Here is an interesting article by Microsoft about passwords as an attack surface.

https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Your-Pa-word-doesn-t-matter/ba-p/731984

TLDR: Make your users use 2FA (this can include Windows Hello/Biometrics).