
December 10, 2025

Why Are Passwords Still the Weakest Link?


The contradiction at the heart of modern security

Everyone agrees passwords are insecure.
They’re phished, guessed, reused, harvested, traded, and automated against.
Yet organisations still depend on them for their most critical systems.

It is one of the strangest contradictions in cybersecurity:

We continue to rely on the one security mechanism attackers have spent decades learning to steal.

The result is predictable.
Compromised credentials consistently rank among the leading causes of breaches reported across Europe.

But the problem isn’t just phishing.
It’s also the complexity of how passwords behave inside modern hybrid environments, especially as organisations transition from legacy Active Directory to Entra ID.

Hybrid identity made passwords even more confusing

The issue that prompted this article came from a real scenario: a user trying to change their password on a hybrid-joined Windows 11 device.

It should have been simple.
Instead, it exposed a deeper architectural issue:

Where does the password actually live?

In hybrid environments:

  • Some systems authenticate against Active Directory
  • Others authenticate against Entra ID
  • Cloud apps expect modern, token-based authentication
  • On-premises apps still authenticate with Kerberos or NTLM against the domain

Password changes don't always propagate instantly, especially when:

  • Entra Connect has not yet synchronised the new password hash (password hash sync normally follows within a couple of minutes, but only once the change has actually landed in AD)
  • The device has no line of sight to a domain controller, because it is off-network or the user is outside the perimeter, so a change made at the Windows sign-in screen cannot reach AD at all
  • Hybrid join is incomplete, so the device holds no Primary Refresh Token and cloud sign-ins behave differently from the desktop sign-in
  • Password, expiry or lockout policies differ between AD and Entra ID

Users don’t know any of this.
They just see inconsistency.

And inconsistency becomes both a helpdesk problem and a security risk.
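The fastest way to turn "my password doesn't work" into a fact is to look at both sides of the hybrid boundary at once. The following PowerShell is an added example, not code from the original article or from Microsoft. It assumes password hash synchronisation through Entra Connect, the ActiveDirectory and Microsoft.Graph PowerShell modules on the machine running it, and an Entra Connect server whose hostname is passed in -ConnectServer (the default 'entraconnect01' is an assumed name).

```powershell
# Added example: did a user's password change propagate from AD to Entra ID?
# Assumes Entra Connect with password hash sync, the ActiveDirectory and
# Microsoft.Graph modules, and WinRM access to the Entra Connect server.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$ConnectServer = 'entraconnect01'   # assumed hostname
)

# 1. Can this machine reach a domain controller? Without line of sight to a DC,
#    a change made at the Windows sign-in screen never reaches AD at all.
$dcReachable = $false
try {
    $dc     = Get-ADDomainController -Discover -ErrorAction Stop
    $dcHost = $dc.HostName | Select-Object -First 1
    $dcReachable = Test-NetConnection -ComputerName $dcHost -Port 389 -InformationLevel Quiet
} catch {
    # Discovery failed: report unreachable and keep going.
}

# 2. When did the password last change on each side?
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties PasswordLastSet
if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }

Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
$cloudUser = Get-MgUser -UserId $UserPrincipalName `
    -Property @('id', 'lastPasswordChangeDateTime', 'onPremisesSyncEnabled')

# Graph reports UTC; AD's PasswordLastSet comes back in local time. Normalise
# before comparing, or a time-zone offset masquerades as sync lag.
$adChangedUtc    = if ($adUser.PasswordLastSet) { $adUser.PasswordLastSet.ToUniversalTime() }
$cloudChangedUtc = $cloudUser.LastPasswordChangeDateTime

# 3. Is the Entra Connect scheduler healthy? Password hash sync runs on its own
#    roughly two-minute cadence, independent of the 30-minute delta cycle, so a
#    lag of more than a few minutes points at the AD side or a stalled server.
$sched = Invoke-Command -ComputerName $ConnectServer -ScriptBlock {
    Import-Module ADSync
    Get-ADSyncScheduler
}

[pscustomobject]@{
    User                    = $UserPrincipalName
    DomainControllerReached = $dcReachable
    SyncedFromOnPrem        = $cloudUser.OnPremisesSyncEnabled
    ADPasswordLastSetUtc    = $adChangedUtc
    EntraPasswordChangedUtc = $cloudChangedUtc
    HashInSync              = ($cloudChangedUtc -ge $adChangedUtc)
    SyncCycleEnabled        = $sched.SyncCycleEnabled
    NextSyncCycleUtc        = $sched.NextSyncCycleStartTimeInUTC
}
```

Read the output in order: if DomainControllerReached is false, the change most likely never happened in AD and the helpdesk ticket is a connectivity problem, not an identity one; if AD shows a newer timestamp than Entra ID for more than a few minutes, the problem is on the sync side.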

Passwords survive because phishing survives

Despite years of training and tooling, phishing still works because:

  • It imitates trusted login flows closely enough that users cannot tell the difference
  • It exploits human behaviour rather than software flaws
  • Adversary-in-the-middle kits proxy the real login page, so they harvest the credential and the resulting session in real time and defeat any MFA that is not phishing-resistant
  • Push-based MFA can be worn down with repeated prompts (MFA fatigue)

Attackers don’t break in.
They log in.

As one of our engineers put it:

“Passwords are a consistent overhead and insecure, especially against phishing attacks.”

Resetting passwords after an incident contains that incident, but it changes nothing about the attack surface.
It just resets the clock until the next phishing email lands.

Why organisations haven’t gone passwordless yet

Everyone knows passwordless authentication is safer.
So why isn't adoption universal?

Real constraints:

  • Legacy systems still require passwords
  • Concern about user adoption
  • Misunderstanding of Microsoft’s passwordless features
  • Avoiding disruption to existing workflows
  • Limited time or expertise to modernise identity
  • Hybrid identity adds perceived complexity

So passwords remain not because they are effective, but because they feel familiar.

The case for Windows Hello for Business

For Microsoft environments, Windows Hello for Business is one of the most practical answers.

It:

  • Replaces the password at sign-in with an asymmetric key pair generated on the device, with the private key protected by the TPM
  • Is built into Windows 11 (Pro, Enterprise and Education) at no additional licence cost
  • Resists phishing by design: the PIN or biometric only unlocks the local key, never travels to a server, and is useless to anyone who does not hold the device
  • Reduces helpdesk resets, since the user resets a device-local PIN rather than a shared secret
  • Works across hybrid identity: hybrid-joined devices are supported, and for new hybrid deployments Microsoft recommends the cloud Kerberos trust model, which avoids the PKI dependency of the older key-trust and certificate-trust models

One caveat: Windows Hello for Business replaces the password at sign-in; it does not delete it. The account keeps its AD and Entra ID password until password sign-in is also disabled, so the password still has to be managed until then.

It shifts sign-in from a single shared secret the user knows
to a key the device has, unlocked locally by something the user knows (a PIN) or is (a biometric).

And in doing so, it removes the attacker's favourite entry point: a secret that can be typed into a fake page.
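Before rolling Windows Hello for Business out to a hybrid fleet, it is worth checking on a representative device that the prerequisites are actually in place. The following PowerShell is an added example, not code from the original article or from Microsoft. It reads the state that dsregcmd /status and Get-Tpm already expose; run it as the signed-in user, since the User State section of dsregcmd reflects whichever account runs it, and note that the field names are the ones those tools print today.

```powershell
# Added example: local readiness check for Windows Hello for Business on a
# hybrid-joined Windows 11 device. Uses only built-in tooling (dsregcmd, Get-Tpm).

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines grouped into sections.
    # Fold them into a hashtable; a later duplicate key overwrites an earlier one.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Test-WhfbReadiness {
    $s   = Get-DsregStatus
    $tpm = Get-Tpm   # TrustedPlatformModule module, shipped with Windows; may need elevation

    # A Hello key is only as strong as where it lives: without a ready TPM the
    # key falls back to software protection, which is the first thing to flag.
    $hardwareBacked = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']    # YES on a hybrid device
        AzureAdJoined = $s['AzureAdJoined']   # YES once hybrid join has completed
        AzureAdPrt    = $s['AzureAdPrt']      # the user holds a Primary Refresh Token
        TpmReady      = $hardwareBacked
        HelloKeySet   = $s['NgcSet']          # YES once a Hello key has been provisioned
        PolicyEnabled = $s['PolicyEnabled']   # from the Ngc Prerequisite Check section (shown until enrolled)
        PrereqResult  = $s['PreReqResult']    # WillProvision / WillNotProvision (shown until enrolled)
        Ready         = ($s['DomainJoined'] -eq 'YES' -and
                         $s['AzureAdJoined'] -eq 'YES' -and
                         $s['AzureAdPrt'] -eq 'YES' -and
                         $hardwareBacked)
    }
}

Test-WhfbReadiness
```

A device that shows DomainJoined YES but AzureAdJoined NO is the "hybrid join is incomplete" case from earlier in the article: it will keep prompting for a password in cloud apps no matter what Hello policy you push, so fix the join before blaming the policy.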

The real question for leadership

If passwords:

  • are phished daily
  • create hybrid identity issues
  • drive helpdesk overhead
  • confuse users
  • and remain one of the leading root causes of breaches

Then the real question is:

Why do we still rely on them?

Security has evolved.

Threat actors have evolved.

Identity has evolved.

Passwords haven’t.

They remain the weakest link in modern environments, long after everything around them has modernised.

The shift to passwordless isn’t a trend or a theory. It is the inevitable direction of secure identity. Every organisation will make this transition sooner or later. The only real choice is whether it happens before the next compromise… or after it.

Delaying the move doesn’t reduce risk. It increases it, in ways no amount of policy, training or user awareness can fully mitigate.

Passwordless isn’t convenience.

It’s modern security.