The industry speaks: World Password Day

The first Thursday in May is World Password Day, and while that may be an easily predictable event, one thing that should not be predictable is your password.

Poor password habits can lead to your data being stolen, bank accounts being accessed, and more. We should be thinking about our passwords every day, but today’s an especially good day to get some advice on how to boost your own personal security.

Here’s the collective wisdom of some of the best in the business.

Wayne Phillips
Field chief technology officer, Asia-Pacific and Japan, at SentinelOne

Passwords aren’t going away anytime soon. While biometric data, facial and fingerprint scanning all have a role in helping secure access to services, the one overriding benefit of a password is it’s the “something you know” and not the “something you are”. The latter might be simple to set up, simple to use and always available, but that means it can be read without you knowing, in some cases from a coffee cup or social post, but the former cannot, so long as you ensure that it’s sufficiently complex, unique, secret, and you haven’t unwittingly shared it with someone else.

The downfall of passwords is the need to share them with the system you need to access to ensure you can access them. Sharing passwords at account creation is the paradox for security, and where the whole notion of trust begins. Combine passwords with as many factors as possible without increasing friction, and your chances of suffering data loss through password hacking are both extremely low and – importantly – highly limited. Combining “what you know”, “what you have”, “what you are”, “where you are“, and “when you are” can be a hard chain of secrets to break.

Patrick Harding
Chief architect at Ping Identity

As threat actors become more sophisticated and lean on new technology like artificial intelligence, most users underestimate the risks associated with relying on passwords to protect valuable information. On top of that, a whopping 48 per cent of IT decision-makers are not confident they have technology in place to defend against AI attacks. Traditional passwords make organisations vulnerable to these types of attacks, leaving the door open for hackers to access critical data. Consumers have also become increasingly frustrated with remembering multiple, complex passwords and often choose to reuse the same password on various sites, increasing security risks even further.

VIEW ALL

The good news is there are more secure alternatives that provide better digital experiences for the user. Passwordless authentication replaces traditional passwords with more seamless and secure methods and helps enterprises reduce risk and stop threats at scale. This World Password Day, let’s focus on moving towards a passwordless future that offers better and safer digital experiences while educating organisations about technology that strengthens security.

Carla Roncato
Vice-president of identity at Watchguard Technologies

On this World Password Day, we should all pause and think about how we can adopt passkeys. Passkeys represent a significant industry shift in identity security, moving away from traditional credentials of usernames and passwords to a more secure “no knowledge” approach to authentication that is a vastly better user experience. As a form of passwordless authentication, passkeys aim to eliminate the inherent risk factors of traditional credentials. At the same time, any use of biometrics and biometric data for fingerprint or face unlock remains on your device and is never shared with Google (in this example) or any website that accepts passkeys.

It’s also a good time to think about better password hygiene and password management practices. First, it’s time to do away with weak and reused passwords. Use complex passwords, consisting of more than 16 random characters or passphrases unique for every login. Since that can be onerous, using a password manager is optimal. Password managers can auto-generate and securely vault complex passwords. Plus, with a password manager, there is only one password you’ll have to remember: the one for your vault.

Sadiq Iqbal
Cyber security evangelist at Check Point Software Technologies

As we observe World Password Day, it’s essential to acknowledge that robust passwords form the bedrock of effective security measures. Even with the most advanced security technologies, the simplest oversight on passwords can grant attackers access to our systems. Strong passwords are more than just a recommendation; they are a critical defence mechanism. Recent attacks on major organisations like Okta and 23AndMe were facilitated by stolen login details, demonstrating the widespread impact and ongoing threat posed by weak password practices. However, by reinforcing password security, we protect not just our data but maintain the integrity and trust of our entire organisation.

Erick Reyes
Strategic clients director for data security at Thales Australia

Every year, World Password Day comes around, and every year, we see the same advice about the need for strong passwords issued. The advice simply isn’t working. Passwords are no longer fit for purpose – they’re easily hacked and put too much onus on the end user. Our recent Digital Trust Index research found that 64 per cent of customers are frustrated with cumbersome password resets, and with human error still the leading cause of data breaches, this should be a leading concern for businesses, too. Developments in AI and quantum computing, which will put how and what data is used firmly in the spotlight, only further make this a pressing need.

If we need an awareness day, it’s time to rebrand and highlight the importance of passkeys. Using cryptographic techniques, passkeys are harder to crack – making them far more secure. They’re also automatically generated and can be safely stored on devices, making it easier for the consumer and eliminating the need to create long, complex passwords or phrases. Finally, passkeys enable greater privacy by granting authentication without handing over sensitive information – reducing the risk of data breaches.

Chern-Yue Boey
Senior vice-president, Asia-Pacific, at SailPoint

With as many as 4,000 password attacks occurring per second globally, the vulnerability of user passwords has become more pronounced, with a tenfold increase in attacks in the past year alone. Despite years of industry discourse on the perils of weak passwords, organisations continue to underestimate the risks associated with relying solely on passwords to safeguard valuable information – with login and access passwords serving as the Achilles heel exploited by hackers to breach corporate networks.

Passwordless solutions have emerged as a promising alternative, incorporating technologies such as biometrics, authenticator apps and tokens. However, it remains crucial for organisations to recognise that these alone do not ensure security. Malicious actors often also exploit weaknesses in business systems lacking least privileged access controls – especially in today’s dynamic threat landscape, where compromised identities often serve as the primary trigger for majority of data breaches.

The consequences of this oversight are costly, making businesses susceptible to a barrage of attacks once cyber attackers get one foot in the door. Instead of viewing passwordless authentication as a standalone solution, organisations should seamlessly integrate it with a robust identity security framework.

Roger A. Grimes
Data-driven defence evangelist at KnowBe4

The uncomfortable truth is that password strategies have not kept pace with the skills of modern hackers. Far too many people are still using passwords that could be cracked in a matter of minutes or even seconds. It is not just about complexity; it is about approaching passwords with a mindset of strategic defence.

Adrian Covich
Senior director, technical sales, Asia-Pacific and Japan, at Proofpoint

Passwords are one of the first critical barriers between a person, a threat actor and a successful cyber attack, but many people make the mistake of reusing the same login credentials across multiple sites and devices. This makes it easier for threat actors to gain access to sensitive information through advanced credential phishing campaigns.

When it comes to password creation, avoid common words, phrases, names, and dates associated with you or direct family members. It is also wise to turn on multifactor authentication (MFA), which uses two forms of “evidence” to validate an identity before access is granted or, if not available, use a password manager. A password manager creates randomised passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. It’s also best to change all passwords twice a year and change business passwords every three months.

Andrew Slavkovic
Solutions engineering director, ANZ, at CyberArk

Organisations should adopt passwordless authentication to withstand the ever-looming threats of cyber attacks, including phishing, keylogging, and man-in-the-middle attacks.

By eliminating the constraints of complex password requirements and frequent updates, this approach not only strengthens security but also streamlines the user experience.

However, despite its clear advantages, transitioning to passwordless systems presents challenges for organisations. The top barriers preventing organisations from going passwordless are legacy systems, as they tend to be tethered to traditional password structures. With those also comes the intricate management demands of expansive, multifaceted environments – comprising diverse users, numerous applications, and hybrid and multi-cloud set-ups – which organisations today are still tackling. 

In navigating this transition, identity and access management (IAM) solutions emerge as crucial allies. This solution facilitates the implementation of features like passwordless endpoint authentication.

Matt Caffrey
Senior solutions architect at Barracuda

Last year, around half of reported data breaches, including 86 per cent of web application breaches, involved the use of stolen credentials: usernames and passwords. [In] Australia,1.8 million accounts were breached in the first quarter of 2024 alone. When it comes to secure authentication, there seems to be a lesson we’re not learning.

We know that passwords are vulnerable to being cracked, exposed or stolen and used against us, but many organisations still rely on them for securing access. There are a number of reasons for this – and it is important to remember those reasons when we try to replace or supplement them.

Passwords are convenient. They’re familiar, and both users and administrators understand them. They’re easy to implement and require minimal infrastructure and investment. There’s no need for additional hardware, and they’re everywhere. Nearly every service and device supports password authentication.

When considering alternatives to passwords, it’s important to prioritise security, usability, and scalability to ensure a seamless and secure authentication experience for users. If you introduce too much complexity and friction, people will find a way around it.

Martin Dube
Vice President for Public Cloud in APJ at Rackspace Technology

Easy alternatives to passwords include biometrics (fingerprints, retinal and voice), OTPs and multifactor authentication to name just a few of the readily available options. Most websites and applications offer one or more of these options already so there really is no excuse for still using a technology that has demonstrated time and again that it is not effective. According to research from Microsoft, as much as 99 per cent of fraudulent sign-in attempts can be blocked just by adding a second authentication step.

Unfortunately, Australia and Australians face an ever-increasing threat landscape. According to CommBank research, Australians receive an average of five scam calls, emails or messages a week, equating to over 250 attempts a year. With the number of cyber-attacks in Australia increasing every day, it is time we all adopted a modern solution to tackle this ancient problem.

Tyler Moffitt
Sr. Security Analyst at OpenText Cybersecurity

Today, anything with a password is a potential attack point, including Internet of Things (IoT) devices. IoT is an unfortunate example of issues that can arise when low profit high volume devices emerge in the market, meaning adequate care is not given to their security by such manufacturers.

We've already seen major steps forward in addressing these issues. One of the more interesting steps is pioneering new legislation introduced this week by the UK parliament that cracks down on the myriad of cybersecurity issues caused by IoT devices. This includes prohibiting the use of weak, easily guessable default passwords such as 'admin' or '12345. However, it's important to note that brute force attacks remain relevant due to advancements in technology.

The increase in GPU power has made these types of attacks more feasible, allowing cybercriminals to crack passwords faster than ever before. This persistence, along with a rise in phishing attacks and credential stuffing, where attackers exploit poor password hygiene and use previously breached data to access new systems, highlight the need for robust password policies and advanced security measures in the future.

Chern-Yue Boey
Senior Vice President, Asia-Pacific, at SailPoint

With as many as 4,000 password attacks occurring per second globally, the vulnerability of user passwords has become more pronounced with a tenfold increase in attacks in the past year alone. Despite years of industry discourse on the perils of weak passwords, organisations continue to underestimate the risks associated with relying solely on passwords to safeguard valuable information – with login and access passwords serving as the Achilles heel exploited by hackers to breach corporate networks.

Passwordless solutions have emerged as a promising alternative, incorporating technologies such as biometrics, authenticator apps and tokens. However, it remains crucial for organisations to recognise that these alone do not ensure security. Malicious actors often also exploit weaknesses in business systems lacking least privileged access controls – especially in today’s dynamic threat landscape, where compromised identities often serve as the primary trigger for majority of data breaches.

The consequences of this oversight are costly, making businesses susceptible to a barrage of attacks once cyberattackers get one foot in the door. In fact, IDC’s recent report found that a staggering 59 per cent of enterprises in APJ have fallen victim to ransomware attacks, with 32 per cent ultimately paying the ransom. Furthermore, the advent of AI has exacerbated the risk for businesses, empowering even novice cybercriminals with accessible means to launch even more complex and sophisticated threats.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.