The password is still 123456
Every year, security researchers publish the same list. Every year, the same passwords top it. In 2025, NordPass confirmed that "123456" claimed the number one spot globally for the sixth time in seven years. Comparitech's leak analysis found it appearing 7.6 million times in breached datasets. Nearly 39% of the top 1,000 passwords contain the sequence "123." We live in an era of passkeys, biometric authentication, hardware security keys, and AI-powered threat detection. And yet the most popular credential on the internet is six digits that a toddler could guess. This isn't a technology problem. It's a human one.
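The practical counterpart to these lists is screening at the moment a password is chosen, which is what NIST SP 800-63B calls for: reject anything on a known-weak list or already present in breach corpora, instead of imposing composition rules people route around. The following is an added example, not code from this page or from NordPass, Comparitech or any other organisation cited here. The blocklist and the breach counts are constructed stand-ins, and the range lookup only imitates the k-anonymity protocol used by breach-check services (send the first five hex characters of the password's SHA-1, compare the 35-character suffixes locally) against an in-memory table rather than a network endpoint.

```python
import hashlib
import unicodedata

# Constructed sample of a "most common passwords" list. The real lists are far
# longer; this is just enough to exercise the check.
TOP_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "password123",
    "qwerty", "111111", "abc123", "iloveyou", "admin",
}


def normalize(password: str) -> str:
    """Fold case and Unicode form so 'Password123' and 'PASSWORD123' hit the same entry."""
    return unicodedata.normalize("NFKC", password).casefold()


def in_blocklist(password: str) -> bool:
    return normalize(password) in TOP_PASSWORDS


def has_digit_run(password: str, min_len: int = 3) -> bool:
    """True if the password contains a monotonically ascending or descending
    run of adjacent digits of at least min_len (123, 1234, 321, ...)."""
    run, direction = 1, 0
    for prev, cur in zip(password, password[1:]):
        if prev.isdigit() and cur.isdigit() and abs(ord(cur) - ord(prev)) == 1:
            step = ord(cur) - ord(prev)
            run = run + 1 if step == direction else 2  # a change of direction restarts the run
            direction = step
        else:
            run, direction = 1, 0
        if run >= min_len:
            return True
    return False


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix a client would send
    to a range endpoint and the 35-char suffix it compares locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated, as range endpoints return them)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def build_sample_range_responses() -> dict[str, str]:
    """Constructed stand-in for a range endpoint: prefix -> response body.
    The counts are made up for illustration, not real breach statistics."""
    seen = [("123456", 7_600_000), ("password", 3_700_000), ("qwerty", 1_100_000)]
    buckets: dict[str, list[str]] = {}
    for pw, n in seen:
        prefix, suffix = sha1_prefix_suffix(pw)
        buckets.setdefault(prefix, []).append(f"{suffix}:{n}")
    # One unrelated suffix per bucket, so a lookup must match a suffix rather
    # than merely find a non-empty bucket.
    for prefix in buckets:
        buckets[prefix].append("0" * 35 + ":1")
    return {p: "\r\n".join(lines) for p, lines in buckets.items()}


SAMPLE_RANGE_RESPONSES = build_sample_range_responses()


def breach_count(password: str, responses: dict[str, str] = SAMPLE_RANGE_RESPONSES) -> int:
    """How many times the password appears in the (sample) breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(responses.get(prefix, "")).get(suffix, 0)


def screen_password(password: str, min_length: int = 8,
                    responses: dict[str, str] = SAMPLE_RANGE_RESPONSES) -> list[str]:
    """Return the reasons a candidate password should be rejected; empty means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if in_blocklist(password):
        reasons.append("on the common-password blocklist")
    if has_digit_run(password):
        reasons.append("contains a sequential digit run such as 123")
    n = breach_count(password, responses)
    if n:
        reasons.append(f"seen {n:,} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "PASSWORD123", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate) or ["ok"])
```

The point of the prefix/suffix split is that the server only ever sees five hex characters, which identify a bucket of hundreds of hashes rather than one password; the client does the final comparison. A real deployment would swap the in-memory table for the HTTP range call and keep the rest unchanged.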
The gap between available and adopted
The tools to eliminate passwords already exist. Passkeys, the FIDO Alliance's password replacement built on the FIDO2/WebAuthn standards, have gone mainstream. According to FIDO Alliance data from 2025, more than one billion people have activated at least one passkey. Over 15 billion online accounts now support passkey authentication. 48% of the top 100 websites offer passkeys, more than double the figure from 2022. The performance difference is staggering. Passkeys achieve a 93% login success rate compared to 63% for traditional passwords. Google reports that passkey sign-ins are four times more successful than password-based ones. TikTok saw a 97% success rate with passkey authentication. And yet, here we are. "123456" still reigns. The gap between what's available and what's adopted is the real security story. The technology moved. Humans didn't.
Convenience always wins
Researchers at Miami University published a study in Behaviour & Information Technology examining the psychology of password management. Their findings were unsurprising but important: users know what constitutes a good password. They know which practices are risky. They do it anyway. The reason is the convenience-security tradeoff. People don't see immediate negative consequences from weak passwords. The breach feels abstract and distant. The friction of a strong, unique password feels immediate and real. When forced to choose between a 20-character random string and "password123," the limbic system wins almost every time. This pattern extends beyond passwords. Every security feature that adds friction gets circumvented. Two-factor authentication? Users leave it off whenever it's optional. Password managers? Only about 30% of people use one. VPNs on public Wi-Fi? Almost nobody bothers. The pattern is consistent: if security requires an extra step, most people skip it. 47% of consumers will abandon a purchase entirely if they forget their password. That's not a security statistic, that's a revenue statistic. And it tells you exactly how much friction people are willing to tolerate: almost none.
The enterprise illusion
Companies spend enormous sums on cybersecurity. The global market is projected to surpass $200 billion in 2026. Enterprises deploy firewalls, endpoint detection, SIEM platforms, zero-trust architectures, and dedicated security operations centers. Then an employee clicks a phishing link. According to a widely cited figure from multiple cybersecurity analyses, 90% of all cyber incidents are the result of human error or behavior, whether that's weak passwords, falling for phishing, or misconfiguring a system. Hoxhunt's 2026 Phishing Trends Report found a 14x end-of-year surge in AI-generated phishing attacks. The Anti-Phishing Working Group tracked 3.8 million phishing attacks in 2025 alone. The weakest link is always the person clicking. You can build a vault with walls of titanium, but if someone props the door open with a shoe, it doesn't matter how thick the walls are.
AI vs. AI, an arms race with no finish line
Gartner identified preemptive cybersecurity as one of its top strategic technology trends for 2026. The idea: instead of detecting and responding to breaches after they happen, use AI and machine learning to anticipate and neutralize threats before they materialize. Gartner predicts that by 2030, preemptive cybersecurity will account for 50% of IT security spending, up from less than 5% in 2024. It sounds compelling. But there's a catch. AI isn't just defending, it's also attacking. AI-crafted phishing lures show markedly higher user engagement in tests, according to Microsoft's threat data. Phishing-as-a-service operations like Tycoon 2FA generated over 60% of Microsoft-blocked phishing in mid-2025, pumping out more than 30 million malicious emails in a single month. This is an arms race where both sides have the same weapon. AI defending against AI-powered attacks creates an escalation cycle with no natural equilibrium. Every improvement in detection gets matched by an improvement in evasion. The sophistication ceiling keeps rising, but the human at the keyboard remains the same. Meanwhile, Gartner also warns about the rise of "rogue" AI automations. No-code and low-code tools are enabling autonomous AI agents that organizations can't fully monitor. The attack surface isn't just growing, it's becoming harder to see.
Preemptive security still needs humans
The preemptive cybersecurity narrative is seductive. Why detect breaches when you can prevent them? Predictive threat intelligence, automated moving target defense, advanced deception technologies, all designed to stop attacks before they start. But prevention systems still need humans to configure them correctly. They need humans to maintain them. They need humans to interpret their outputs and make judgment calls. And those humans still pick "123456" as their password. Proton's 2026 Data Breach Observatory has already tracked 59 breaches exposing 97.7 million records in just the first months of the year. Since 2025, hundreds of millions of records have been found trading on the dark web for as little as $10. The breaches keep coming, not because the technology failed, but because somewhere in the chain, a human made it easy.
We don't actually want security
Here's the uncomfortable truth: we don't want security. We want the feeling of security with the convenience of no security. We want the padlock icon in the browser without having to remember a complex password. We want the notification that our account is "protected" without enabling the protection. We want the illusion of safety without any of the cost. This isn't laziness, exactly. It's rational behavior in an irrational system. The cost of good security (friction, time, cognitive load) is paid immediately and personally. The cost of bad security (a breach, identity theft, financial loss) is paid later, maybe, and feels like someone else's problem until it isn't. Psychologists call this temporal discounting, the tendency to prefer smaller, immediate rewards over larger, delayed ones. Security is the ultimate delayed reward. Nothing bad happens today when you reuse your password. The breach might come in six months, or never. The brain isn't built to optimize for threats that abstract.
The only security that works is the kind you don't notice
If humans consistently choose convenience over security when given the choice, the answer might be to remove the choice. Nudge theory, popularized by Richard Thaler and Cass Sunstein, has proven this in domains far from cybersecurity. Countries with opt-out (presumed-consent) organ donation policies have far higher registered-consent rates than opt-in countries. Companies that auto-enroll employees in retirement savings plans see participation rates above 90%, compared to around 60% for opt-in plans. The default matters more than the option. Apply this to security: passkeys that just work without requiring users to understand cryptographic key pairs. Browsers that auto-generate and store passwords without asking. Operating systems that enable full-disk encryption by default. Two-factor authentication that's on unless you actively dig through settings to turn it off. Apple's approach to iMessage encryption is instructive. End-to-end encryption is simply on. Users don't choose it, configure it, or even think about it. The result is that billions of messages are encrypted every day by people who couldn't define "end-to-end encryption" if you asked them. (The default has edges: a message that falls back to SMS is not end-to-end encrypted, and copies in an iCloud backup are only covered once Advanced Data Protection is enabled. That is the trade a good default makes: it protects the common path without asking.) That's what successful security looks like.
Make the secure choice the default choice
The pattern is clear. When security is opt-in, people opt out. When security requires effort, people skip it. When security adds friction, people find workarounds. The most effective security improvement of the next decade won't be a new algorithm or a better AI model. It will be making the secure option the default and removing the need to choose at all. Auto-enroll users in passkeys. Pre-configure devices with encryption enabled. Make phishing-resistant authentication the path of least resistance, not the path of most effort. The password "123456" isn't a failure of awareness. Everyone knows it's a bad password. It's a failure of design. We keep building systems that let people choose the worst option, then act surprised when they do. The best security feature ever invented might just be the one that removes the choice entirely.