June 4, 2025
October 28, 2025

The Security Industry’s Most Profitable Product: Why Nobody Wants to Kill the Password

The Unspoken Truth About Passwords and Friction

Let’s be honest. We’re all exhausted by passwords. They’re clunky, you forget them at the worst possible moment, and they're the single biggest point of failure in 90% of breaches. Every security vendor, including us, pays lip service to "eliminating the password" with Passkeys, biometrics, or whatever the latest shiny object is.

But here’s the uncomfortable truth (the one that will get me uninvited from every CISO golf outing): The password is the security industry’s most profitable feature. It’s not a bug. It’s the engine of a multi-billion-dollar economy (2.74B in 2024 and growing at a 15.8% CAGR).

It functions as a scarcity model.

If you want to learn more about this topic, join our 30-minute webinar on November 5th at 10 a.m. Eastern: https://www.blastwave.com/webinar/passwordless-industrial-mfa

How Scarcity Justifies Complexity

Think about it:

  1. The Password Creates the Limited Resource: A password, by its nature, creates an exclusive, "secret" resource: access. Because that secret is inherently weak (users write it down, reuse it, or choose "password123"), it introduces measurable, undeniable risk into the system.
  2. The Risk Justifies Complexity: This single point of failure (the password) is the foundation upon which every subsequent, layered security control is built. Why do you need expensive solutions? Because the password failed!
    • Password Managers? Necessary because people suck at remembering passwords.
    • MFA/2FA? Necessary because passwords are easily stolen.
    • Identity Governance? Necessary because the password grants too much access initially.
    • SIEM/SOAR/Breach Response? Necessary because, eventually, the password will fail, and you need cleanup.

The entire "complexity budget" of IT security (the one that generates huge enterprise contracts) is a direct response to the inherent, non-solvable failure of the password.

If you could eliminate the password and replace it with a truly uncrackable, non-phishable identity protocol that just works, the complexity budget shrinks to zero.

Zero Trust Doesn't Need Passwords (And That's the Problem)

The industry talks about Zero Trust as a goal, but what does Zero Trust really mean? It's about moving from implicit trust (trusting the password/network) to explicit verification (trusting nothing, verifying everything).

In a truly frictionless, passwordless world, access is simplified, cheap, and easy to manage because identity proofing is cryptographically verifiable and tied to the user's device/biometrics.

The paradox? An effective, cheap, true Zero Trust solution that eliminates the password removes the need for all the expensive layers built to mitigate the password's shortcomings.

The security industry, therefore, is subtly incentivized to keep the password alive, even in its "passkey-enhanced" form. They'll solve the front-door problem just enough to look good on the quarterly earnings call, but they need the "lateral movement" problem (the complexity that stems from poor initial access controls) to remain confusing and expensive.

My Takeaway: Buy Simplicity, Not Scarcity

At BlastWave, our job isn't to sell complexity; it's to sell simplicity. We believe the real security win is reducing the attack surface by reducing the number of moving parts that can fail.

Until the industry is ready to admit the password is its greatest financial asset, the only way to break the cycle is to deploy solutions that simply refuse to participate in the scarcity model. Look for solutions that are identity-centric, cryptographically robust, and, most importantly, reduce your need for five other tools.

Don't buy the complexity they're selling. Buy the simplicity that actually keeps you safe.

— Cam Cullen, CMO, BlastWave
