PayPal says crooks poked around 35,000 accounts in credential stuffing attack

This report says “That passwordless option is looking really good right about now” — Well, they seem to have forgotten that WHAT IS REMOVED CANNOT SERVE.

“What is removed can never be attacked” is true, and “what is removed can never serve” is also true. The latter is often forgotten. Soldiers and passwords that are not there, and therefore can never be attacked, would never be able to serve.


You are invited to spend several minutes on “How to not see our weak digital identity further weakened”



We have published a one-stop reference paper on the security effects of removing the password from digital identity.

Besides our most comprehensive dissection of the ‘passwordless’ misperception, it also takes up such related topics as:

- Unable to Serve

- Pseudo-MFA

- False Sense of Security

- Cybersecurity Professionals

- Digital Dystopia

- Quasi-Passwordless Schemes

- Where ‘Passwordless’ schemes could be supported

- FIDO Initiative

“How to not see our weak digital identity further weakened”



We often hear ‘xxxx-fatigue’ these days. ‘Password Fatigue’ is one of them.

Well, there could be two approaches to coping with this fatigue problem.

One is to throw away the password and give up the security somehow provided by the password. This is what ‘passwordless’ and ‘biometrics’ authentication schemes are supposed to be achieving, well, to the delight of criminals.

Another is to promote a ‘Fatigue-free’ Password System. This is what we are achieving with the Expanded Password System, powered by citizens’ non-volatile episodic memory. Say, from ‘Password Fatigue’ to ‘Fatigue-free Password’.

Ref: “Power of Citizens’ Episodic Memory”

Thanks to Jim Angleton for inspiring me.



Hitoshi Kokumai

Advocate of ‘Identity Assurance by Our Own Volition and Memory’, Inventor of Expanded Password System and Founder of Mnemonic Identity Solutions Limited in the UK.