The Industry Speaks: World Password Day 2025

This issue is especially pressing in Australia. In just the first three months of this year, Cloudflare blocked an average of 1.2 billion cyber threats daily – a 23 per cent increase from the previous quarter. Attackers are scaling phishing and credential-stuffing attacks, exploiting weak or reused passwords as an easy and effective way in. Traditional authentication methods simply no longer suffice. It’s not a matter of if you’ll be targeted, but when.

Strengthening authentication is critical. Multi-factor authentication, passkeys, and passwordless logins, including biometrics and hardware keys, are essential tools to safeguard data, reduce risk, and maintain trust. A more dynamic approach towards passwords utilising AI for login behavioural analysis is trending faster than ever. When paired with a Zero Trust approach – where every request is verified – these strategies can help close critical gaps in defence.

Erich Kron
Security Awareness Advocate at KnowBe4

World Password Day is no longer just a reminder to update login credentials. It is a call to modernise how we think about authentication. Changing a weak password offers little protection against sophisticated cyber threats. With phishing attacks, credential stuffing, and the sale of stolen credentials on the dark web becoming increasingly common, organisations must move beyond traditional password practices.

VIEW ALL

Real risk reduction starts with better habits. This includes encouraging the use of longer, more secure passphrases, requiring password managers to avoid reuse, and implementing multi-factor authentication wherever possible. These steps provide an added layer of defence, but they are not enough on their own.

Technology cannot account for every scenario. That is why building a strong security culture is essential. By providing ongoing security awareness training and practical tools, organisations can help employees recognise and respond to threats before they escalate.

The most effective defence is not a single product or policy. It is a workforce that understands its role in protecting the organisation.

Norbert Kiss
Senior Vice President - APAC at Delinea

Passwords still are the gatekeepers of our digital identities but relying on traditional passwords is simply not enough. Cyber-criminals are getting smarter when attacking passwords, especially those tied to privileged accounts, to breach networks and access sensitive data. With 80 per cent of security breaches involving misuse of privileged credentials, it's clear that organisations must adopt a Privileged Access Management (PAM) approach, combined with Zero Trust principles for data protection.

It's essential to use World Password Day as a reminder that password security alone isn't enough. We must never assume trust – especially privileged accounts – and always verify every access request.

By taking control of who has access to what, when and how, organisations can significantly reduce the risk of breaches. Smart identity security starts with Zero Trust and PAM – because data safety begins with stronger, verified access.

Tyler Moffitt
Senior Security Analyst at OpenText

World Password Day highlights a critical truth: while traditional passwords are fading, securing digital identities has never been more urgent. As we move toward a passwordless future, passkeys, backed by device-based biometrics and public key cryptography, are poised to reshape authentication. By the end of 2025, 25 per cent of the world’s top 1,000 websites are expected to support passkeys, a shift driven by their ability to prevent phishing attacks and data breaches while simplifying user experiences.

However, no solution is flawless. Passkeys, though promising, are still emerging. They face adoption hurdles, including limited support across platforms and challenges for users unfamiliar with biometric security or cryptographic keys. Transitioning to passwordless authentication demands more than just new technology, it requires layered defences, strong recovery mechanisms, and continuous user education.

As authentication evolves, fundamentals still matter. Staying vigilant, practicing good security hygiene, and embracing modern tools like passkeys with eyes wide open is the best way forward.

Carla Roncato
VP of Identity at WatchGuard Technologies

As we mark another World Password Day, the conversation often turns to strengthening password habits and promoting password managers.

While those are necessary steps, there’s a deeper, more pressing issue that needs the spotlight: the thriving underground economy trading in stolen credentials on the dark web.

Today, it’s not just careless password reuse or weak combinations that pose a threat, it’s the industrial-scale theft and sale of login data. Credentials are harvested through phishing, malware, and breaches, then packaged, sold, and exploited at astonishing speed. A single leaked password doesn’t just unlock one account, it can be a skeleton key to an entire digital identity.

The question is no longer “Are your passwords strong enough?” but “Do you know if your credentials are already out there?”

Organisations must treat credential exposure as a threat to be actively mitigated, not just a hygiene issue. That means proactive monitoring of the dark web, real-time alerting on compromised credentials, and an incident response plan that assumes breach, not just tries to prevent it.

Cybercriminals have evolved. It’s time our mindset around password security evolves too.

Fabio Fratucello
Field CTO World Wide at CrowdStrike

Today’s attackers are no longer relying on malware to break through defences. Instead, they’re exploiting stolen credentials and trusted identities to quietly slip into organisations and move laterally across cloud, endpoint and identity environments – often undetected. CrowdStrike’s 2025 Global Threat Report highlights this shift: 79 per cent of initial access attacks are now malware-free, and access broker activity has jumped 50 per cent year over year.

World Password Day is a timely reminder for organisations to rethink their identity security posture. That means going beyond traditional password hygiene and adopting an identity-first approach – one that applies Zero Trust principles, continuously monitors users and access, strengthens authentication with MFA and passwordless solutions, and removes unnecessary privileges. Layering in AI-driven identity threat detection and unifying visibility across endpoint, identity and cloud domains helps close the gaps attackers count on.

Nadir Merchant
General Manager, IT Operations Suite, at Kaseya

Instead of frequently rotating shorter passwords, it is actually more secure to use much longer passwords – for example, phrases of 50-70 characters with numbers and special characters incorporated, too. The problem with rotation is that it causes people to forget their passwords, which means they tend to write them down, creating all kinds of security holes. Phrases are much easier to remember. And a long, simple password is harder for attackers to brute force than a short, complex password.

Authenticators are becoming commonplace now, as well, and many vendors are requiring multi-factor authentication (MFA). Using a push MFA through an authenticator is a more secure way of doing two-factor authentication (2FA) as it requires the user to verify their identity by receiving a push notification to a separate device, usually their registered mobile phone. On the other hand, 2FA tools that are built into the browser defeat the purpose of 2FA; if somebody has access to your computer or compromises your computer, they're going to get access to your temporary one-time passcode (TOTP) the same way. Authentication needs to be kept separated on different devices.

David Rajkovic
Regional Vice President Australia and New Zealand at Rubrik

Despite being a decades-old security mechanism, passwords continue to serve as the gateway to critical systems and sensitive data.

While it might seem like a basic building block, the role of authentication systems and zero-trust in cyber resilience has never been more critical.

We're now seeing a concerning trend where compromised AI systems can be used as reconnaissance tools for attackers. Compromised credentials, notably passwords, remain among the most common entry points for ransomware and other advanced attacks.

World Password Day exists as a reminder. Businesses need a holistic approach to security and cyber resilience, including the ability to quickly recover critical systems that may have been compromised. This includes the protection and recovery of systems involved in the authentication of both human and non-human identities.

Brian Pontarelli
CEO of FusionAuth

The teams building the future of passwords are the teams that are building and managing the login pages of their apps. Some of them are getting rid of passwords entirely, others are not familiar enough with the alternatives to make the move; a recent survey of teams building auth on their own showed that passkeys (a replacement for passwords) were the feature that teams were both most familiar with AND least familiar.

In short, passkeys are the most polarising feature for the teams building the future of login… So the future of passwords is certainly not certain.

Ashley Rose
CEO of Living Security

Password misuse is a business/security alignment issue. We need to understand the business friction (visibility) around authentication and think with a secure by design mindset, implementing SSO/passwordless logins, allowing for use of password managers at work and at home etc.

Where Human Risk Management (HRM) comes in is visibility and prioritisation of efforts. For instance, if you see a segment of higher-risk users with a lot of access, we will want to start here to develop a policy around passwords (i.e. implement password manager or reset policies), or train, or change authentication processes… Versus trying to boil the ocean.

Bob Wambach
VP, Portfolio and Strategy, atDynatrace

Passwords were once the cornerstone of digital security. But today, they have become a growing risk, often exploited by sophisticated attackers. Static credentials alone can no longer defend the complexity of modern digital ecosystems.

Strengthening security today means thinking differently. Organisations need the ability to see risks in real time, understand vulnerabilities across their environments, and respond before attackers can exploit them. AI-powered observability and automated insights are helping businesses move from reactive defence to proactive resilience, embedding protection into every user experience, application and infrastructure.

On this World Password Day, the focus must shift from relying on passwords alone to building integrated, intelligent security. Digital trust depends on seeing more, understanding faster and acting earlier, at the speed of modern threats.

Morey Haber
Chief Security Advisor at BeyondTrust

World Password Day remains cyber security’s most ironically misguided celebration. As a yearly event, it is a reminder of our collective failure to promote good password hygiene and highlight bad habits and silly mistakes. Despite endless warnings and breaches demonstrating password fragility, we have decided to dedicate a day to celebrate the weakest link in cyber defence: us – human beings.

So, on May 2nd, we will recognise that as humans, we are fundamentally inept at password management and reuse secrets, refuse complexity, forget, and share passwords, creating a lucrative opportunity for threat actors to capitalise on our flaws. Therefore, for future celebrations, I would like to propose that World Password Day focus on marking a proactive pivot toward biometrics and passwordless authentication options, so we can ultimately change the narrative of identity attack vectors. Instead of promoting stronger passwords and a day when everyone should rotate their passwords, perhaps we should promote a technological revolution and replace passwords with modern solutions that can minimise our own human weaknesses: biometrics, MFA, and passkeys for everyone.

Patrick Harding
Chief Product Architect at Ping Identity

Passwords have long been a security crutch – and in today’s digital landscape, they’re quickly becoming a liability. Users continue to rely on weak, repurposed credentials, making them easy targets for sophisticated cyberattacks fueled by AI.

Recent data shows that 87 per cent of consumers are concerned about identity fraud, yet many still depend on outdated methods to secure their most sensitive data. Even worse, 48 per cent of IT leaders admit they’re not confident their current defences can withstand AI-driven attacks. That should be a wake-up call. With the rise in phishing, credential stuffing, and deepfake scams, it's time for organisations to retire traditional passwords altogether.

In the spirit of World Password Day, we must double down on access solutions that eliminate the guesswork and the risk. Passwordless authentication, like biometrically protected passkeys and secure device-based login, not only strengthens security but also improves the user experience. Organisations must embrace a future where identity is both frictionless and fundamentally more secure.

Rafa López
Evangelist & Solutions Engineer at Check Point Software Technologies

Despite security advances, people still trust what they know – and passwords feel familiar. But that familiarity comes at a price. Passwords are easily guessed, forgotten, shared, or stolen. Check Point notes that poor password hygiene – such as reusing passwords, writing them down, or using personal data – continues to be a major weak link in corporate and personal security​​. Even worse, phishing attacks – many AI-generated – continue to steal login credentials at scale, despite the presence of two-factor authentication (2FA). The rise in AI-powered phishing and deepfake attacks only makes password-based systems more vulnerable. Organisations should:

• Pilot passwordless systems using biometrics, tokens, or Passkeys.
• Use tools like Check Point Harmony to prevent password reuse and phishing.
• Enforce Privileged Access Management (PAM) solutions and Zero Trust architectures.
• Educate teams not just on stronger passwords –but on phasing them out altogether.

Check Point emphasises password length, diversity, and uniqueness, but is also aligned with the need to explore post-password approaches​​. World Password Day shouldn’t just be about creating stronger passwords. It should be a prompt to imagine a future without them. The tools exist. The threats demand it. The only thing missing is our willingness to let go.

Ezzeldin Hussein
Senior Director, Solutions Engineering, at SentinelOne

World Password Day is a reminder that password security is a shared responsibility. Organisations and individuals must adopt best practices such as using complex, unique passwords, enabling multi-factor authentication (MFA), and leveraging password managers to enhance security. Cyber hygiene starts with small habits – changing default passwords, avoiding reuse, and staying vigilant against phishing attacks. Let’s take this day to educate, implement stronger security measures, and advocate for passwordless authentication methods like biometrics and passkeys. A secure password is the first step toward a more resilient digital future.

David Nuti
Head of Security Strategy at Extreme Networks

For over a decade, IT departments have faced the challenge of managing diverse endpoints - both hybrid workers and IoT – and managing access to equally diverse data and application endpoints. Unfortunately, as complexities have continued to increase, the industry hasn't yet delivered a solution to closing the talent and resource gaps of budget-conscious IT teams. Opportunities in agentic AI are about to flip that script entirely.

The pathway for this revolution is centred on committing to an identity-based policy based on a Zero Trust framework. Identity micro-segmentation is the rocket fuel to power the next generation of AI-powered tools for planning, maintaining, and enhancing network performance, reliability, and security. The logistics and end-user behavioural data are precisely what AI agents will require to deliver interactive, and ultimately agentic, analysis and outcomes that become the force multiplier that IT teams need to perform beyond their current capacities.

Zero Trust has long been recognised for strengthening cloud security by eliminating implicit trust within a network. Instead of granting broad access, it mandates continuous verification and authorisation for every request. What empowers those observed decisions is the fine point data provided by identity-based policies.

Zero Trust can be both proactive – preventing attacks by verifying every request – and reactive – limiting attackers’ lateral movement with network segmentation and identity micro-segmentation. Combined with other solutions like network fabric, Zero Trust can help minimise the blast radius impact of breaches in cloud environments.

As cyber threats evolve, organisations must remain vigilant. By adopting Zero Trust and fostering a strong security culture, enterprises can significantly strengthen their overall security posture while simultaneously laying the data foundation for agentic AI and automating many of today's time-consuming IT workloads.

Takanori Nishiyama
SVP APAC Sales at Keeper Security

We’re celebrating this World Password Day in the age of generative AI, where traditional password tricks such as substituting “a” with “@” or adding an exclamation mark at the end don’t offer enough protection. Hackers today use password-cracking tools – many powered by machine learning – that can guess common patterns and character swaps in a matter of seconds, meaning that being clever isn’t secure anymore. The more we rely on predictable behaviour, the easier we make it for attackers to breach our accounts.

According to Keeper Security’s 2024 Future of Defense report, 95 per cent of IT leaders say cyber attacks are more sophisticated than ever before, with password-related attacks ranking among the top five fastest-growing threat vectors. To stay safe, users must practise good password hygiene by using passwords with at least 16 characters with upper and lowercase letters, numbers and special characters, and using a unique password for each account. They should also enable Multi-Factor Authentication (MFA) wherever available. For both consumers and businesses, adopting a zero-knowledge, zero-trust password management system is essential in defending against phishing, credential stuffing, and other password-related threats.

Chern-Yue Boey
SVP, GM APJ, at SailPoint

As organisations increasingly embrace AI agents and machine identities such as service accounts and APIs to boost productivity and operational efficiency, it is critical that they adopt best-in-class identity security solutions to manage these identities and reduce their attack surface. While human identities are validated via passwords, usernames, and biometrics, machine identities require credentials such as API keys, tokens and certificates. When these credentials are poorly managed or go undiscovered, they become potential points of compromise for attackers.

A 2024 global SailPoint survey revealed that nearly 70 per cent of companies now manage more machine identities than human identities, while Gartner estimates that by 2028, a third of enterprise software applications will include agentic AI, which is expected to manage 15 per cent of day-to-day work decisions autonomously. Yet, 57 per cent of organisations surveyed have reported inappropriate access being granted to non-human identities. Breaches tied to these vulnerabilities cause delays in application launches, outages, and reputational damage, demonstrating that the risks are not just security-related but operational and commercial.

To mitigate these risks, organisations must implement advanced identity security measures and stronger credential hygiene. Like human credentials, machine credentials must be regularly rotated and revoked to prevent misuse, especially since stale and exposed credentials are common entry points for attackers. Organisations must also enforce strong, unique cryptographic keys and digital certificates for all machine identities and adopt automated credential management and real-time monitoring to keep up with the scale and complexity of machine identities. As for AI agents, as they operate autonomously and require access to multiple data sources and systems to function effectively, it is crucial that they are managed with the same degree of visibility, governance and control as human and machine identities.

Olly Stimpson
Senior Security Strategy Adviser ANZ at CyberArk

As the boundaries between our personal and professional lives continue to blur, World Password Day is a timely reminder that this convergence extends to how we manage passwords. The human element remains a well-known challenge for security and identity professionals. With password reuse common across personal and corporate accounts, a single compromised credential can expose entire organisations to risk.

Credential theft remains one of the most frequent identity-related breaches. The recent superannuation funds incident serves as yet another example of the inherent weakness of passwords as a standalone form of authentication. But we must not view it as an isolated case – it highlights a broader trend of escalating risk as identity breaches cascade through supply chains.

On the consumer front, mandatory multi-factor authentication – or better yet, the adoption of passwordless technologies like passkeys – should be a serious consideration. Enterprises must hold themselves to the same standard, prioritising stronger authentication methods and short-lived, federated access models – and do so for both human and machine identities.

Ultimately, the risk of a domino effect is real. One identity compromise can lead to many more, with CISA already warning of the downstream impact of lost credential material from the recent breach of Oracle Cloud. Solving tactical issues is no longer enough – organisations must shift their mind and uplift their thinking to address the systemic risk created by repeated and widespread identity exposures.

Jared Atkinson
Chief Technology Officer at SpecterOps

On World Password Day, we take a moment to recognise the importance of strong authentication practices. From using complex passwords to enabling multifactor authentication and leveraging password vaults, these measures form the bedrock of identity security. But while these tools help protect credentials at rest and during login, they don’t address what happens next – when identities are in motion.

Once authenticated, users generate sessions, browser cookies, Kerberos tickets, and other forms of temporary identity that move across the environment. These credentials in transit are often overlooked, yet they present some of the most attractive targets for attackers. Adversaries don’t need to break passwords if they can steal an active session. This is where Attack Path Management becomes essential – shedding light on how these ephemeral identities can be exploited and how a single compromise can cascade through an environment toward full domain control.