Complex passwords aren't good enough

There was a wonderful "2024 State of Passwordless Identity Assurance Report" published by HYPR | The Identity Assurance Company recently. Call-outs:

• Almost four in ten (39%) experienced phishing attacks; identity impersonation struck 28% of organizations, while push notification exploits were the fifth most common vector at 26%.
• More than two-thirds (69%) were breached via authentication processes, unsurprising considering most employees use four different types of authentication methods.
• 78% experienced identity fraud, with over half falling victim multiple times, costing an average of $2.78 million.

From the official Certified Information Systems Security Professional (CISSP) Study Guide, 9th Ed, page 703, "Passwords are the weakest form of authentication, and there are many types of password attacks."

NIST SP 800-63B designates that secure passwords:

• should not expire (because we're terrible at selecting new passwords)
• should not contain special characters (because special characters rarely confuse scripts anymore these days, and provides a hint about the password content)
• are at least 8 characters long (but preferably longer, since shorter ones are often easier to crack)
• are not "password" "123456" "11111111" (thank heavens for that)

Unfortunately, most systems still use outdated password policies that are now considered insecure:

• Passwords expire after 60/90 days (and catch us off guard, which is why we hastily select a worse password than the initial one)
• Must be at least 15 characters (which at least helps with complexity, but we should be using multiple word passphrases to achieve this, not passwords)
• Must have one uppercase letter, one lowercase letter, one number, (which make the password more predictable) and one special character of a select list of - _ + ! * ? . , (so as not to upset the scripts that actually handle passwords behind the scenes, which are more fragile than the attackers')

The newer guidelines are an improvement, but provide a false sense of security when using a method of authentication that is still incredibly insecure.

The best solution should be to get rid of the password entirely and use something more secure. There are many better solutions than passwords available from HYPR | The Identity Assurance Company , Yubico , 1Password , and many others that are easier to use and yet harder to crack. "More than two-thirds (69%) were breached via authentication processes" - surely there should be motivation to fix this?