Exclusive: LastPass CEO warns password industry must evolve
The password is dying, and the security industry is racing to keep up.
In an exclusive interview during his visit to Australia, LastPass Chief Executive Officer Karim Toubba said the entire industry is being forced to rethink how it protects users.
"The password management space has always been critical, but the industry has had to evolve," he told TechDay. "Seventy-five per cent of credentials are actually reused because it's the easiest way to remember them, and attackers know it."
That reuse, he warned, is what fuels many of today's breaches.
"Attackers are savvy now. They'll go to the path of least resistance, take usernames and passwords from one site, and run them against banks. They get a pretty big hit rate," Toubba said. "This is why we have to fundamentally change the model."
From vaults to passwordless
For years, password managers were the frontline defence - storing long, unique passwords inside secure vaults.
But Toubba said simply managing passwords is no longer enough in an era of automation, credential stuffing and AI-powered attacks.
"The industry started with password managers to give users a way to have strong, unique passwords, but the next evolution is passwordless," he said.
"With passkeys, you don't have to remember anything, the authentication is cryptographically tied to you and protected by your device and biometrics. Once you get the flow right, it allows the user to never have to remember a password."
This pivot, he said, isn't optional.
"A vast majority of attacks start with the identity," he explained. "That requires us to rethink how we view the user, not just at the business level but at the consumer level. It's a huge opportunity to strengthen authentication while making the experience seamless."
Shadow IT is the new frontline
Industry change is being accelerated by another force: the explosion of shadow IT and shadow AI.
Employees are bringing unsanctioned applications into organisations faster than IT teams can keep up.
"We saw that we were already storing usernames and passwords in the vault, but organisations had no visibility into what those apps were," Toubba said. "Somebody in marketing might swipe a credit card to bring in a new AI tool to run campaigns, and suddenly your data is in a system you didn't approve."
LastPass's answer is a new SaaS Monitoring capability, launching this month, and SaaS Protect, which went live in August. Together, they give businesses a real-time view of every app being used, how staff are logging in, and whether those logins are secure.
"For the first time, we can give organisations the full picture - what apps they're using, who's using them, and how they're authenticating," Toubba said.
"That visibility is what lets security teams get ahead of the problem, not just react to breaches."
Lowering the barrier for businesses
The pressure to evolve is hitting businesses of every size, not just big banks with deep security budgets. "We met with a customer yesterday that had 3,000 people and only five in security," Toubba said.
He argues that security must be made as frictionless as possible. "It's not just about building technology - it's about pricing and packaging it so businesses can afford it, and making it simple to implement," he said. "The only thing an administrator has to do is configure the policy, which literally takes about three minutes."
User experience is just as crucial. "The reason people reuse passwords is because it's easy," Toubba said.
"Our challenge as vendors is to build security that's both stronger and easier to use."
The Australian opportunity
Australia, he said, is positioned to lead the shift to passwordless authentication.
LastPass has been investing in its local presence for seven years and is now expanding its commitment to the region. "Ninety-two per cent of IT leaders say passkeys will improve their security posture," Toubba said.
"That level of awareness is critical to driving adoption."
The future of identity
Toubba believes the industry is at an inflection point - one where the lines between password management, authentication, and identity security are blurring.
"There are quite a few password managers in the market, but we recognised a couple of years ago that the world has changed drastically," he said.
"The future of identity is about tying the user to the application, strengthening authentication, and providing visibility and control - all delivered seamlessly."
He also warns that attackers are not slowing down, and neither can the industry.
"With enough time and pressure, you can solve a problem," Toubba said. "The more random and complex your password or passphrase is, the more likely attackers will give up and go somewhere else."