Passwords provide a false sense of security for both users and the companies who demand them. The password requirement to protect the user (and ultimately sensitive company data), creates an entirely new frontier, both from a security perspective and for criminal activity.
Passwords are the simplest go-to for system security and are the weakest link in the cybersecurity chain. Criminals know passwords are often the only thing between them and massive amounts of data they can sell for a profit in the underground. Password breaches lead threat actors to a cache of information that generates anywhere from a few dollars to thousands per breach.