Every year, World Password Day arrives with a familiar chorus: use longer passwords, don’t reuse them, enable multi-factor authentication. And every year, attackers walk straight through the same open doors. The advice hasn’t changed dramatically. The threat has, and the gap between the two is wider than ever.
In 2026, the conversation around passwords sits at a genuine inflection point. Passkeys are gaining serious institutional momentum. AI is turbocharging credential attacks at an industrial scale. Machine identities are multiplying in ways that make human password hygiene look like a quaint footnote. And yet, in most organisations, the foundational problems remain stubbornly unsolved: default credentials left unchanged, credentials stored and shared insecurely, recovery routes left pointing at old phone numbers, and access governed by policy documents that nobody enforces.
We asked leading voices from across the security industry to share their thinking. The picture that emerges is urgent, honest, and sometimes uncomfortable.
The Credential Problem Isn’t About Password Strength
Let’s start with the headline finding that should make every IT team uncomfortable. According to Dragos Sandu, Product Manager at Pentest-Tools.com, whose team analysed findings from offensive security testing workflows since the start of 2026, the single biggest category of credential-related findings isn’t weak passwords at all. “Looking at findings from real offensive security testing workflows since the start of the year, the single biggest category isn’t weak passwords. It’s default credentials. Roughly 60% of those findings came from services still running factory-default logins: FTP first, then RDP, Redis, HTTP-accessible admin interfaces, Telnet,” Sandu said. “That’s worth sitting with. These aren’t findings that require sophisticated brute-forcing or breach data. They require trying the credentials that came in the box.
When weak passwords do appear, they follow the same pattern: FTP leads by a significant margin (60%), followed by HTTPS, Telnet, VNC, and SSH. Remote access and file transfer services, exactly the kinds of interfaces that get stood up, forgotten, and left exposed.
The practical implication is that most organisations have already solved the password problem in the places they think about it: their corporate SSO, their email, their well-monitored identity layer. What they haven’t solved is the perimeter they don’t look at. A Redis instance with default credentials, reachable from a compromised workstation, isn’t in anyone’s password rotation policy. Neither is the FTP server that got stood up for a vendor transfer two years ago.
Default credentials on network-facing services remain one of the most reliable paths to initial access and lateral movement that assessments consistently validate. They’re not glamorous. They show up in almost every environment we test.”
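The Redis case Sandu describes is a configuration problem as much as a password problem: Redis ships with no password, so an instance is "default credentials" unless someone sets one. The following audit script is an added illustration, not Pentest-Tools.com code; it parses a redis.conf and flags the three directives that decide whether a forgotten instance is reachable without a credential (requirepass, bind, protected-mode). Both configuration samples are constructed, and the 16-character threshold is an assumption chosen for the example.

```python
"""Audit a redis.conf for settings that leave an instance usable with no credential.
Added example (constructed samples), not code from the article or its contributors."""

# Constructed sample: what a stood-up-and-forgotten instance often looks like.
# Redis ships with `requirepass` commented out, so this is the factory default.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed sample: the same instance after remediation.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
"""


def parse_conf(text: str) -> dict:
    """Return {directive: value}, ignoring comments and blank lines.
    Redis honours the last occurrence of a repeated directive, so we keep the last."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def audit_redis_conf(text: str) -> list:
    """Return (severity, message) findings for a redis.conf; empty list means clean."""
    conf = parse_conf(text)
    findings = []

    password = conf.get("requirepass", "")
    if not password:
        findings.append(("high", "no requirepass: any client that reaches the port is an administrator"))
    elif password == "foobared" or len(password) < 16:
        # "foobared" is the example value in the shipped redis.conf comment.
        findings.append(("high", "requirepass is the documented example value or shorter than 16 characters"))

    # With no bind directive at all, Redis listens on every interface.
    bind = conf.get("bind", "").split()
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append(("high", "bind listens on all interfaces"))

    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append(("medium", "protected-mode disabled"))

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or "no findings")
```

Run the script against a copy of each Redis instance's configuration; the point is that the weak sample has no credential at all rather than a guessable one, which is exactly the category the testing data puts first.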
The Governance Gap: Why Credentials Keep Failing
Darren Guccione, CEO and co-founder at Keeper Security, has spent years watching organisations invest in security tooling while leaving access management as an afterthought. His assessment of where the real exposure lies is unsparing. He explains, “Credentials remain the most exploited entry points in enterprise breaches – not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn’t just unlock an account. It hands an attacker a foothold for lateral movement, data exposure, and, in many cases, full environment takeover.
Password strength alone is not the issue. The real exposure sits in how credentials are stored, shared, and governed across users, systems, and service accounts. This is where Privileged Access Management (PAM) becomes critical. Enforcing least privilege, rotating credentials, removing standing access, and introducing visibility over how credentials are used changes the risk profile entirely.
Passkeys are gaining serious institutional momentum. The UK’s National Cyber Security Centre (NCSC) and US agencies, including CISA, are actively pushing phishing-resistant authentication aligned with FIDO standards – and adoption is already visible across public services. The direction is set. Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel.
Strong passwords still matter. But without control over who can use them, when, and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function.”
AI Is Fundamentally Changing the Attack Surface
Perhaps the most significant shift in 2026 is how artificial intelligence is affecting credential attacks. Jack Cherkas, Global CISO at Syntax, describes a transformation that makes last year’s threat landscape look almost quaint. He says, “World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialised credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale.
Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius. When the next breach arrives, ‘we didn’t know who or what had access’ will not be acceptable as a defence.
The fix is not novel. For organisations: phishing-resistant multi-factor authentication (MFA) and passkeys, single sign-on wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending; the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire. The organisations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.”
Kevin Higgins, senior consultant at Optiv, extends the argument to the machines themselves, saying, “World Password Day is no longer just about protecting people. It’s now also about protecting machines. As machine-to-machine communication accelerates, strong, frequently rotated credentials are essential to ensure trusted systems don’t execute malicious or compromised instructions.
The challenge, however, is that many organisations still rely on static credentials. Long-lived API keys and persistent service account passwords create machine credentials with unlimited replay value. When credentials become permanent, compromise becomes persistent. If these credentials leak through logs, configuration files, AI, or repositories, attackers can impersonate trusted systems for extended periods without triggering the authentication signals typically associated with human access.
Modern security requires a shift to short-lived, cryptographic identities, where every workload proves what it is through mechanisms like mutual TLS authentication and temporary identity tokens. This ensures every interaction is verifiable and resilient by design.
The future of cybersecurity will be defined by how effectively we secure the machines that now act on our behalf, and passwords continue to play an important role in the evolving security journey.”
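Higgins's contrast between a static API key with "unlimited replay value" and a short-lived, scoped credential is easy to show in code. The example below is added for illustration and is not Optiv's code or any particular vendor's token format: it issues an HMAC-signed workload credential carrying a subject, a scope list and an expiry, and the verifier rejects anything expired, tampered with or out of scope, returning the reason so the rejection can be logged. The issuer key, subject name and five-minute lifetime are constructed assumptions.

```python
"""Short-lived, scoped workload credentials versus a static API key.
Added example; the token envelope is a deliberately minimal constructed format,
not a JWT library or a vendor's implementation."""
import base64
import hashlib
import hmac
import json

# Constructed issuer secret. In a real deployment it lives in a vault or HSM;
# the point of the example is the credential's lifetime, not key handling.
ISSUER_KEY = b"constructed-issuer-key-for-illustration-only"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(subject: str, scopes, now: int, ttl: int = 300) -> str:
    """Issue a credential bound to a workload identity, a scope list and an expiry.
    A leaked copy is worthless after `ttl` seconds; a static key never expires."""
    claims = {"sub": subject, "scope": sorted(scopes), "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def verify(token: str, required_scope: str, now: int):
    """Return (claims, None) if the token is authentic, unexpired and carries the
    scope; otherwise (None, reason). The reason is what you log and alert on."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):  # constant-time compare
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong field count, bad base64 or bad JSON
        return None, "malformed token"
    if now >= claims["exp"]:
        return None, "expired"
    if required_scope not in claims["scope"]:
        return None, "scope not granted"
    return claims, None


if __name__ == "__main__":
    import time
    token = mint("svc-billing", ["read:invoices"], now=int(time.time()))
    print(verify(token, "read:invoices", now=int(time.time())))
    print(verify(token, "read:invoices", now=int(time.time()) + 600))  # expired
```

Because `verify` takes the clock as a parameter, the same token can be checked at issue time and again after its lifetime, which is the behaviour a static key can never give you: the credential that leaked into a log or a repository last month simply stops working.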
The Attack Sophistication Is Now Personal
Nathan Davies-Webb, Principal Consultant at Acumen Cyber, has watched phishing and account takeover attempts reach a new level of sophistication, one that fundamentally changes the nature of social engineering risk. He says, “We are seeing more password reset scams, phishing emails, and account takeover attempts than ever before, particularly as AI makes these attacks more convincing and personalised. What used to be easy to spot is now far more polished, with attackers able to mimic trusted brands, familiar language, and even internal business communications.
For individuals, a few basic password practices make a huge difference. Never click unexpected password reset links, even if they appear genuine. If you receive a message claiming there is an issue with your account, it’s always best to go directly to the platform itself rather than following the link in the email. In today’s connected world, be aware of when somebody may be trying to get useful background information on phrases that could be in your password – a phone call or Instagram post can be enough to confirm your pet’s name or birthday, or reveal some other information while you’re in a hurry. This is where using unique passwords for every account is also critical, because once one password is exposed, attackers will often try the same credentials across multiple services. There are plenty of free password managers that generate strong and random passwords while working across your desktop and mobile device to make logging in seamless.
Multi-factor authentication (MFA) is equally important, but organisations and users should move beyond weak methods like SMS and email where possible. App-based authentication, like Time-Based One-Time Password and push notifications with number matching, offers much stronger protection against account takeover attempts.
For businesses, a password isn’t enough to provide good confidence that a user is who they say they are, and they should adopt zero-trust principles whenever possible. Organisations need to enforce strong password policies, use conditional access controls and monitor for suspicious login activity, using a baseline of expected activity. Security awareness training also needs to evolve to reflect how modern phishing attacks actually look and behave today, such as the increase in vishing or quishing.
Even more importantly, businesses should assume that some credentials will eventually be compromised. The focus should therefore be on adopting more modern standards like Passkeys and limiting what attackers can actually do in an identity breach through layered security, visibility, and rapid detection.
If someone believes they may have already clicked a malicious link, they should immediately notify their company’s security team, who can support in changing passwords directly through the legitimate methods, reset any reused passwords on other accounts, and review MFA settings and monitor for unusual account activity. The quicker this is addressed, the better the chance of preventing a wider compromise.”
Behaviour Is the Gap Technology Can’t Close on Its Own
Tim Ward, CEO and co-founder at Redflags, argues that fixating on technology misses where the real problem lives, saying, “The attack surface has shifted dramatically in recent years. Ransomware is on the rise, credential-based attacks are more sophisticated, and yet most breaches still trace back to the basics, including weak passwords, no 2FA, and employees sharing access through informal channels. The reality is that organisations operate in complex, hybrid environments where employees manage numerous credentials, and where risk isn’t inevitable so much as it is largely preventable. However, the gap is rarely technology; it’s behaviour, and when security education is done effectively, focusing on secure behaviour change, the results speak for themselves. In fact, we’ve seen credential entry after phishing links drop by as much as 82% in some cases.
With regulatory standards tightening, the stakes have never been higher: a breach today means far more than lost data; it means damaged customer trust, revenue loss, and long-term reputational harm that can take years to recover from. The shift towards passwordless technologies, enforced MFA, and centralised identity management all reflect a broader move to reduce reliance on human behaviour. For businesses, World Password Day should be less about changing passwords and more about building a culture where employees genuinely understand the risks. To do this, they often need contextual support and behavioural nudges. Technology alone doesn’t close the gap, and neither does awareness in isolation. Telling people about risk rarely changes what they do in the moment. What does work is intervention at the point of decision: a timely nudge when someone is about to enter credentials into a phishing site, share sensitive data through an unmanaged channel, or feed confidential information into an unsanctioned AI tool. As AI usage accelerates, that last risk is no longer theoretical. It’s happening daily, often invisibly. The goal isn’t awareness. It’s managing risk where it actually lives, in the moment, on the device, with the person.”
Chris Gunner, vCISO at Thrive, echoes this identity-led framing. He says, “World Password Day is certainly still a useful reminder of the importance of password hygiene – ensure passwords are unique across different accounts, incorporate a mix of letters and characters and don’t use any personal information. However, the key priority for organisations in today’s cyber landscape should be reducing dependence on passwords as a single control.
With evolving phishing and social engineering techniques being used to obtain the credentials of legitimate users and bypass security controls, even a strong password can be undermined if the wider identity and access environment is not properly managed.
Passwords must therefore complement a broader identity-led strategy. They’re perfect as a first line of defence, but a second identification step is needed so accounts continue to stay protected if a password is breached. Multi-factor authentication requires an additional form of verification, such as a code provided to the user via an app or biometric proof, before an account can be accessed. Biometric protection, in particular, is nearly impossible for hackers to get past.
MFA controls should then be joined by identity governance and endpoint protection so gaps between systems are reduced. A broader Zero Trust and secure access model should revolve around users and devices being verified before access is granted, and then continuously validated thereafter, rather than trusted by default.
Businesses should also never forget the importance of education. People should be trained to recognise suspicious messages, avoid handing over sensitive information, stay current on threat trends and act as a stronger line of defence alongside controls such as MFA and other security tools.”
Passkeys: The Promise, and the Patience Required
Every expert we spoke to pointed toward passkeys as the direction of travel. The institutional endorsement is real: the NCSC is actively recommending passkeys wherever services support them. Consumer appetite is measurable. Danny de Vreeze, VP of Identity and Access Management at Thales, said, “The industry has spent decades trying to improve passwords, but the reality is that people have long moved on. When 68% of consumers say they trust companies more when passkeys are used, it’s clear that authentication is no longer just a security control but a key part of the overall customer experience. The Thales Digital Trust Index shows that trust in businesses to protect data remains low, with most industries struggling to earn the confidence of even half their customers. People are looking for clear reassurance that their data is protected, and passkeys are one simple, seamless way to provide that. The challenge is that while 87% of IT decision makers recognise the importance of passkeys, only around half have actually implemented them. Consumers are ready for passwordless, but businesses are lagging behind. Closing that gap isn’t just about reducing risk; it’s about building trust from the very first interaction and turning security into a competitive advantage. Customers are officially over passwords, and businesses need to keep up.”
Steven Furnell, senior IEEE member and professor of cybersecurity at the University of Nottingham, welcomes the direction but urges realism about the timeline. Furnell says, “The NCSC’s recommendation to use passkeys ‘wherever a service supports them’ is good from both security and usability perspectives. Passkeys have been specifically designed to overcome our primary problems with passwords.
However, the ‘wherever supported’ aspect is a potential challenge, because many users won’t be able to follow the guidance uniformly or consistently across the services they use. Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience. It’s still the correct advice, but no matter how good passkeys are, we need to recognise that this is going to be a long game rather than flipping a switch.
Where passwords are still in use, it’s far too easy to find sites that fail to support the user in two significant and fundamental ways: by asking them to create new passwords while providing little or no tangible guidance on how to do so securely, and/or allowing them to get away with making choices that would generally be regarded as weak. While some might argue that it’s the user’s responsibility to protect themselves properly, they need to know how to do it. Where are they supposed to get this knowledge if the sites don’t offer it? Why would the user even suspect there’s a problem if the site lets them choose a poor password without complaint?
This World Password Day, the main message ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so.”
Minh Nguyen, VP of Identity Security at Entrust, offers the starkest verdict on passwords as a technology. “Passwords are a relic. Designed for a simpler digital era, they were never built to withstand today’s sophisticated threat landscape. Yet compromised passwords remain the leading cause of data breaches, enabling account takeover attacks through phishing, malware, and social engineering. As fraud techniques grow more organised, targeted, and increasingly AI-driven, continuing to rely on passwords is a risk organisations can no longer afford. On World Password Day, the focus should be on moving beyond credentials to methods that bring enhanced security and convenience. By using authentication methods consumers already trust, such as biometrics, organisations are strengthening security in a way that feels familiar to users rather than disruptive. Most importantly, biometrics enable continuity of identity, confirming that the person accessing or transacting on an account is the same individual who opened it. That continuity is essential for protecting accounts, money, and personal data as fraud becomes harder to detect and easier to scale.”
The Basics Still Matter and They’re Still Being Ignored
Amidst the discussion of passkeys, AI threats, and machine identities, it’s worth pausing on what Richard Bradley, Data Protection Team Manager at WorkNest Secure, identifies as the persistent, mundane reality. He says, “Most people do not think twice about their passwords until something goes wrong, whether that is a compromised email account, a suspicious login notification, or, in some cases, a full-scale data breach. Yet weak password habits remain one of the easiest ways for cyber criminals to gain access to personal and business accounts.
One of the most common mistakes people still make is reusing the same password across multiple accounts and services. If just one of those accounts is breached, attackers can quickly try those same details elsewhere, potentially gaining access to email, banking, shopping, or work systems. For most people, the advice is simple: use strong and unique passwords for every account, enable multi-factor authentication wherever possible, and consider using a good-quality password manager to safely store passwords if you will struggle to remember these. Never ignore software updates, as these often patch security vulnerabilities that attackers actively exploit. Good quality passwords often follow the 3-4 random words approach, as these offer complexity while being memorable.
Passkeys are increasingly being seen as the future of secure login methods, with strong backing from organisations such as the NCSC. They offer a more streamlined and phishing resistant way to access systems, reducing the need to remember multiple passwords and helping tackle password fatigue. However, there is still a balance to strike. If a device or authentication service is lost or compromised, recovering access can become more complicated, so organisations and individuals need to choose solutions that work for their level of risk and operational needs.
For businesses, password safety should not just be seen as an IT issue. Simple yet comprehensive policy backed by staff training is critical, particularly around phishing attacks and credential theft. Organisations should also look to adopt modern authentication methods such as passkeys where appropriate, enforce multi-factor authentication across all cloud services, and regularly review access controls to ensure employees only have access to what they genuinely need. Good password behaviour may seem basic, but it remains one of the most effective ways to reduce the risk of cyber attacks.”
Javvad Malik, lead CISO advisor at KnowBe4, cuts through the complexity with characteristic directness. “Passwords are like fax machines. Some people still use them, but they’re well past their best. Use this year’s World Password Day to reduce the number of passwords you have and start replacing them with alternatives like passkeys where you can. Don’t try to fix every account in one go. Pick your 5 most important accounts: email, banking, main socials, cloud storage, etc., and secure them first. The weak spot often isn’t the password, but the recovery route. Check to make sure accounts don’t still use old phone numbers or outdated backup emails, and aren’t still tied to old devices. These can become an easy point of compromise,” says Malik.
The Research Gap: Why Investment Isn’t Enough
Son Nguyen Kim, head of Proton Pass at Proton, arrives with data that should reframe the entire conversation and challenge one of the most persistent assumptions in security. He says, “World Password Day tends to bring the same familiar advice each year: use stronger passwords, avoid reusing them, and enable two-factor authentication. But Proton’s latest research reveals a more uncomfortable truth. Businesses are already doing these things, and it still is not enough. We surveyed 3,000 small business leaders across six markets and found that 92% are investing in cybersecurity measures. Yet despite this, one in four experienced an attack or breach in the past year.
This points to a deeper issue. It is not a lack of awareness or even a lack of preparation. It is the challenge of consistently enforcing secure tools and effectively detecting and stopping threats. For example, more than half of the businesses we surveyed have deployed password managers. However, those same organisations report that employees continue to share credentials via email, messaging apps, and even shared spreadsheets.
This research also challenges the stereotype that small businesses do not take security seriously. In reality, most are investing in tools and training. The problem is that making security work in practice, with real people and everyday workflows, is far more difficult than simply deploying a tool or designing a policy. Not every password manager is built with collaboration in mind. As a result, employees often fall back on insecure workarounds. Security should not depend on every employee and partner getting everything right all the time. True protection comes from systems, policies, and practices that are resilient enough to work effectively in real-world conditions, where mistakes are inevitable. That is the real issue World Password Day should be highlighting.”
The Managed Transition: Building for the End of Passwords
Dan Moore, Sr. Director of CIAM Strategy at FusionAuth, offers a perspective that is both clear-eyed about where the industry stands today and unusually candid about where it is heading. Moore says, “World Password Day exists because passwords remain the weakest link in most security chains and that’s still true in 2026, even as passkeys gain momentum. The reality is that the vast majority of applications in production today still rely on passwords as either a primary or fallback credential. That means the basics still matter enormously: checking credentials against breach databases, knowing and following NIST guidelines, and making it easy for users to do the right thing. The industry’s job right now isn’t to declare passwords dead but to manage the transition responsibly while the ecosystem catches up.
I genuinely wonder how many more World Password Days we’ll observe. Passkeys are now supported across every major platform, social login, SMS and email OTPs are mainstream fallbacks, and the developer tooling to implement passwordless has never been more accessible. We’re not there yet: passwords will be with us for years, embedded in legacy systems and user habits, but the trajectory is clear. The question for businesses isn’t whether to move beyond passwords; it’s how to build their identity infrastructure today in a way that makes that transition smooth when the time comes, rather than painful.”
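Moore's "basics" for the systems that still take passwords, checking candidates against breach data and following the NIST guidelines, look like the checker below. It is an added example, not FusionAuth's code: it applies the NIST SP 800-63B rules (length bounds, no composition rules, a blocklist of breached values and of context-specific words such as the service name) and does the breach lookup with the k-anonymity pattern, where only the first five hex characters of the SHA-1 leave the client and the client matches the suffix locally. The breach corpus here is a constructed three-entry stand-in for a real range-query service, and the 8/64 character bounds are the guideline's minimum and the smallest maximum it requires a verifier to accept.

```python
"""NIST SP 800-63B style password acceptance check with a k-anonymity breach lookup.
Added example; the breach corpus is constructed, the lookup is a local stand-in."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (counts are made up). A real deployment
# queries a breach-database range endpoint; only the 5-character prefix is sent.
_BREACHED_SAMPLE = {"password": 9_000_000, "letmein": 120_000, "qwerty123": 45_000}


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Index the constructed corpus the way a range service does: prefix -> [(suffix, count)].
_RANGE_DB = defaultdict(list)
for _pw, _count in _BREACHED_SAMPLE.items():
    _digest = _sha1_hex(_pw)
    _RANGE_DB[_digest[:5]].append((_digest[5:], _count))


def range_lookup(prefix: str) -> list:
    """Stand-in for the network call. The server learns only this prefix and answers
    with every suffix it knows under it; the client does the matching."""
    return _RANGE_DB.get(prefix, [])


def breached_count(pw: str) -> int:
    """How many times the password appears in breach data (0 if never seen)."""
    digest = _sha1_hex(pw)
    for suffix, count in range_lookup(digest[:5]):
        if suffix == digest[5:]:
            return count
    return 0


def check_password(pw: str, context_words=(), min_len: int = 8, max_len: int = 64) -> list:
    """Return the reasons a candidate is rejected; an empty list means accept.
    Deliberately no composition rules (no 'one digit, one symbol'), per 800-63B."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    for word in context_words:  # service name, username, and similar
        if word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    count = breached_count(pw)
    if count:
        reasons.append(f"found in breach data {count} times")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "short", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, context_words=["acme"]) or "accepted")
```

The rejection reasons are meant to be shown to the user at the moment of choice, which is the "tangible guidance" Furnell says most sites fail to provide; a multi-word passphrase of the kind Bradley recommends passes untouched, while a common breached value is refused regardless of how many character classes it contains.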
What World Password Day Should Actually Mean in 2026
The expert consensus that emerges from this year’s World Password Day is more nuanced than the usual hygiene checklist, and more demanding.
For individuals: Use a password manager. Enable MFA on every account and upgrade from SMS where possible. Audit your five most critical accounts this week. Check your recovery routes. Where passkeys are available, use them. Understand that the most personalised-looking phishing email you receive may be the most dangerous one you’ve ever seen.
For organisations: Stop treating access as a one-time configuration. Privileged Access Management isn’t optional. Default credentials on network-facing services need to be audited and rotated, not just the ones you’re monitoring, but the ones you’ve forgotten about. Non-human identities, such as service accounts, AI agents, and API keys, require the same lifecycle management as human accounts. Phishing-resistant MFA needs to be deployed, not just discussed. And the passkey implementation gap needs to be closed.
For sites and service providers: Carry some of the weight your users shouldn’t have to. If you require passwords, provide concrete guidance on creating strong ones. Don’t allow demonstrably weak choices without challenge. Implement passkey support. Stop making security something users have to figure out on their own.
The credential problem is, as Darren Guccione put it, solvable. The technology exists. The frameworks exist. The institutional endorsement from NCSC, CISA and others is clear. What has consistently been lacking is the organisational will to govern access with the same rigour applied to every other critical business function.
Jack Cherkas’ summary is hard to improve upon: “The password era is ending; the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire.” The attackers know that. The question is whether defenders have fully accepted it.