised, it can’t be changed. If a hacker steals or hacks into your biometric data, it could potentially be used against you indefinitely. This makes biometrics a riskier option in such situations, as there’s no way to reset your fingerprint or facial scan like you can with a password.

Hackers can also spoof biometric data using advanced techniques (e.g., using 3D models to simulate someone’s face). While these attacks are still harder to pull off than stealing passwords, the risk is not zero. 

How to Make Passwords Work in 2025

Despite the rise of passwordless methods, passwords will continue to play a role in authentication for the foreseeable future. Here’s how to make passwords safer and more effective in 2025:

Follow the Best Practices for Creating Strong Passwords

For creating strong passwords, aim for at least 12 characters. Your passwords should also include a mix of uppercase and lowercase letters, numbers, and special characters to enhance security. Finally, ensure each account uses a unique password to prevent potential risks if one site is compromised. Check out my article about password best practices to learn more. 

Use a Password Manager 

Password managers help you store and manage all your passwords securely. Instead of remembering each password, you can use a single, strong password to access your password manager, which will handle the rest. Many password managers can also generate strong, random passwords for you, so you don’t have to create them yourself.

Password managers also encrypt your stored passwords, making them much more secure than keeping them in a text file or writing them down. Most password managers also alert users if the login credentials (including your password) for any of their accounts have been leaked and recommend an immediate change to keep their accounts secure.

Most mainstream platforms, including those by Apple (iOS and macOS), Google (Android), and Microsoft (Windows), have built-in password managers. You can use these if you don’t have the budget to invest in third-party alternatives, which typically offer more features.

Enable 2FA/MFA Wherever Possible

Always enable Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) wherever possible. With MFA or 2FA enabled, hackers won’t be able to access your account without the second factor, such as a code sent to your phone or an authentication app, even if they manage to steal your password. Many popular services offer 2FA/MFA options. Always opt for them to greatly enhance the security of your accounts.

Key Takeaway

I am a strong believer in passwordless authentication due to its ease of use for signing into accounts without compromising security. In fact, passwordless methods like passkeys are even more secure, which is why they are being promoted by platform providers like Apple, Google, and Microsoft.

However, in 2025, the reality is that passwords remain the most popular method and are likely to stay that way for the next few years. The main reason for this is the compatibility of newer methods. Website and application developers have not yet appreciated the need to move away from passwords. Many feel that passwords with MFA/2FA are sufficient.

However, for anyone who needs maximum security for their accounts, using passkeys and other passwordless authentication is the way to go. For platforms that still use passwords, I recommend following best practices, such as having a complex and long password, using MFA, and employing a password manager, which should be good enough. 
