Morey J. Haber
Chief Security Advisor at BeyondTrust
Each year, World Password Day arrives with a familiar message that is increasingly outdated. The password, once the foundation for authentication and digital trust, has become the weakest link in agentic AI and identity compromise. The uncomfortable truth is that passwords alone are no longer an effective identity security control. They have become a liability.
Threat actors typically do not hack in the traditional sense anymore via vulnerabilities and exploits. They simply log in via stolen credentials (username and passwords). Credential theft, password spraying, and replay attacks have industrialised access for crime syndicates and nation state threat actors. Billions of compromised credentials circulate across the dark web, and even the most complex password policy cannot defend against password reuse, human behaviour, and a leaked secret. Complexity does not equal security and if you rely on password obfuscation, it only increases user and automation friction.
Organisations must treat these changes in password (human) and secrets (machines) management as an inflection point. Identity has become the new perimeter, and passwords cannot carry that burden alone for trust. Multifactor Authentication (MFA) and Single Sign On (SSO) were the first evolution, but even these technologies are under pressure from phishing-resistant bypass techniques, social engineering, token theft, and SIM jacking. The next phase demands a shift toward passwordless architectures, implementing the principle of least privilege, continuous authentication, just-in-time access, and behavioural monitoring.
Raymond Schippers
Lead Technologist – ANZ, at Check Point Software Technologies
Despite years of warnings, users persistently reuse passwords, unaware that when one platform is breached, automated credential-stuffing attacks instantly unlock user profiles across hundreds of other services.
However, the biggest human element threat in 2026 isn't just password reuse – it's the accidental insider threat created by Generative AI. Indeed, the world is currently witnessing an epidemic of employees inadvertently feeding corporate secrets directly into AI tools.
According to Check Point Research, for the month of March 2026, one in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, impacting 91 per cent of organisations that use GenAI tools regularly. An additional 17 per cent of prompts contained potentially sensitive information. Even worse, 82 per cent of these copy-paste actions happen via unmanaged, personal accounts according to the LayerX report, creating a massive blind spot.
Mathieu Chevalier
Principal Security Architect at Genetec
AI is changing the speed and scale of cyber risk. Attackers can now move faster and are using AI to impersonate people, tailor social engineering attacks, uncover vulnerabilities at scale, and evade detection. To respond, organisations need to actively govern access and identity across their systems, not just set controls once and hope they hold.
These risks are already affecting organisations that manage physical security systems. The recent Genetec Enterprise Physical Security in the Cloud Era research, which was based on insights from more than 7,300 physical security professionals worldwide, found that 58.7 per cent of organisations have experienced an increase in phishing and smishing attacks, while 41 per cent reported a rise in overall physical or cyber incidents. Social engineering was identified by 43.5 per cent as a leading attack vector.
Genetec encourages organisations to move beyond isolated credential controls and adopt a governance‑first approach to identity management in physical security environments, including:
Strengthen identity and credential controls
Organisations should eliminate default and shared credentials, enforce strong authentication such as passkeys, and adopt multi-factor authentication (MFA) to reduce common attack entry points. This must extend to devices as well, replacing static passwords with certificate-based authentication when possible, and ensuring centralised management and regular credential rotation.
Closer alignment between IT and physical security teams
Bringing IT and physical security teams together helps apply consistent security standards, improve visibility into access risks, and coordinate incident response. As physical security systems become more connected to enterprise networks, cross-functional alignment can help organisations identify weak points and respond more effectively to credential-based attacks.
Governance-first management of physical security systems
Organisations should manage physical security infrastructure with the same rigour as other mission-critical systems. This includes regular access reviews, controlled updates, and partnerships with trusted technology partners that support long-term security, transparency, and operational resilience.
Ryan Rayner
Co-Founder and Chief Customer Officer at iCXeed.ai
World Password Day falling in the middle of Privacy Awareness Week is a timely reminder that trust is the new currency of customer experience, especially as AI reshapes how we all engage with customers at scale. In a world of rapid privacy reform, sharper regulatory expectations, and heightened concern about how AI systems handle personal information, organisations across Australia and New Zealand are under real pressure to prove their use of data is transparent, fair, and secure. Customers want the benefits of hyper‑personalised, AI‑driven interactions, but they are increasingly unwilling to sacrifice their privacy to get there. For me, this year’s theme of building trust lands squarely in the realm of CX, AI, and data leaders.
When I look ahead, I’m convinced the organisations that will win in our region are those that pair accredited cloud and AI expertise with an uncompromising commitment to privacy and customer trust.
Srinivas Gutta
Technical Director at Adactin
International Password Day is not just a reminder to update credentials; it is a timely signal that passwords, while still widely used, are no longer sufficient as a standalone control in today’s threat landscape. At Adactin, we see this as a clear call for organisations to move beyond basic password hygiene and adopt a more holistic, identity-first security model. This includes combining multi-factor authentication, privileged access controls, and zero-trust principles to ensure every access request is verified, not assumed. With the rapid enablement of AI, this shift becomes even more critical as cyber threats grow in sophistication and relying solely on passwords introduces unnecessary risk. Modern security demands a more resilient and adaptive approach to managing and protecting access.
At the same time, technology alone cannot solve the challenge. The real differentiator lies in building a strong security culture where employees understand their role in safeguarding digital assets. At Adactin, we view International Password Day as an opportunity for organisations to reinforce accountability and embed continuous awareness and education across their workforce. Strengthening user behaviour and security habits plays a vital role in reducing exposure to cyber threats. Ultimately, this is about moving from reactive compliance to proactive resilience, embedding secure practices, continuous monitoring, and user education into everyday operations to build trust in an increasingly digital world.
John Cannava
CIO at Ping Identity
As organisations rapidly adopt AI agents, large-scale data breaches are becoming less of an anomaly and more of an inevitability. These systems are doing more than just responding to prompts. They’re making decisions, taking actions, and even spawning new agents with increasing autonomy and speed. That shift fundamentally changes the security landscape.
The challenge is that many organisations are deploying AI agents faster than they can establish clear identity, accountability, and governance for them. When you can’t definitively answer what an agent did, why it did it, or under whose authority it acted, you introduce significant risk. This is why identity for AI must become a foundational priority. Every agent needs a verifiable identity with clear permissions and continuous oversight, just like any human user or service account. Without that, the growing ecosystem of autonomous AI will continue to expand the attack surface in ways most organisations aren’t yet prepared to manage.
Cynthia Lee
APAC VP at Delinea
World Password Day feels increasingly outdated. Passwords can no longer be relied on as a meaningful line of defence, as attackers routinely bypass them through social engineering and third-party apps.
To make matters worse, many organisations are deploying AI agents to improve productivity and granting them standing access to their core systems, which 72 per cent of Australian leaders acknowledge is increasing their security risk. AI agents are susceptible to revealing passwords themselves or to being used as an entry point for attacks.
Organisations can build true resilience by rethinking access altogether. For example, they can adopt ephemeral permissions, which last just for a set period, or just-in-time (JIT) access management, to ensure privileges exist only when needed, and drastically reduce the window of opportunity for attackers. By creating strict role-based access controls, businesses can limit both movement and overall exposure.
Ultimately, organisations’ mindsets must shift toward a model of zero standing privilege where no user, device, or agent is inherently trusted, and every access request is continuously verified.
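The ephemeral, just-in-time model described above, as an added illustration that is not part of the article or of any Delinea product: a small access broker in which no principal (human, service account or AI agent) holds standing privilege. Every action is re-checked against live grants, grants expire or can be revoked, a policy caps how long any grant can last, and the requester cannot approve their own elevation. The role catalogue, principal names, approvers and times are all constructed for the example.

```python
"""Added example (not from the original article or Delinea): a minimal
just-in-time (JIT) access broker with ephemeral, role-scoped grants and
per-request re-verification, i.e. zero standing privilege.
Roles, principals, approvers and the clock values are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: role -> the actions that role may perform.
ROLES = {
    "db-reader": {"db:select"},
    "db-admin": {"db:select", "db:alter", "db:drop"},
}


@dataclass
class Grant:
    principal: str          # human user, service account or AI agent identity
    role: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class JitBroker:
    max_ttl: timedelta = timedelta(minutes=30)   # policy ceiling on any grant
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # who got what, from whom, when

    def request(self, principal, role, ttl, now, approver):
        """Issue a time-boxed grant; rejects unknown roles, over-long TTLs and self-approval."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role}")
        if ttl > self.max_ttl:
            raise ValueError("ttl exceeds policy maximum")
        if approver == principal:
            raise ValueError("self-approval not allowed")
        grant = Grant(principal, role, now + ttl)
        self.grants.append(grant)
        self.audit.append(("grant", principal, role, approver, now))
        return grant

    def revoke(self, grant, now):
        grant.revoked = True
        self.audit.append(("revoke", grant.principal, grant.role, None, now))

    def authorize(self, principal, action, now):
        """Evaluate every request against live grants only: expired or revoked grants confer nothing."""
        for g in self.grants:
            if g.principal != principal or g.revoked or now >= g.expires_at:
                continue
            if action in ROLES[g.role]:
                self.audit.append(("allow", principal, action, g.role, now))
                return True
        self.audit.append(("deny", principal, action, None, now))
        return False


def demo():
    """Walk one agent identity through a grant lifecycle; returns the decisions in order."""
    t0 = datetime(2026, 5, 7, 9, 0, tzinfo=timezone.utc)   # constructed clock
    broker = JitBroker()
    decisions = []
    # No grant yet: the request is denied even though the identity is known.
    decisions.append(broker.authorize("agent-42", "db:select", t0))
    broker.request("agent-42", "db-reader", timedelta(minutes=10), t0, approver="alice")
    decisions.append(broker.authorize("agent-42", "db:select", t0 + timedelta(minutes=5)))   # in role, in time
    decisions.append(broker.authorize("agent-42", "db:drop", t0 + timedelta(minutes=5)))     # outside the role
    decisions.append(broker.authorize("agent-42", "db:select", t0 + timedelta(minutes=10)))  # expired exactly at TTL
    # A second, privileged grant that is revoked early, e.g. after a behavioural alert.
    admin = broker.request("agent-42", "db-admin", timedelta(minutes=10), t0 + timedelta(minutes=11), approver="bob")
    decisions.append(broker.authorize("agent-42", "db:alter", t0 + timedelta(minutes=12)))
    broker.revoke(admin, t0 + timedelta(minutes=13))
    decisions.append(broker.authorize("agent-42", "db:alter", t0 + timedelta(minutes=14)))
    # Policy ceiling: a two-hour grant is refused outright.
    try:
        broker.request("agent-42", "db-admin", timedelta(hours=2), t0, approver="alice")
    except ValueError:
        decisions.append("ttl_rejected")
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The point of the audit list is that the questions "what did the agent do, and under whose authority" are answerable after the fact, and the point of checking expiry on every call rather than at grant time is that a session or token cannot outlive the privilege it was issued for.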
Anthony Daniel
Managing Director, Australia, New Zealand and the Pacific Islands, at WatchGuard Technologies
This World Password Day, the conversation needs to move beyond password strength to the growing reality that most credentials are already exposed and circulating online.
Across Australia, where cybercrime is reported every six minutes, attackers are increasingly bypassing traditional intrusion methods altogether. Instead of breaking in, they are logging in using stolen credentials, acquired through phishing and infostealer malware, allowing them to operate without triggering conventional security alerts.
WatchGuard’s latest threat intelligence highlights how this shift is being enabled. Today, 96 per cent of malware arrives over encrypted channels, while 23 per cent is designed to evade traditional signature-based detection, making credential theft harder to spot and easier to scale.
For Australian organisations, this changes the role of identity entirely. A valid login can bypass legacy controls, leaving businesses exposed if they lack visibility beyond the point of access.
The focus now needs to shift from password strength to post-login detection. Multi-factor authentication remains essential, but it must be paired with continuous monitoring and behavioural analysis to identify when legitimate credentials are being misused. The question is no longer whether passwords will be compromised, but how quickly organisations can detect and respond when they are.
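The post-login detection the comment above calls for, as an added example that is not from the article or from WatchGuard's own products: a scorer that runs over sign-in and activity logs, treats a successful login as the start of a review window rather than the end of one, and flags a valid session when it deviates from the user's baseline (new country or device), contradicts the previous login's location within too short a time (impossible travel), or is followed within minutes by actions typical of account takeover (adding an MFA method, creating a mailbox rule, bulk download). The log lines, users, devices, weights and thresholds are all constructed for the example.

```python
"""Added example (not part of the original article or WatchGuard's products):
post-login detection over constructed sign-in/activity logs. Each successful
login is scored by deviation from a per-user baseline, by impossible travel
against that user's previous login, and by sensitive actions in the minutes
after it. Log lines, users, devices, weights and thresholds are constructed."""
import json
from datetime import datetime, timedelta

# Constructed JSON-lines log: one user whose valid credentials are reused from
# an unfamiliar country, and one user behaving normally.
SAMPLE_LOG = """
{"ts":"2026-05-07T08:02:11Z","user":"j.smith","event":"login","result":"success","country":"AU","device":"laptop-7731"}
{"ts":"2026-05-07T08:05:40Z","user":"j.smith","event":"mail.read","result":"success","country":"AU","device":"laptop-7731"}
{"ts":"2026-05-07T08:40:09Z","user":"j.smith","event":"login","result":"success","country":"NG","device":"unknown-a1f3"}
{"ts":"2026-05-07T08:41:02Z","user":"j.smith","event":"mfa.method_added","result":"success","country":"NG","device":"unknown-a1f3"}
{"ts":"2026-05-07T08:43:50Z","user":"j.smith","event":"mailbox.rule_created","result":"success","country":"NG","device":"unknown-a1f3"}
{"ts":"2026-05-07T08:44:30Z","user":"j.smith","event":"files.bulk_download","result":"success","country":"NG","device":"unknown-a1f3"}
{"ts":"2026-05-07T09:10:00Z","user":"a.wong","event":"login","result":"success","country":"AU","device":"laptop-2210"}
{"ts":"2026-05-07T09:12:00Z","user":"a.wong","event":"files.bulk_download","result":"success","country":"AU","device":"laptop-2210"}
"""

# Constructed per-user baseline, as a real deployment would learn it from history.
BASELINE = {
    "j.smith": {"countries": {"AU"}, "devices": {"laptop-7731"}},
    "a.wong": {"countries": {"AU"}, "devices": {"laptop-2210"}},
}

# Hypothetical weights for actions that often follow a credential takeover.
SENSITIVE = {"mfa.method_added": 3, "mailbox.rule_created": 3, "files.bulk_download": 2}
POST_LOGIN_WINDOW = timedelta(minutes=15)
TRAVEL_WINDOW = timedelta(hours=2)
ALERT_THRESHOLD = 5


def parse(log_text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def score_login(login, events, baseline, prev_login):
    """Return (score, reasons) for one successful login."""
    reasons, score = [], 0
    b = baseline.get(login["user"], {"countries": set(), "devices": set()})
    if login["country"] not in b["countries"]:
        score += 2
        reasons.append("new_country:" + login["country"])
    if login["device"] not in b["devices"]:
        score += 2
        reasons.append("new_device:" + login["device"])
    # Impossible travel: a different country within a short time of the last login.
    if (prev_login and prev_login["country"] != login["country"]
            and login["ts"] - prev_login["ts"] < TRAVEL_WINDOW):
        score += 3
        reasons.append(f"impossible_travel:{prev_login['country']}->{login['country']}")
    # Sensitive actions taken by the same user shortly after this login.
    for e in events:
        if (e["user"] == login["user"] and e["event"] in SENSITIVE
                and login["ts"] < e["ts"] <= login["ts"] + POST_LOGIN_WINDOW):
            score += SENSITIVE[e["event"]]
            reasons.append("post_login:" + e["event"])
    return score, reasons


def detect(log_text, baseline):
    """Score every successful login and return those above the alert threshold."""
    events = parse(log_text)
    last_login, alerts = {}, []
    for e in events:
        if e["event"] != "login" or e["result"] != "success":
            continue
        score, reasons = score_login(e, events, baseline, last_login.get(e["user"]))
        last_login[e["user"]] = e
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE):
        print(json.dumps(alert))
```

On the sample data the second j.smith login scores 15 (new country, new device, impossible travel and three sensitive follow-on actions) while a.wong's routine bulk download scores 2 and stays below the threshold; the login itself was "valid" in both cases, which is exactly why the signal has to come from what happens around it rather than from the password check.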
James Ross
Regional Vice President – ANZ, at Saviynt
World Password Day is a good reminder for Australian businesses and their workforces that passwords alone are no longer enough to protect their organisation. Indeed, passwords are the low-hanging fruit that cybercriminals turn to first to commit identity theft and financial fraud.
Today, however, as businesses accelerate their AI agenda, attackers increasingly also have the advantage to scale credential-based attacks. As a result, identity security is no longer a peripheral concern but a core business priority, and, as cyber threats continue to evolve, organisations must adopt a holistic approach that combines technology, processes and people. They require robust visibility into who has access to what, and stronger controls to manage and adjust that access as risks evolve.
With digital ecosystems expanding and the boundaries of the enterprise becoming more fluid, identities have become the new perimeter with the core test ahead to establish visibility and governance. Ultimately, reducing reliance on passwords starts with taking a more proactive approach to managing identity and access across the business. Fixing access governance makes reducing password reliance an automatic outcome, not a separate initiative. The north star aim: improved user experience and better security.
Jeramy Kopacko
Associate Field CISO Americas at Sophos
Despite heavy pushes from Apple, Google, Microsoft, CISA, and us (Sophos) encouraging stronger authentication methods, compromised credentials remain our most observed root cause in identity-related attacks last year.
Attackers will take advantage of password breaches from popular sites and apps we use as consumers. This is low-hanging fruit to obtain with a strong history of success in cyber-attacks. This allows for spray and pray attempts or building a dictionary of your password history.
Each year, these password breaches are analysed to understand user habits and password practices. They reveal two main problems:
- Passwords are weak, lacking complexity or character length
- Passwords are reused across several sites and services
As a consumer, use the day to set up or help someone else set up a password manager. This will automate the process of creating unique passphrases, storing them, and managing the login experience. Password managers can ensure only the proper site is receiving credentials and scan emerging password breaches to see if you’re impacted.
As a professional, investigate your identity and authentication strategy across the organisation. Evaluate what is required and how you can move the organisation to a passkey-based method. It will greatly reduce your identity-based risks while improving the user experience.
Kawin Boonyapredee
APJ CISO advisor at KnowBe4
World Password Day 2026 is a call to stop treating passwords as the perimeter and start treating identity as the perimeter: reduce password reliance, use long unique ones (25+ characters) when you must, adopt phishing‑resistant MFA and passkeys, and make behavioural and risk‑based checks part of every login. Small steps today greatly reduce the chance an attacker can simply “log in as you”.
This day matters because it creates a predictable, global moment to act: not later, not when an incident happens, but now. Regularly scheduled reminders overcome human inertia: people and organisations are far more likely to adopt a password manager, enable phishing‑resistant MFA, update recovery contacts, or audit shared credentials when prompted by a recognisable event. That collective action reduces the pool of easily exploitable accounts, raises the baseline of resilience across services, and makes large-scale automated attacks such as credential stuffing and mass phishing less effective.
Carlos Arnal
Product Marketing Manager at WatchGuard
For years, the security conversation revolved around the password. Make it long, make it complex, never reuse it. And that made sense, because it was the primary line of defence. Today, that line has shifted. When an attacker wants to get into a company, in most cases they do not try to break anything: they test credentials they already have in their possession.
Verizon’s latest Data Breach Investigations Report makes this clear: stolen credentials remain the most common entry point in attacks affecting organisations of any size. For the attacker, it is simple. For the defender, it is incredibly difficult because someone logging in with a valid password does not look like an attacker. They look like just another employee.
The good news is that the tools to respond already exist and are mature. Multifactor authentication remains the foundation, and it should be enabled on every account without exception. Where the risk is greatest – administrator access, executive teams, critical systems – passkeys offer something passwords never could: a mechanism that cannot be stolen through phishing. Zero Trust policies add context to every access attempt, evaluating whether it makes sense for that person to connect from that location at that time. Continuous monitoring of leaked credentials makes it possible to act before someone uses them, not after. These layers already exist; they are accessible, and the challenge lies in deploying them with the level of priority they deserve. That is what it means today to treat identity security as a company responsibility.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.