Thursday, 1 May 2025

World Password Day: Tide turning against common password approaches?

Source: Forescout 2024 Threat Roundup report. Top 10 usernames and top 10 passwords in use globally.

Passwords, once beloved for access and authentication, seem to be falling out of favour. 

"Passwords were once the backbone of digital security, but they have become its Achilles' heel," observed Dominic Forrest, CTO iProov on the occasion of World Password Day. "This World Password Day, it's time to acknowledge that passwords alone are no longer enough. As deepfakes and AI-driven fraud evolve, verifying that a person is who they claim to be, has never been more critical in a digital-first world."

"In Singapore, '123456' remains the most commonly hacked password, appearing in over 42 million breaches. Organisations responded by demanding longer and more complex passwords, hoping to outpace attackers. But no matter how strong and complex, passwords are inherently flawed: they can be guessed, phished, or stolen. And when that happens, anyone can use them without absolute assurance of who is accessing the system," Forrest explained.

"Passwords confirm you have the code, not that you are the person behind the screen. And that's the core issue: passwords don't verify identity."

Biometrics could be the answer to the authentication challenge. Forrest suggested replacing passwords with biometrics, particularly facial verification. "Unlike passwords or devices, your face cannot be stolen or forgotten. Biometrics verify identity based on inherence: who a person is. Passive biometric identity verification with liveness detection makes it even more effortless, frictionless, secure and reliable - no cumbersome codes, no extra devices, just a swift confirmation of identity," Forrest said.

Identity was also the theme for a comment from Fabio Fratucello, Field CTO World Wide, CrowdStrike. "Today’s attackers are no longer relying on malware to break through defences. Instead, they’re exploiting stolen credentials and trusted identities to quietly slip into organisations and move laterally across cloud, endpoint and identity environments—often undetected. CrowdStrike’s 2025 Global Threat Report highlights this shift: 79% of initial access attacks are now malware-free, and access broker activity has jumped 50% year over year," he said.

"World Password Day is a timely reminder for organisations to rethink their identity security posture. That means going beyond traditional password hygiene and adopting an identity-first approach—one that applies Zero Trust principles, continuously monitors users and access, strengthens authentication with MFA and passwordless solutions, and removes unnecessary privileges. Layering in AI-driven identity threat detection and unifying visibility across endpoint, identity and cloud domains helps close the gaps attackers count on."

AI can guess your password

Takanori Nishiyama, SVP APAC Sales, Keeper Security, said that 'clever' passwords no longer work. "We’re celebrating this World Password Day (May 1) in the age of generative AI, where traditional password tricks such as substituting 'a' with '@' or adding an exclamation mark at the end don’t offer enough protection," he said. 

"Hackers today use password-cracking tools—many powered by machine learning—that can guess common patterns and character swaps in a matter of seconds, meaning that being clever isn’t secure anymore. The more we rely on predictable behaviour, the easier we make it for attackers to breach our accounts."

Nishiyama shared that Keeper Security’s 2024 Future of Defense report states that 95% of IT leaders say cyberattacks are more sophisticated than ever before, with password-related attacks ranking among the top five fastest-growing threat vectors. "To stay safe, users must practise good password hygiene by using passwords with at least 16 characters with upper and lowercase letters, numbers and special characters, and using a unique password for each account. They should also enable multifactor authentication (MFA) wherever available. 

"For both consumers and businesses, adopting a zero-knowledge, zero-trust password management system is essential in defending against phishing, credential stuffing, and other password-related threats," he said.
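The two points Nishiyama makes above, that rule-based cracking undoes character swaps and trailing symbols, and that 16+ characters across all four classes plus uniqueness per account is the baseline, can be turned into a policy check. The following is an added example, not Keeper Security's code; the common-password list is a constructed stand-in for the Forescout top-10 list the figure above cites, whose values the article does not reproduce.

```python
import re

# Constructed stand-in for a "most common passwords" list (the article's figure cites
# Forescout's top 10, whose values are not reproduced here); illustrative only.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "welcome", "letmein", "singapore"}

# Substitutions that cracking rule sets routinely reverse ('p@ssw0rd' -> 'password').
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Digits/punctuation bolted onto the end to satisfy a complexity rule ('Password1!').
TRAILING_SUFFIX = re.compile(r"[\d\W_]+$")


def candidate_forms(pw):
    """Return the plain forms a cracking rule set would try for this password."""
    lower = pw.lower()
    stripped = TRAILING_SUFFIX.sub("", lower)
    return {lower, lower.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def check_password(pw, used=()):
    """Return a list of policy findings; an empty list means the password passes.

    Policy follows the hygiene advice quoted above: 16+ characters, all four
    character classes, not a disguised common password, not reused elsewhere.
    `used` is the set of passwords already in use on the person's other accounts.
    """
    findings = []
    if len(pw) < 16:
        findings.append("shorter than 16 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    findings.extend(f"missing {name}" for name, present in classes.items() if not present)
    if COMMON_PASSWORDS & candidate_forms(pw):
        findings.append("common password once substitutions are undone")
    if pw in used:
        findings.append("reused across accounts")
    return findings


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Singapore2025!", "correct-horse-Battery-staple-42"):
        print(pw, "->", check_password(pw) or "ok")
```

Note that "P@ssw0rd!" satisfies all four character classes and still fails, because the check judges the password by what remains once the predictable decorations are removed.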

Nishiyama also suggested implementing a privileged access management (PAM) solution. "It enforces least-privilege access and empowers IT and security teams to manage sensitive credentials, secrets, and remote access more securely. In the event of a breach, PAM tools help contain the damage by limiting lateral movement within the network," he said.

Darren Guccione, CEO and Co-founder, Keeper Security, said that password-sharing at the workplace can also create vulnerabilities.

"Driven by the need to collaborate efficiently or overcome access bottlenecks, employees default to what seems easiest, resulting in the passing around of credentials via email, chat or spreadsheets. Many are simply unaware that secure, structured alternatives exist."

Guccione said informal password sharing opens the door to serious security breaches. "Weak or shared credentials are among the most common entry points for attackers, with credential theft remaining one of the leading causes of data breaches globally," he said. 

"According to research, 68% of breaches involve the human element, with the majority due to stolen or weak passwords, credentials and secrets. Even when intentions are good – whether to save time or streamline access – the result is often a tangled web of shared credentials that are difficult to track and nearly impossible to secure."

"This behaviour poses a significant security risk, highlighted by 31% of IT leaders indicating that password attacks are becoming increasingly prevalent year-on-year. This risky practice persists largely because businesses often lack formal credential-sharing protocols, dedicated IT oversight and smart cybersecurity solutions to facilitate secure sharing," Guccione added.

Don't forget about machine identities

Chern-Yue Boey, SVP, GM APJ, SailPoint, noted that machine identities also require some form of validation for access. "While human identities are validated via passwords, usernames and biometrics, machine identities require credentials such as API keys, tokens and certificates. When these credentials are poorly managed or go undiscovered, they become potential points of compromise for attackers," he said.

A 2024 global SailPoint survey revealed that nearly 70% of companies now manage more machine identities than human identities, while Gartner estimates that by 2028, a third of enterprise software applications will include agentic AI, which is expected to manage 15% of day-to-day work decisions autonomously, Boey noted. 

"Yet, 57% of organisations surveyed have reported inappropriate access being granted to non-human identities. Breaches tied to these vulnerabilities cause delays in application launches, outages, and reputational damage, demonstrating that the risks are not just security-related but operational and commercial," he said. 

"To mitigate these risks, organisations must implement advanced identity security measures and stronger credential hygiene."

According to Boey: 

- Machine credentials must be regularly rotated and revoked to prevent misuse, especially since stale and exposed credentials are common entry points for attackers. 

- Organisations must also enforce strong, unique cryptographic keys and digital certificates for all machine identities.

- They should adopt automated credential management and real-time monitoring to keep up with the scale and complexity of machine identities. 

"As for AI agents, as they operate autonomously and require access to multiple data sources and systems to function effectively, it is crucial that they are managed with the same degree of visibility, governance and control as human and machine identities," Boey added.

"To protect the digital workforce, organisations should invest in innovative identity security solutions that simplify the lifecycle management of AI agents and machine identities. This includes automated identity governance and enforcing access certifications for AI agents, and being able to track and manage every machine identity from creation to decommissioning, and governing each configured machine identity according to an organisation’s security and compliance policies. With this level of oversight, organisations can proactively address potential security risks and compliance issues, and scale to manage a growing range of identity types."

Intel created World Password Day in 2013 to raise awareness about the role good passwords play in securing our digital lives. In 2025, World Password Day falls on May 1.
