TelcoNews UK - Telecommunications news for ICT decision-makers
World Password Day warnings urge shift to passkeys

Thu, 7th May 2026
Mark Tarre, News Chief

Cybersecurity specialists are using World Password Day to warn that traditional passwords no longer match the scale and sophistication of current cyber threats. Experts in biometrics, information security and identity management are urging organisations to treat authentication as a continuous discipline, not a yearly reminder.

World Password Day has traditionally focused attention on password hygiene. This year, the debate is widening as vendors and security leaders highlight structural weaknesses in password-based systems and the slow adoption of stronger authentication methods.

Marcus Lauren, chief product officer at biometric security company NEXT Biometrics, linked rising geopolitical tension to growing pressure on legacy defences. He pointed to diverging national guidance on password use and argued that businesses remain too reliant on knowledge-based credentials.

"World Password Day this year comes against a backdrop of rising geopolitical tension and an increasingly hostile cyber threat landscape. While ransomware and criminal activity remain persistent risks, the most serious and sophisticated attacks are now often linked, directly or indirectly, to nation states.

The UK's National Cyber Security Centre (NCSC), part of GCHQ, has already signalled a shift, warning that passwords are too vulnerable to modern attacks, no matter how complex and forgettable they are. It says it is 'overhauling decades of practice' by advising the public to stop relying on passwords for protection. By contrast, India's Computer Emergency Response Team (CERT-In) continues to emphasise stronger password hygiene and multi-factor authentication, noting that most unauthorised access incidents stem from poor password management. This divergence highlights a broader reality: while improving passwords remains important, many leading authorities now recognise that passwords alone are no longer sufficient. If that is the direction of travel for individuals, businesses should be asking why they are still so dependent on them.

Passwords are no longer fit for purpose in a high-risk digital environment. As critical systems and sensitive data move online, organisations continue to rely on credentials that are routinely reused, weak or easily compromised. Approximately 42% of people who have been hacked use passwords that combine letters and numbers but also have personal significance, making them easier to guess. In theory, passwords can be secure, but only if they are, for example, 100 characters long, unique, complex and changed every day. In practice, that is simply not realistic.

Security has always been a balance between risk and convenience. Like a door, a rural home may need a single lock, while a city property using the same door requires multiple layers of protection. Today, our digital 'doors' protect far more, yet they are too often secured with outdated methods.

For businesses, dependence on passwords is now both a security risk and an operational burden. They remain one of the most common entry points for attackers, while also driving inefficiency through resets, lockouts and user friction. The shift towards biometrics, passkeys and modern identity systems is no longer optional; it is necessary. By moving from what users know to who they are, organisations can strengthen security while improving usability.

Incremental fixes to passwords are not enough. Businesses must prioritise more robust, user-centric approaches to identity and access that reflect today's threat landscape and support best practices such as Zero Trust."

Chris Newton-Smith, chief executive of IO, said World Password Day was a useful reminder, but only a point-in-time measure.

"You change the password, tick the box, move on. And the threat landscape doesn't pause while you do.

The real challenge isn't that employees use weak passwords. It's that organisations treat security as a series of one-off actions rather than a continuously managed system. Our State of Information Security Report found that 35% of respondents had used personal devices for work without proper security measures in place. That gap doesn't exist because people don't care about security. It exists because the culture, training and controls weren't embedded into how those people work every day."

He pointed to international standards as a model for a more systematic approach.

"ISO 27001 gets this right. Multi-factor authentication, role-based access control and ongoing employee awareness training aren't annual reminders, they're continuous operating disciplines. The organisations that manage them that way aren't just better protected against social engineering and business email compromise. They're building something that holds up under scrutiny from customers, partners and regulators, not just on World Password Day, but on every other day of the year.

Password hygiene matters. But it's one signal in a much bigger system. The question worth asking today isn't 'how strong is our password policy?' It's 'what are we doing on every other day of the year?'"

Michael Downs, vice president at SecurEnvoy, highlighted the continued use of stolen credentials as an initial route into corporate networks.

"World Password Day is a good reminder that passwords aren't failing because people choose bad ones. They're failing because stolen credentials are still an initial access vector in 22% of all confirmed breaches. The Colonial Pipeline attack in 2021 came down to a single compromised password on a VPN with no second factor. Five years on, password governance and hygiene remain poor, with 88% of organisations having stale but enabled ghost users that still provide access to accounts and information.

The problem isn't that people need to choose stronger passwords, but that password hygiene alone won't protect you once credentials are leaked or bought on the dark web. And they get leaked constantly.

Only 47% of organisations have deployed MFA as standard, which means the majority are one credential leak away from a serious incident. Attackers know this, which is why access brokers have made a business out of selling working login details to whoever wants them.

If there's one thing worth doing today, it's auditing which of your systems still rely on a password alone and asking why MFA isn't on them yet. That's a more useful exercise than a reminder to use a capital letter."
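The audit Downs describes, checking which accounts still grant access on a password alone and which enabled accounts have gone quiet, can be run against an identity export in a few lines. The following is an added example written for this article; it is not code from SecurEnvoy or any other vendor quoted here. It assumes a constructed directory export with the fields `username`, `system`, `enabled`, `mfa_enrolled` and `last_login` (an assumed schema), and a 90-day idle threshold that stands in for whatever an organisation's own policy says.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Account:
    """One row of a (hypothetical) identity export; field names are assumed."""
    username: str
    system: str                 # the system the account grants access to, e.g. "vpn"
    enabled: bool               # account can currently log in
    mfa_enrolled: bool          # a second factor is registered for this account
    last_login: Optional[date]  # None means the account has never logged in

# Audit date; matches the article's publication date.
AS_OF = date(2026, 5, 7)

# Constructed sample export for the example; not real accounts.
SAMPLE_USERS: List[Account] = [
    Account("alice", "vpn",   True,  True,  date(2026, 5, 1)),
    Account("bob",   "vpn",   True,  False, date(2025, 11, 10)),
    Account("carol", "email", True,  False, None),
    Account("dave",  "vpn",   False, False, date(2025, 1, 5)),
    Account("erin",  "crm",   True,  False, date(2026, 4, 20)),
]

def stale_enabled_accounts(users: List[Account], as_of: date = AS_OF,
                           max_idle_days: int = 90) -> List[str]:
    """Enabled accounts that have not logged in within max_idle_days (or ever).

    These are the 'stale but enabled' ghost users: still able to authenticate,
    but with no recent legitimate use to justify the access.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        u.username for u in users
        if u.enabled and (u.last_login is None or u.last_login < cutoff)
    )

def password_only_by_system(users: List[Account]) -> Dict[str, List[str]]:
    """Enabled accounts with no second factor, grouped by the system they reach.

    Disabled accounts are skipped: they cannot log in, so they are a separate
    clean-up task rather than an MFA gap. Sorting keeps the output stable.
    """
    gaps: Dict[str, List[str]] = {}
    for u in users:
        if u.enabled and not u.mfa_enrolled:
            gaps.setdefault(u.system, []).append(u.username)
    return {system: sorted(names) for system, names in sorted(gaps.items())}

def audit_report(users: List[Account], as_of: date = AS_OF,
                 max_idle_days: int = 90) -> dict:
    """Combine both checks into one summary a reviewer can act on."""
    pw_only = password_only_by_system(users)
    return {
        "total_enabled": sum(1 for u in users if u.enabled),
        "stale_enabled": stale_enabled_accounts(users, as_of, max_idle_days),
        "password_only_by_system": pw_only,
        "password_only_count": sum(len(v) for v in pw_only.values()),
    }

if __name__ == "__main__":
    report = audit_report(SAMPLE_USERS)
    print(f"Enabled accounts: {report['total_enabled']}")
    print(f"Stale but enabled: {', '.join(report['stale_enabled']) or 'none'}")
    for system, names in report["password_only_by_system"].items():
        print(f"{system}: password only for {', '.join(names)}")
```

On the constructed data the report flags `bob` and `carol` as stale-but-enabled, and lists `vpn`, `email` and `crm` as systems where at least one active account still signs in with a password alone. In a real run the export would come from the directory or identity provider, the idle threshold from the joiner/mover/leaver policy, and the output would feed a ticket per system rather than a print statement.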

Alongside World Password Day, vendors are also drawing attention to World Passkey Day and the broader push towards passwordless authentication. Danny de Vreeze of Thales said enterprise reliance on passwords remains entrenched, even as users show support for alternatives.

"We tend to associate the problems of passwords with the customer experience, but the bigger issue is that they're still deeply embedded across the enterprise. The Thales Digital Trust Index shows a clear pattern: users are aligned on the need for stronger, simpler authentication, but rollout isn't keeping pace.

68% of consumers say they trust passkeys more, and 57% of partner users say stronger authentication such as MFA increases trust. Yet despite 87% of IT leaders recognising the importance of passkeys, only 49% have deployed them.

When identity processes are slow or difficult, people find ways around them. In fact, 66% of third-party users admit to sharing or borrowing credentials, highlighting how quickly friction turns to risk.

Passkeys are a step in the right direction, but this can't be a front-end fix. Organisations need to rethink identity across customers, employees and partners. Those that apply consistent, user-friendly authentication across the business won't just strengthen security; they'll remove friction from how work actually gets done."

Despite the push towards biometrics and passkeys, some industry voices expect passwords to remain part of the mix for years, particularly in device and data protection.

"Weak password practices remain one of the easiest ways for attackers to gain access, yet many organisations still fail to enforce strong password policies, leaving a basic gap in their defences.

Where policies are in place, the focus should be on strength rather than frequent changes. And while password managers have helped tackle reuse by generating unique credentials, they also need to be secured properly with a strong master password and multi-factor authentication.

Crucially, organisations must ensure this is enforced across all devices, and removable media remains a major blind spot. USB drives and external hard disks often fall outside standard controls. Encrypting them, with access available only through a password configured in line with corporate policy, helps ensure sensitive data remains secure if devices are lost or stolen. The shift is now towards always-on, hardware-based encryption combined with tighter device control policies, ensuring sensitive data remains protected even if devices are lost, stolen or connected to untrusted systems. Our 2025 survey showed growing maturity in encryption adoption, with 94% of organisations now having a defined data encryption strategy or policy for removable media, working alongside password protection.

While alternatives such as biometrics and passkeys gain ground, passwords will continue to play a key role, strengthened by measures such as multi-factor authentication and Zero Trust."