Intel publicised World Password Day in 2013 to raise awareness about the role passwords play in securing our digital lives. In 2026, World Password Day falls on May 7, and password protection continues to be a concern.
Jeramy Kopacko, Associate Field CISO Americas, Sophos, shared that Sophos analyses password breaches every year to understand user habits and password practices. "They reveal two main problems," he said:
- Passwords are weak, lacking complexity or character length
- Passwords are reused across several sites and services
"Despite heavy pushes from Apple, Google, Microsoft, CISA, and us (Sophos) encouraging stronger authentication methods, compromised credentials remain our most observed root cause in identity-related attacks last year. Attackers will take advantage of password breaches from popular sites and apps we use as consumers," Kopacko said, pointing out that attackers can easily use stolen passwords for 'spray and pray' attempts or building a dictionary of a person's password history.
Darren Guccione, CEO & Co-Founder, Keeper Security, spoke of déjà vu: "Every year, World Password Day generates the same conversation. And every year, attackers walk straight through the same open doors. Credentials remain the most exploited entry points in enterprise breaches – not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn’t just unlock an account. It hands an attacker a foothold for lateral movement, data exposure and, in many cases, full environment takeover."
Tomer Bar, Associate VP of Security Research, Semperis, noted that a 10-character password using lowercase letters, uppercase letters, digits, and special characters can still be cracked fairly easily "because very few people choose random 10-character passwords". Fifteen-character passwords are equally weak because of "memorable options like reused patterns, small variations of old passwords, predictable phrases, or popular lyrics, quotes, and memes rather than random strings".
Multifactor authentication
"Are passwords useful today? Yes, but they’re no longer enough on their own. Multifactor authentication (MFA) should be enabled wherever possible because it makes stolen or guessed passwords far less valuable," Bar said.
"If you keep using passwords, the best practice is to stop letting humans design them. Use a password manager to generate and store long, truly random passwords (20+ characters) and never reuse them; turn on MFA wherever possible so stolen passwords are far less useful; and for the few passwords you must remember, use long, unique passphrases made of random words instead of lyrics, quotes or clever patterns. The goal isn’t perfect, it’s to make attacking you so difficult and unprofitable that attackers move on to easier targets."
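The arithmetic behind Bar's two points (a random 10-character password versus a memorable 15-character one, and the case for machine-generated random-word passphrases) is easy to make concrete. The following Python is an added example, not code from the article or from Semperis; the 94-symbol printable set, the 7776-word diceware-style list size, the eight-word stand-in list and the "common word + four digits + symbol" model of a human-chosen password are all my assumptions, chosen only to show how the entropy is computed.

```python
import math
import secrets

# Constructed stand-in word list. A real generator would load a large list such as
# the EFF long list; only the list SIZE matters for the entropy arithmetic below.
SAMPLE_WORDS = ["copper", "lantern", "orbit", "velvet", "harbor", "meadow", "pixel", "saddle"]
DICEWARE_LIST_SIZE = 7776      # assumption: size of a diceware-style word list (6^5)
PRINTABLE_ASCII = 94           # letters, digits and punctuation on a US keyboard


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent, uniform picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def random_password_entropy(length: int) -> float:
    """A machine-generated password: every character is an independent uniform draw."""
    return entropy_bits(PRINTABLE_ASCII, length)


def random_passphrase_entropy(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """A passphrase of `words` words drawn uniformly at random from a list of `list_size`."""
    return entropy_bits(list_size, words)


def human_pattern_entropy(dictionary_size: int = 10_000, digits: int = 4, symbols: int = 32) -> float:
    """Assumed model of the 'memorable' ~15-character password: one common word, a few
    digits (a year or PIN) and one symbol. Search space: 10,000 common words, 4 decimal
    digits, 32 keyboard symbols. The character count is irrelevant; the pattern is what counts."""
    return math.log2(dictionary_size) + digits * math.log2(10) + math.log2(symbols)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS, separator: str = "-") -> str:
    """Passphrase from the CSPRNG (`secrets`), never `random`, whose output is predictable."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(f"random 10-char password        : {random_password_entropy(10):5.1f} bits")
    print(f"human 'Word2024!' style pattern: {human_pattern_entropy():5.1f} bits")
    print(f"4 random words                 : {random_passphrase_entropy(4):5.1f} bits")
    print(f"words to match 10 random chars : {words_needed(random_password_entropy(10))}")
    print("example passphrase:", generate_passphrase(5))
```

Under these assumptions a truly random 10-character password carries about 65 bits, the memorable pattern about 32 bits despite being longer, and six random words from a 7776-word list are needed to match the random 10 characters. The point is the one Bar makes: it is the randomness of the construction, not the length, that decides the cracking cost, which is why generation belongs to the password manager rather than the user.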
"While passwords remain the frontline defence for our digital identities, they are also one of the most persistently weak links. Strengthening digital hygiene is really a cultural issue as even the most sophisticated tools can be undermined by friction or complexity. If controls are difficult to follow, they are bypassed. But if they are simple, intuitive and embedded into daily workflows, they become second nature."
Sharing isn't caring
"As we observe World Password Day 2026, we must accept that the era of the 'strong password' as a primary defence is over; in today’s landscape, even the most complex character string is a liability if it can be harvested by infostealer malware or inadvertently leaked into an unmanaged AI chatbot," observed Abhishek Kumar Singh, Head of Security Engineering, Singapore, Check Point Software Technologies.
"With a sophisticated 'cybercrime-as-a-service' economy now thriving on Telegram and the dark web, hackers rarely need to break in, as they can simply log in using stolen credentials, often moving from a leaked password to a full-scale ransomware deployment at lightspeed."
John Wojcik, Senior Threat Researcher, Infoblox, agreed that even strong passwords can be bypassed. He described fake CAPTCHAs that trick victims into installing malware as one way this can happen. "This World Password Day, we must recognise that the most effective defence isn’t just a better password: It’s a proactive foundation that stops the thieves before they can ever reach the door," he said.
Guccione also said that password strength alone is not the issue. "The real exposure sits in how credentials are stored, shared and governed across users, systems and service accounts. This is where privileged access management (PAM) becomes critical. Enforcing least privilege, rotating credentials, removing standing access and introducing visibility over how credentials are used changes the risk profile entirely," he emphasised.
"Strong passwords still matter. But without control over who can use them, when and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function."
Nicky Choo, VP and GM, APAC, Mimecast, said that the focus should not be whether passwords are strong enough, but if businesses even know what is accessing their systems in the first place. "The way work gets done has quietly shifted. Employees are no longer the only actors moving through your environment. AI tools and autonomous agents now retrieve information, generate outputs, and inform decisions, often without traditional logins, and increasingly without IT's knowledge or approval," he pointed out.
"Managing this requires moving beyond static controls. Organisations need continuous visibility into how access is being used, not just by people, but by the machines and tools operating alongside them. Behaviour, accountability, and the integrity of work output all need to be part of the equation."
"World Password Day remains a useful prompt. But the conversation it should spark in 2026 is this: how do organisations protect their environments when the biggest risk is not a stolen password, but an unseen tool that was never meant to be there?"
Passkeys
Passkeys are gaining serious institutional momentum, Guccione added. "The UK’s National Cyber Security Centre (NCSC) and US agencies including CISA are actively pushing phishing-resistant authentication aligned with FIDO standards – and adoption is already visible across public services. The direction is set," he said.
"Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel."
Geoff Schomburgk, Regional VP, Asia Pacific & Japan, Yubico, referenced the new name for World Password Day, World Passkey Day. "World Passkey Day is a useful checkpoint for organisations in APAC to reflect on the cybersecurity habits of employees, and what improvements can be made to become more cyber resilient – particularly, moving from insecure, legacy authentication methods like passwords and OTP-based methods such as SMS," he said.
While Schomburgk said passkeys are seeing widespread adoption, he also cautioned that there can be security tradeoffs if passkeys are tied to third-party platforms, as they can be exploited in account takeovers. "For security conscious companies and higher-risk environments, organisations are responding by using hardware-backed, device-bound passkeys – like those on security keys – where private keys stay on a physical device and cannot be copied, synced, or accessed remotely," he added.
"Passkeys will continue to gain ground globally, but how they are deployed will determine how much risk is actually reduced," he concluded.
Check Point's Singh added: "To protect the future of our digital identities, especially in a mobile-first hub like Singapore, organisations must pivot towards a Zero Trust architecture, embracing passwordless FIDO2 authentication and robust browser security to ensure that sensitive data is no longer just a 'copy-paste' away from exploitation."
Quantum computing
This year there is also increasing concern about emerging technologies affecting passwords. Stephanie Hottle, Director, Payments Education, said in a blog post that AI and quantum computing are changing how passwords are constructed and protected. "Quantum computing threatens traditional password security by utilising algorithms to break current encryption, making conventional passwords vulnerable by 2030. As the power of quantum computing gets into the hands of cybercriminals, robust passwords that can withstand this unprecedented kind of attack will be critical to the safety and security of financial transactions and other personal data," she noted.
AI
Anne Cutler, VP Global Communications, Keeper Security, noted that credential theft is increasingly easy for cyber criminals with AI, with stolen credentials immediately tested against multiple platforms to see if the same ones were reused.
"A phishing message, fake login page and impersonation are not crude scams anymore. They are convincing, personalised and increasingly automated," she said, alluding to AI-refined attacks.
"The good news is that the defence is not complicated. A password manager eliminates the reuse problem entirely, giving each account a strong, unique credential – whether it’s a traditional password or a phishing-resistant passkey – that is generated and stored without you having to think about it. Paired with built-in multifactor authentication, you remove the two entry points attackers rely on most."
John Cannava, CIO, Ping Identity, highlighted how AI has changed password concerns. "As organisations rapidly adopt AI agents, large-scale data breaches are becoming less of an anomaly and more of an inevitability. These systems are doing more than just responding to prompts. They’re making decisions, taking actions, and even spawning new agents with increasing autonomy and speed. That shift fundamentally changes the security landscape," Cannava said.
"The challenge is that many organisations are deploying AI agents faster than they can establish clear identity, accountability, and governance for them. When you can’t definitively answer what an agent did, why it did it, or under whose authority it acted, you introduce significant risk. This is why identity for AI must become a foundational priority.
"Every agent needs a verifiable identity with clear permissions and continuous oversight, just like any human user or service account. Without that, the growing ecosystem of autonomous AI will continue to expand the attack surface in ways most organisations aren’t yet prepared to manage."
Next steps
Kopacko noted that the US National Institute of Standards and Technology (NIST) updated its guidelines to emphasise longer passphrases of 15 or more characters over shorter passwords that merely satisfy minimum-length and complexity rules. In the 2024 revision NIST also dropped the requirement to change a password or passphrase on a periodic basis.
"As a consumer, use the day to set up or help someone else set up a password manager. This will automate the process of creating unique passphrases, storing them, and managing the login experience. Password managers can ensure only the proper site is receiving credentials and scan emerging password breaches to see if you’re impacted," Kopacko advised.
"As a professional, investigate your identity and authentication strategy across the organisation. Evaluate what is required and how you can move the organisation to a passkey-based method. It will greatly reduce your identity-based risks while improving the user experience."
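What the updated NIST guidance Kopacko describes means for a login system is a verifier that checks length and a blocklist of known-bad values, and nothing else: no uppercase/digit/symbol rules and no forced rotation. The Python below is an added example written for this article, not code from Sophos or NIST. The 15-character minimum is the figure the article gives; the 64-character upper bound, the NFKC normalisation step, the six-entry blocklist and the stripping of trailing digits and symbols before the blocklist lookup are my assumptions, shown next to the legacy complexity rule so the difference in what each accepts is visible.

```python
import re
import unicodedata

# Constructed blocklist for the demo. A real verifier checks against large corpora of
# breached and commonly used passwords, the kind of breach scan the article mentions.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "welcome", "letmein"}

MIN_LENGTH = 15   # passphrase length the article attributes to the updated NIST guidance
MAX_LENGTH = 64   # assumption: verifiers should accept at least 64 characters


def normalise(secret: str) -> str:
    """Unicode NFKC so visually identical inputs compare equal; each code point is one character."""
    return unicodedata.normalize("NFKC", secret)


def legacy_complexity_check(candidate: str) -> bool:
    """The old-style rule: 8+ characters with upper, lower, digit and symbol.
    It happily accepts predictable patterns such as 'Password1!'."""
    return (len(candidate) >= 8
            and re.search(r"[A-Z]", candidate) is not None
            and re.search(r"[a-z]", candidate) is not None
            and re.search(r"\d", candidate) is not None
            and re.search(r"[^A-Za-z0-9]", candidate) is not None)


def check_password(candidate: str, blocklist: set[str] = BLOCKLIST) -> list[str]:
    """Verifier check in the spirit of the updated guidance: length plus a blocklist,
    no composition rules and no expiry. Returns the reasons for rejection (empty = accepted)."""
    pw = normalise(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Blocklist match on the exact value and (my choice) after stripping the trailing
    # digits/punctuation people bolt on to satisfy complexity rules.
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in blocklist or stripped in blocklist:
        problems.append("matches a blocklisted password (ignoring trailing digits/symbols)")
    # Deliberately absent: uppercase/digit/symbol requirements and a "changed within N days" rule.
    return problems


if __name__ == "__main__":
    for sample in ("Password1!", "lantern-orbit-velvet-harbor"):
        print(f"{sample!r}: legacy rule accepts={legacy_complexity_check(sample)}, "
              f"updated rule problems={check_password(sample)}")
```

Run as written, the legacy rule accepts "Password1!" and rejects the four-word passphrase, while the updated check does the opposite: the short, blocklist-derived value is refused on two counts and the long random passphrase passes with no composition rule to trip over.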
Lavy Stokhamer, Global Head, Cybersecurity and AntiCrime Tech, Standard Chartered, said that the focus for World Password Day should move beyond password complexity toward stronger client identity protection. "At Standard Chartered, we continue to strengthen layered authentication, intelligent fraud detection, and adaptive security controls designed to protect clients while maintaining a seamless digital experience. As digital adoption accelerates, trust will increasingly be defined by how effectively organisations secure every customer interaction," Stokhamer said.
Cezary Piekarski, Group CISO, Standard Chartered, elaborated: "As we strengthen our security foundations, we are simplifying secure access to our banking systems by reducing friction while reinforcing stability and protection. This includes biometrics login, enabling colleagues to connect seamlessly with a single click. However, much of the risk still comes down to 'human hygiene'. Effective cyberdefence means equipping people with the skills and habits to take ownership, not leaving it solely to cyber teams," he said. "At Standard Chartered, we combine strong controls with a robust security culture through year-round training, phishing-resilience campaigns and security-by-design engineering. Individually, the basics still matter – using strong, unique passwords and multifactor authentication."
Hashtags: #WorldPasswordDay, #WorldPasswordDay2026
*While a password is relatively short, passphrases are longer and linked to something logical. Passkeys use a different method for authentication. Sophos has a CISO playbook that explains passkeys at https://www.sophos.com/en-us/blog/strengthening-authentication-with-passkeys-a-ciso-playbook
APAC stands for Asia-Pacific region; OTP for one-time password; CAPTCHA is an acronym for completely automated public Turing test to tell computers and humans apart, and SMS is an abbreviation for short message service.