Passwords are always a weak link in the security chain. Users continue to use passwords like:
These examples come from The Worst 25 Passwords of 2017 (Time). Even with password managers readily available, users continue to choose weak passwords. Likewise, users reuse the same password for every account. So when Yahoo’s 3 billion (NY Times) user accounts are breached, passwords and recovery-question answers included, anyone who reused those credentials on other accounts has left all of them exposed.
Login credentials are commonly sold on the dark web, and trying the same credentials against every major login service is easily automated. Reused credentials are only as strong as the least secure website they are used on, which could be a local blog you have an account with that is running an old version of WordPress with publicly known security flaws.
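As an added example (not part of the original post), the following Python flags the automated credential-reuse pattern just described in constructed login log lines: one source trying many distinct accounts with mostly failures, as opposed to repeated guesses against a single account. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
# 203.0.113.7 walks through six different accounts in a few seconds (stuffing-like);
# 198.51.100.2 retries a single account (single-account guessing, not flagged here).
SAMPLE_LOG = """\
2017-03-01T10:00:01 203.0.113.7 alice FAIL
2017-03-01T10:00:02 203.0.113.7 bob FAIL
2017-03-01T10:00:02 203.0.113.7 carol FAIL
2017-03-01T10:00:03 203.0.113.7 dave OK
2017-03-01T10:00:04 203.0.113.7 erin FAIL
2017-03-01T10:00:05 203.0.113.7 frank FAIL
2017-03-01T10:05:00 198.51.100.2 alice FAIL
2017-03-01T10:05:10 198.51.100.2 alice FAIL
2017-03-01T10:05:30 198.51.100.2 alice OK
"""


def parse_log(text):
    """Parse the assumed 'ts ip user result' format into (datetime, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5),
                             min_users=5, max_success_ratio=0.5):
    """Return {ip: sorted distinct usernames} for sources that, within any
    sliding window, tried at least min_users distinct accounts with a low
    success ratio. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = defaultdict(set)
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[ip].update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}
```

Each flagged source is a candidate for rate limiting or step-up authentication, and the successful login inside the flagged window (dave) is the account to review first.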
Is the solution to eradicate passwords completely?
At RSA a few weeks ago, Google demoed an online purchase using a fingerprint and PayPal. Microsoft demoed making an online purchase using its Windows Hello feature, which recognizes your face through a webcam scan, and PayPal.
Fingerprints and facial recognition are not new, but using those physical attributes to pay for website transactions is. The Fast Identity Online (FIDO) Alliance said 81% of all data breaches in 2016 involved weak or stolen passwords.
These demos are still not ready for production, and FIDO’s 2.0 specification has yet to be adopted. In the meantime, keep improving your password strength, but be prepared for a future that includes biometric authentication.