Jeff Park
Country manager, ANZ, at Seagate
World Password Day is a reminder that securing access to our digital lives is essential – but it’s only one piece of the broader data security picture.
Data is the lifeblood of today’s digital economy, growing rapidly in both volume and value across personal and enterprise environments. As attention shifts beyond access to how data is stored, protected, and preserved, secure storage becomes a foundational layer of trust – ensuring information remains safe, accessible, and resilient over time.
Ultimately, there is no data security without secure storage. As data continues to grow in importance, so must our commitment to protecting it – so it remains available, recoverable, and secure when it matters most.
Charles Guillemet
CTO at Ledger
Passwords are a relic of a less adversarial internet. They were never built to withstand the scale and sophistication of today’s threats, and that gap is only widening. AI is fundamentally rewriting the economics of security: lowering the cost of attacks, industrialising phishing and social engineering, and making the internet more adversarial by design.
In this context, asymmetric-cryptography-based authentication, such as passkeys, is a meaningful step forward. They reduce human error and improve usability. But they still rely on trusted environments, smartphones, and laptops, [which] remain vulnerable in a world where attackers are increasingly automated and adaptive.
What comes next is not just an evolution of authentication, it’s a paradigm shift. The account-based model that protects our secrets will give way to a model built on secure digital ownership, like Ledger’s, where users hold their own cryptographic keys securely and with sovereignty. In this world, wallets won’t just secure assets; they will become the primary interface for identity, authentication, and interaction online. You no longer log in; you connect. Your wallet becomes your identity. This is why wallets won’t simply replace passwords as a feature; they redefine the foundation of the internet itself: a model where trust is minimised, intermediaries are reduced, and users regain full control over both their digital value and identity.
Passkeys improve usability. Secure self-custody is the endgame, where security, identity, and ownership converge into a single, user-controlled system.
Darren Guccione
CEO and co-founder at Keeper Security
Every year, World Password Day generates the same conversation. And every year, attackers walk straight through the same open doors. Credentials remain the most exploited entry points in enterprise breaches – not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn’t just unlock an account. It hands an attacker a foothold for lateral movement, data exposure, and, in many cases, full environment takeover.
Password strength alone is not the issue. The real exposure sits in how credentials are stored, shared, and governed across users, systems, and service accounts. This is where Privileged Access Management (PAM) becomes critical. Enforcing least privilege, rotating credentials, removing standing access, and introducing visibility over how credentials are used changes the risk profile entirely.
Passkeys are gaining serious institutional momentum. The UK’s National Cyber Security Centre (NCSC) and US agencies, including CISA, are actively pushing phishing-resistant authentication aligned with FIDO standards – and adoption is already visible across public services. The direction is set. Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel.
Strong passwords still matter. But without control over who can use them, when, and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function.
Anne Cutler
VP global communications at Keeper Security
Most people don’t think about their passwords until something goes wrong. By then, the damage is usually already done. A breached email does not just expose one account – when passwords or variations of passwords are reused, it opens everything attached to them: password resets, linked services, saved payment details, the list goes on. It unravels faster than you might expect.
What makes this so frustrating is how little effort it takes on the attacker’s side. Credentials stolen from one platform get tested automatically across hundreds of others within seconds. And AI has made the front end of that process genuinely difficult to defend against. A phishing message, a fake login page, and impersonation are not crude scams anymore. They are convincing, personalised, and increasingly automated.
The good news is that the defence is not complicated. A password manager eliminates the reuse problem entirely, giving each account a strong, unique credential – whether it’s a traditional password or a phishing-resistant passkey – that is generated and stored without you having to think about it. Paired with built-in multifactor authentication, you remove the two entry points attackers rely on most.
The threats have gotten smarter. Fortunately, so have the tools.
Kevin Charest
Vice president of cyber governance services at Netrio
World Password Day has been around for more than a decade, but in the last year, the conversation has shifted from stronger passwords to MFA, phishing resistance, and passkeys. While it probably should be renamed “World Passkey Day”, the reality is that most people still use passwords for everything. Companies are also not using passkeys at scale, which means security tools are left to make up for the shortcomings of how people actually use passwords.
To this day, the single biggest issue remains password reuse. With so much breach and security incident data available, attackers often do not need to crack a password; they can take a known password and try it across multiple services and systems. Complexity rules do not fully solve the problem either. Users often just add a few required characters or move from “password123” to “password124”. Relying on user IDs and passwords as the primary form of security can be the downfall of many companies.
Until organisations can truly move away from passwords, MFA and detection tools must do more of the work. For SMBs and mid-market enterprises in particular, the challenge regarding passwords is especially tough. If they cannot afford to apply the highest level of security across the entire organisation – which, in many cases, is true, due to limited budget – they should at least identify critical roles and apply stronger controls in those areas. At a minimum, financial teams, employees sending or receiving money, and those handling sensitive data, intellectual property, or the company’s “crown jewels” need a higher level of security.
However, in the end, the biggest hurdle is not always technology. Culture eats technology for breakfast. Asking users to carry a physical hardware device or adopt a new authentication process can create resistance. At its core, change management is difficult, but necessary. Passwords are still the game for most users, and until that changes, companies need to treat password behaviour as a foundational security gap that must be actively managed.
Mohammed Khan
Strategic engagement lead at HP
World Password Day is a timely reminder for Australian businesses that the case for strong password hygiene and identity security has never been more compelling.
HP’s latest Threat Insights Report shows attackers are increasingly using AI to scale low-effort, modular campaigns that can bypass traditional defences. These aren’t always sophisticated attacks, but they are often effective. They highlight a shift in the threat landscape where speed and volume can outweigh complexity.
We’re seeing techniques like “vibe-hacking” scripts and reusable malware components, allowing attackers to rapidly build and adapt campaigns – including credential harvesting and account compromise. The reality is that even basic attacks can have a significant impact if organisations aren’t ready to respond.
This is why strong password practices and identity protection are critical. When threats target user credentials, simple steps like using unique passwords, enabling multifactor authentication, and adopting password managers can significantly reduce risk.
At HP, we believe organisations need to rethink security with a focus on reducing exposure – protecting identities, isolating high-risk activities, and building resilience from the hardware up.
World Password Day should serve as a call to action: strengthen your password practices, secure your identities, and ensure your organisation is prepared for evolving threats.
Munu Gandhi
President, Xerox IT Solutions, and chief technology officer at Xerox
World Password Day reinforces a simple reality: identity is the control point in modern cyber security.
At Xerox IT Solutions, we apply a zero-trust model where every access request is continuously validated using adaptive authentication. The focus is not more controls – it’s smarter, contextual access that reduces risk while enabling speed.
Organisations that build integrated identity frameworks will be better positioned to protect operations, earn client trust, and move with confidence in an increasingly distributed, AI-driven world.
Doug Kersten
CISO of Appfire
World Password Day reminds us that passwords are still one of the most common ways attackers gain access to systems, and the most common ways to protect information. Password risk doesn’t usually come from a single weak password; it comes from how those credentials are used across an organisation. Employees reuse the same passwords across systems, share access to move work forward, or connect them to new tools that aren’t centrally tracked. Over time, no one has a complete view of where access exists or who owns it.
That lack of visibility is exactly what attackers take advantage of. AI is making phishing emails, messages, and even voice calls more convincing, which increases the chances that someone could unknowingly give up a password that can be used across multiple systems. Password risk lies within everything that [the] password connects to. The priority now is to reduce how often passwords are used, limit where they can be used, and ensure every system and account has clear ownership. This includes using multifactor authentication, where you need a password and something you know, have, or are to increase the level of difficulty needed to compromise your accounts. When organisations have consistent visibility and control over access – alongside clear governance around how tools and credentials are used – a compromised password is far less likely to lead to a broader security issue.
Kevin Higgins
Senior consultant at Optiv
World Password Day is no longer just about protecting people. It’s now also about protecting machines. As machine-to-machine communication accelerates, strong, frequently rotated credentials are essential to ensure trusted systems don’t execute malicious or compromised instructions.
The challenge, however, is that many organisations still rely on static credentials. Long-lived API keys and persistent service account passwords create machine credentials with unlimited replay value. When credentials become permanent, compromise becomes persistent. If these credentials leak through logs, configuration files, AI, or repositories, attackers can impersonate trusted systems for extended periods without triggering the authentication signals typically associated with human access.
Modern security requires a shift to short-lived, cryptographic identities, where every workload proves what it is through mechanisms like mutual TLS authentication and temporary identity tokens. This ensures every interaction is verifiable and resilient by design.
The future of cyber security will be defined by how effectively we secure the machines that now act on our behalf, and passwords continue to play an important role in the evolving security journey.
Jack Cherkas
Global CISO at Syntax
World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialised credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale.
Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius. When the next breach arrives, “we didn’t know who or what had access” will not be acceptable as a defence.
The fix is not novel. For organisations: phishing-resistant multifactor authentication (MFA) and passkeys, single sign-on wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending, the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire.
The organisations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.
Jason Pearce
Field CTO APJ at Claroty
World Password Day is a timely reminder that despite years of warnings, “admin/admin” remains the skeleton key to the world’s most critical infrastructure. Shockingly, many important systems are still protected by these weak, unchanged default logins. In the realm of cyber-physical systems (CPS), weak or default passwords aren’t just a digital vulnerability – they are a direct threat to physical safety and operational uptime. As organisations continue to bridge the gap between IT and OT systems without the proper security in place, they are essentially leaving the front door unlocked to our power plants, water systems, and hospitals for any adversary with a basic search engine and a bit of persistence.
To shut this door, organisations must move past manual password management and embrace automated exposure management instead. Humans cannot feasibly manage hundreds or thousands of passwords at once – in many cases, humans can’t even identify every single device that exists on their network. Therefore, any good exposure management program must start with having total visibility into every connected asset across the XIoT. This should be followed by implementing secure access controls that “wrap” legacy systems in modern security layers like multifactor authentication (MFA). On this World Password Day, the goal shouldn’t simply be “have better passwords”. Instead, organisations should aim for a zero-trust architecture that ensures a single compromised credential can’t take down an entire production line, a power grid, or a healthcare facility.
Tomer Bar
Associate VP of security research at Semperis
Passwords have a terrible reputation, but that’s not really the password’s fault. It’s ours. Most of the risk comes from human limitations and predictable behaviour. The comforting myth is, “if the number of possible combinations for a 10-character password using lowercase letters, uppercase letters, digits, and special characters is enormous, then the password must be safe”. The total search space is in the order of tens of quintillions of combinations. Even if an attacker can test 1 billion guesses per second, it would take roughly 1,700 years to exhaust the entire space with a pure brute-force attack.
On paper, that looks great. It’s misleading – because very few people choose random 10-character passwords. Humans tend to fall back on predictable patterns: a capital letter first, followed by one or more lowercase letters, then one to four digits (often a year), and finally a single special character at the end.
Advanced attackers know this. They don’t brute-force the entire key space; they brute-force your habits, making it much quicker to guess. If you keep using passwords, the best practice is to stop letting humans design them. Use a password manager to generate and store long, truly random passwords (20-plus characters) and never reuse them; turn on MFA wherever possible so stolen passwords are far less useful; and for the few passwords you must remember, use long, unique passphrases made of random words instead of lyrics, quotes, or clever patterns. The goal is to make attacking you so difficult and unprofitable that attackers move on to easier targets.
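To make the point in the quote above concrete, here is an added worked example (not part of the original article or Semperis's material) that sizes the full 10-character keyspace against the "capital, lowercase, one to four digits, one trailing special" habit and includes a policy-side check that flags passwords shaped that way. It assumes 94 printable ASCII characters (26 lower, 26 upper, 10 digits, 32 specials) and the quote's rate of 1 billion guesses per second.

```python
import re

# Assumed character-set sizes: 26 lower, 26 upper, 10 digits and the
# 32 other printable ASCII characters as "special" (94 printable in total).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
FULL_ALPHABET = LOWER + UPPER + DIGITS + SPECIAL   # 94
GUESSES_PER_SECOND = 1_000_000_000                # the quote's 1 billion/s
SECONDS_PER_YEAR = 365.25 * 86_400

# The habit described in the quote: one capital letter, a run of lowercase
# letters, one to four digits (often a year), a single trailing special char.
HABIT = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}[^A-Za-z0-9]$")


def full_keyspace(length: int) -> int:
    """Every string of `length` characters drawn from the 94-char alphabet."""
    return FULL_ALPHABET ** length


def habit_keyspace(length: int, min_digits: int = 1, max_digits: int = 4) -> int:
    """Strings of `length` that fit HABIT: upper, lower+, digits{1..4}, special."""
    total = 0
    for d in range(min_digits, max_digits + 1):
        lower_run = length - 2 - d            # whatever is left is lowercase
        if lower_run < 1:                     # the pattern needs >= 1 lowercase
            continue
        total += UPPER * LOWER ** lower_run * DIGITS ** d * SPECIAL
    return total


def years_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to enumerate `space` candidates at `rate` guesses/s."""
    return space / rate / SECONDS_PER_YEAR


def hours_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    return space / rate / 3600


def follows_habit(password: str) -> bool:
    """Policy check: True when a candidate merely dresses up the common pattern."""
    return HABIT.fullmatch(password) is not None


if __name__ == "__main__":
    full, habit = full_keyspace(10), habit_keyspace(10)
    print(f"full 10-char space : {full:.3e} -> {years_to_exhaust(full):,.0f} years")
    print(f"habit-shaped subset: {habit:.3e} -> {hours_to_exhaust(habit):,.1f} hours")
    print(f"share of the full space the habit covers: {habit / full:.2e}")
    for pw in ("Summer2024!", "xK9#mQ2$vL7&"):   # constructed sample passwords
        print(f"{pw!r:16} follows habit: {follows_habit(pw)}")
```

The full space reproduces the quote's roughly 1,700 years, while the habit-shaped subset at the same rate falls to about 30 hours, which is why a policy check that rejects the pattern matters more than a complexity rule that merely requires each character class.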
Robb Reck
Chief information, trust, and security officer at Pax8
For most small and mid-sized businesses, the password is still the front door. After years of breaches, credential stuffing, and cheap compute power, that door is effectively unlocked.
MSPs exist to close that gap. Helping customers eliminate account takeover risk is one of the highest-leverage moves in the SMB security stack.
World Password Day is a reminder to act on the basics. Microsoft’s data is unambiguous: over 99.9 per cent of compromised accounts had no MFA. Turning it on is the single highest-impact control an SMB can implement today. Longer term, FIDO-based passkeys remove the password attack surface entirely by eliminating passwords from the equation.
The path is straightforward: unique credentials and MFA now, passwordless tomorrow. SMBs don’t need enterprise budgets. They need an MSP with a repeatable playbook and the will to enforce it.
Nick Nigro
VP sales, Reolink Australasia
As we mark World Password Day, it’s worth remembering that passwords are fundamental to our digital safety. With recent reports showing Australia logged 1.1 million leaked accounts in Q1 2026 alone, it’s clear that safeguarding our personal data has never been more critical.
At Reolink, we believe your security system should be safe from the moment you plug it in. That’s why we support the Australian government’s recent mandate to remove universal default passwords across consumer smart devices. Instead of relying on risky factory defaults, we have our users create their own unique passwords right from the setup.
Managing multiple logins can feel like a chore, but basic habits drastically improve your digital safety. Since longer equals stronger, always use at least 10 characters. Avoid real words, obvious names, and birthdays; instead, rely on random combinations of letters, numbers, and symbols to stop bad actors. If tracking these complex codes seems daunting, a password manager can securely generate and store them for you. Finally, always enable two-factor authentication (2FA). While it might require an extra step at login, that unique code sent to your phone provides a massive, necessary layer of defence.
Ultimately, the motivation for using strong, unique passwords is the exact same reason we use home security systems: safety, protection, and peace of mind.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.