World Password Day, observed on the first Thursday of May, is a global reminder of just how critical strong password habits are in today’s digital world. With cyber threats continuing to evolve, this day encourages everyone, from individuals to large organizations, to take a closer look at how they protect their online identities.
To mark the occasion, several cybersecurity experts shared their insights on the current state of password security, the challenges we face, and what steps we can all take to stay safer online.
Tony Ball, President, Payment & Identity, at Entrust
For decades, passwords have been the weak link in cybersecurity – outdated, overused, and increasingly ineffective. But now, organizations are making a clear shift. Multi-factor authentication and sign-in links have emerged as the primary methods for user authentication across the US, UK, and globally, overtaking passwords.
This step change comes as over half of business and IT decision-makers report higher fraud attempts with username and password alone compared to other methods. We’re at a cybersecurity inflexion point: passwords are no longer sufficient. Modern, layered authentication methods, such as facial biometrics, device recognition, or generated codes, are stepping in.
Rather than forcing users to create longer, more complex passwords, organizations should embrace a passwordless future—one where customers and employees can prove their identity conveniently and securely using their biometrics. This approach reduces risk, streamlines access, and meets the expectations of today’s digital-first users.
Dray Agha, Senior Manager of Security Operations at Huntress
World Password Day is a good time to ask how your teams are really managing their passwords. Believe it or not, we still see people saving passwords in plain text files on their desktops, often with filenames like My Passwords. It might sound laughable, but it’s surprisingly common. Sometimes it comes down to a lack of awareness, but often it’s just people feeling overwhelmed by the sheer number of passwords they’re expected to remember. We understand.
Employees juggle dozens, sometimes hundreds, of logins. But these shortcuts create serious vulnerabilities. The recent trend of emoji-based passwords might seem like a clever fix, but they’re more novelty than solution. Many systems don’t support them, and they don’t actually improve security. For real protection, businesses should start by implementing password managers, enabling multi-factor authentication (MFA), and conducting engaging security awareness training. However, even those aren’t foolproof, as hackers are using infostealers to grab credentials, session cookies, and access tokens in seconds, allowing them to bypass endpoint security and weak MFA.
As a result, businesses need an identity threat detection and response (ITDR) solution that shuts down identity-based threats like account takeover, Adversary-in-the-Middle (AitM) attacks, and business email compromise (BEC). With identity-based attacks becoming one of the most common and damaging threats, strong password management is no longer optional. Weak or poorly managed passwords give attackers an easy entry point, undermining even the most robust security measures. By prioritizing smarter password habits and pairing them with security solutions like ITDR, businesses can take control of their identity security before hackers do.
Thomas Richards, Infrastructure Security Practice Director at Black Duck
Using passwords to authenticate users will continue to be the main way to authenticate for the foreseeable future. Authentication mechanisms are further strengthened by the use of multi-factor authentication to validate that the intended user, and not an imposter, is trying to access the system. What we’re seeing lately is organizations shifting to identity management systems to reduce the instances where a user needs to re-enter their password, as long as they are authenticated properly.
Password managers offer a convenient and secure way for people to store their passwords. Following good password hygiene, it is best to use a different and complex password whenever possible. It’s just not feasible for most people to remember all these passwords, so the password manager is a great resource. However, now password managers are becoming the target for malicious actors since they store all the sensitive information needed to compromise an account. Password manager developers should perform targeted penetration tests and red team activities against the software, along with any supporting infrastructure. Threat modeling activities should also be performed so that these developers can get an understanding of how their platform or software can be attacked. Users should also enable MFA whenever and wherever possible to add an additional layer of security to their accounts.
Kelvin Lim, Senior Director, Head of Security Engineering at Black Duck
Passwords have changed significantly throughout the years. In past years, we have seen an increased adoption of Password Managers and Multi-Factor Authentication (MFA). Password Managers are becoming increasingly popular, enabling users to create and save complicated passwords for several accounts. MFA adds additional verification processes to passwords and can take the form of one-time pins, authentication applications, or biometric data. In addition to the increased use of the techniques mentioned above, password storage and hashing have become more secure through the use of advanced hashing algorithms to counter more capable cracking tools.
Phishing-resistant authentication will become the standard. Most major operating systems currently support passkey authentication. Apple has supported passkeys since iOS 16 for iPhones and macOS Ventura for Macs. Google rolled out passkey functionality for Chrome on Android, Windows, and macOS. We expect to see greater passkey adoption in the coming years as Microsoft, Apple, and Google continue to encourage user adoption as we progress towards a passwordless future.
In the US Federal Government Zero Trust strategy, agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernise their authentication systems.
The key benefits of passkey over passwords include:
Improved Security: Passkeys offer a strong defence against phishing vulnerabilities. Unlike passwords or passphrases, they cannot be guessed, reused, or stolen, making them highly resistant to phishing attacks.
Simplified Accessibility: Logging in with a passkey is quick and user-friendly. Methods like facial recognition, fingerprint scanning, or PIN ensure a hassle-free experience.
Enhanced Protection from Breaches: Passkeys eliminate risks associated with server-stored passwords. Even during a data breach, hackers cannot access passkeys.
Advancing a Password-Free Digital World: Passkeys support the vision of a future without passwords, paving the way for a more seamless and secure online experience.
Having stated the above, passwords are not going away soon, as it will take time for websites and applications to support passkey authentication. In the interim, we will continue to see passwords increasingly supplemented by other forms of authentication, such as biometrics and MFA.
Boris Cipot, senior security engineer at Black Duck
There have been several advancements in the field of authentication in recent years. However, passwords remain the most widely used solution. The reason is that passwords are the simplest and most cost-effective authentication solution to implement. It is also one of the easiest methods for end users to use. It is, however, also the one security method that is most often misused and insecure if used incorrectly. I would also add PINs to the password bucket, even though the safeguards around PINs (locking the system if entered wrong three times, for example) are stricter than with passwords.
There is a sea of possibilities, including biometrics and various other trendy MFA options available in the market. The key to it all is that it must be affordable, easily adopted, and user-friendly technology. It may take some time before we see actual changes to how we use passwords; however, we are already seeing a push to use MFA. Banks, for example, are enforcing the use of alternative methods of authentication, like external tokens or authenticator apps. Service providers like Microsoft and Google are also on the path to making passwords extinct. Many gaming platforms are also requesting the use of MFA. These are all organizations and markets that have already suffered from weak security implementations and are now enforcing a higher level of security.
Other organizations that have yet to experience a catastrophe may take time to change their mindsets about enforcing alternative methods of authentication, or hopefully, the new trend of using alternatives will take the upper hand. Time will tell. Unfortunately, there are still too many services that rely only on passwords. Some platforms that propose using MFA may not enforce it. This means that many accounts are still vulnerable to exploitation due to the wrong use of passwords (such as reuse or easy-to-crack passwords).
Unfortunately, there have not been any significant changes to passwords in the last year. One main difference we see is increased awareness of password managers. Google, for example, even promoted this functionality on TV to get more people to use Chrome to create and save their passwords. Although this was a good marketing promotion for Chrome, it was also a good way to communicate awareness that there is a solution that can help with safer password creation and usage.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4
World Password Day is a timely reminder that, while they’re just the starting point, strong password practices remain critical for individuals and organizations that still rely on them as a frontline defence. Despite advancements in MFA and biometrics, passwords play a central role in digital security. When weak or reused passwords are in use, they create serious vulnerabilities, allowing attackers to compromise accounts, steal data or funds, and move laterally across networks with potentially devastating consequences. Therefore, when it comes to passwords, it is more important than ever to leverage smarter, more proactive habits that genuinely reduce risk and improve overall security hygiene.
Martin Kraemer, Security Awareness Advocate at KnowBe4
Encourage passphrases or random, long passwords: Longer is stronger. Simple yet lengthy passphrases are often more secure and easier to remember than short, complex passwords.
Use password managers: These tools reduce the burden on users and help ensure every account has a unique, secure password.
Enable Multi-Factor Authentication (MFA): Adding a second layer of verification, like a code, biometric scan, or hardware token, can prevent credential-based attacks.
While password best practices are foundational, they’re just one part of a much bigger picture. Security isn’t just a technical issue—it’s a shared responsibility. Days like World Password Day are a great opportunity for organizations to re-engage employees, revisit policies, and remind everyone that strong authentication habits protect not just individual accounts but the organization.
Darren Guccione, CEO and Co-Founder at Keeper Security
In an era where data breaches are more frequent and sophisticated than ever, password sharing remains one of the most underestimated threats to cybersecurity. Whether colleagues pass around login credentials for convenience or teams use a single shared password for a tool or platform, this practice creates serious blind spots. Recent research reveals that 52% of enterprise IT teams struggle with frequently stolen passwords, while additional research shows that three in four consumers risk being hacked due to poor password practices. When credentials are shared insecurely, accountability is lost, audit trails disappear, and organizations are left vulnerable to accidental and malicious misuse.
The issue becomes even more critical in hybrid and remote work environments, where distributed teams often fall into the trap of ‘quick fixes’ for access, like emailing passwords or storing them in unsecured documents. These shortcuts increase the risk of external breaches and open the door to insider threats. Without strict controls and visibility, businesses may never know who accessed sensitive systems, or when.
A password manager is essential for upholding robust password policies across an organization. It helps ensure that employees generate and use strong, unique passwords for every system, application, and website they access. It also facilitates the use of secure two-factor authentication methods, like authenticator apps, to better defend against remote attacks and data breaches. With a password manager, teams can share passwords securely through shared folders, time-limited access, and self-destructing records, promoting safe and secure cybersecurity without compromising productivity.
Beyond technical safeguards, companies must also invest in building a culture of cybersecurity awareness. This means regularly educating employees about password-related risks, such as choosing weak passwords or reusing the same credentials across platforms. Ongoing training sessions explaining the dangers of password sharing, combined with phishing simulations, can reinforce good habits and highlight potential vulnerabilities before they become serious threats.
This World Password Day, let’s move beyond convenience and commit to a safer, more responsible way to manage access.
Catarina Santos, Data Protection Expert at Data Protection People
Passwords are like toothbrushes – you use them every day, and you shouldn’t share them. On World Password Day, it’s a good reminder that while giving a loved one your login might feel harmless, it can actually open the door to serious security risks. Even someone you trust might reuse passwords, fall for phishing scams, or have malware on their device, and suddenly, your accounts are at risk too.
Of course, there are times when sharing is necessary, like in emergencies or for family streaming accounts, but even then, it’s best to use a password manager rather than sending details over text or email. Think of passwords as the keys to your digital life. You wouldn’t hand your house keys to just anyone, so treat your online security the same way. Using strong, unique passwords and enabling multi-factor authentication are small habits that make a big difference in protecting your data.
Jon Fielding, Managing Director for EMEA at Apricorn
Poor password management can allow attackers to guess or steal user credentials before putting them up for sale on the black market. Those login details can then be used for credential stuffing attacks to access and take over online accounts and to carry out fraud. Yet despite the risks, more than a quarter of businesses (27%) still don’t have a password policy compelling users to set a strong password, according to the Cyber Security Breaches Survey 2025, even though this is considered basic cyber hygiene.
For those businesses that do have a password policy in place, it’s imperative that the user is required to set a complex password, i.e., of a sufficient length and containing a variety of characters and a mix of upper and lowercase letters. However, it’s no longer the case that this should be changed on a regular basis, and this can even be counterproductive. Frequent password resets can frustrate users and lead to them making small changes to the original password or making it easier to remember and therefore brute-force.
Thankfully, password managers that can generate unique passwords for us are now much more widespread and are integrated into numerous browsers. These have also driven down the problem of password reuse, whereby the same password is used for multiple accounts. But our dependency on these password managers does, of course, run the risk of them being attacked, so it’s important to safeguard access. In addition to a strong master password, the password manager should also be protected using a secondary measure such as two-factor authentication (2FA).
Many businesses neglect the password protection afforded to their peripherals, instead focusing on the usual endpoints, i.e., desktop, laptop, and mobile phone. External hard disk drives or even USB sticks should be encrypted and password protected, and where users are allowed to use their own personal peripheral devices, these requirements should be specified in the acceptable use policy. Protecting these devices in this way ensures that if they do get lost or fall into the wrong hands, they will remain unreadable.
Numerous occasions have predicted the imminent death of the password, with passkeys and biometrics attempting to usurp it. However, the humble password continues to be the primary way many of us protect our data and is likely to remain so for years to come, bolstered by additional security such as multi-factor authentication and zero trust.
Nadir Merchant, General Manager, IT Operations Suite at Kaseya
Make passwords more secure: Instead of frequently rotating shorter passwords, it is actually more secure to use much longer passwords, for example, phrases of 50-70 characters with numbers and special characters incorporated, too. The problem with rotation is that it causes people to forget their passwords, which means they tend to write them down, creating security holes. Phrases are much easier to remember. And a long, simple password is harder for attackers to brute force than a short, complex password.
Embrace multi-factor authentication: Authenticators are becoming commonplace, and many vendors require MFA. Using push MFA through an authenticator is a more secure way of doing 2FA as it requires the user to verify their identity by receiving a push notification to a separate device, usually their registered mobile phone. On the other hand, 2FA tools that are built into the browser defeat the purpose of 2FA; if somebody has access to your computer or compromises your computer, they’re going to get access to your temporary one-time passcode (TOTP) the same way. Authentication needs to be kept separate on different devices.
Use password managers: It is critical for companies to have a properly secured password manager application with two-way encryption. This helps users securely generate and store strong, unique passwords. Having a mechanism to share passwords safely is also essential – passwords should never be shared with others via messaging services or email.
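Both Jon Fielding (complexity rules, no forced rotation) and Nadir Merchant (long phrases beat short complex passwords) make a claim about search space that can be checked with arithmetic. The following Python is an added example, not code from either contributor: it models an offline attacker who knows the length and character classes used, compares a short "complex" password with a long lowercase passphrase, and also models the more honest case where the attacker knows the phrase is built from a word list. The 7776-word list size, the 10^10 guesses-per-second rate and the policy thresholds are assumptions for illustration.

```python
import math
import string
from typing import List

PUNCT_AND_SPACE = len(string.punctuation) + 1  # 32 printable symbols + space = 33


def charset_size(password: str) -> int:
    """Size of the union of character classes the password draws from, which
    is the alphabet a brute-force attacker would configure after seeing the
    policy (lower, upper, digit, symbol)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += PUNCT_AND_SPACE
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space: length * log2(alphabet). Length is
    the multiplier, alphabet size only the (logarithmic) base, which is why
    length wins."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy when the attacker knows the phrase is word_count words chosen
    uniformly from a list. 7776 is the size of a Diceware-style list (an
    assumption); five such words give about 64.6 bits."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to search the whole space at an assumed offline rate
    (1e10/s is the order of a GPU rig against a fast unsalted hash)."""
    return 2.0 ** bits / guesses_per_second


def check_policy(password: str, min_length: int = 12,
                 min_bits: float = 60.0) -> List[str]:
    """A length-first policy: no forced symbol classes, no rotation. Returns
    the list of problems (empty means the password is acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if brute_force_bits(password) < min_bits:
        problems.append(f"search space below {min_bits:.0f} bits")
    return problems


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Tr0ub4d0r&3",
               "correct horse battery staple is not my password"]:
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, "
              f"{seconds_to_exhaust(bits) / 86400:.3g} days, "
              f"problems={check_policy(pw)}")
    print(f"5 Diceware words: {wordlist_bits(5):.1f} bits")
```

The passphrase line shows the point of both contributors: 48 lowercase characters and spaces give roughly 280 bits against a character-level brute force, while the eight-character "complex" password gives about 53 bits and is exhausted in days at the assumed rate. The word-list figure is the one to quote to users, since an attacker who guesses that you used a phrase will attack it word by word.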
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.