Experts call for end to password reliance on World Password Day
Industry experts have weighed in on the state of password security and authentication practices on World Password Day, highlighting the ongoing challenges and potential future of access management.
Bob Wambach, Vice President, Portfolio and Strategy at Dynatrace, addressed the changing effectiveness of passwords within modern digital security.
"Passwords were once the cornerstone of digital security. But today they have become a growing risk, often exploited by sophisticated attackers. Static credentials alone can no longer defend the complexity of modern digital ecosystems."
Wambach argued for more integrated forms of security. "Strengthening security today means thinking differently. Organisations need the ability to see risks in real time, understand vulnerabilities across their environments, and respond before attackers can exploit them."
"AI-powered observability and automated insights are helping businesses move from reactive defence to proactive resilience, embedding protection into every user experience, application and infrastructure," he added.
"On this World Password Day, the focus must shift from relying on passwords alone to building integrated, intelligent security. Digital trust depends on seeing more, understanding faster and acting earlier, at the speed of modern threats."
Morey Haber, Chief Security Advisor at BeyondTrust, critiqued the concept of a day set aside to celebrate passwords, describing it as "cybersecurity's most ironically misguided celebration." He stated: "As a yearly event, it is a reminder of our collective failure to promote good password hygiene and highlight bad habits and silly mistakes."
"Despite endless warnings and breaches demonstrating password fragility, we have decided to dedicate a day to celebrate the weakest link in cyber defence; us – human beings. So, on May 2nd, we will recognise that as humans, we are fundamentally inept at password management and reuse secrets, refuse complexity, forget, and share passwords creating a lucrative opportunity for threat actors to capitalise on our flaws."
Haber advocated for a shift away from password reliance: "Therefore, for future celebrations, I would like to propose that World Password Day focus on marking a proactive pivot toward biometrics and passwordless authentication options, so we can ultimately change the narrative of identity attack vectors."
"Instead of promoting stronger passwords and a day when everyone should rotate their passwords, perhaps we should promote a technological revolution and replace passwords with modern solutions that can minimise our own human weaknesses: biometrics, MFA, and passkeys for everyone."
Patrick Harding, Chief Product Architect at Ping Identity, also questioned the ongoing use of passwords.
"Passwords have long been a security crutch – and in today's digital landscape, they're quickly becoming a liability. Users continue to rely on weak, repurposed credentials, making them easy targets for sophisticated cyberattacks fuelled by AI."
Harding cited consumer and IT leader concerns. "Recent data shows that 87% of consumers are concerned about identity fraud, yet many still depend on outdated methods to secure their most sensitive data. Even worse, 48% of IT leaders admit they're not confident their current defences can withstand AI-driven attacks. That should be a wake-up call."
"With the rise in phishing, credential stuffing, and deepfake scams, it's time for organisations to retire traditional passwords altogether."
He called for organisations to adopt passwordless solutions: "In the spirit of World Password Day, we must double down on access solutions that eliminate the guesswork and the risk. Passwordless authentication, like biometrically protected passkeys and secure device-based login, not only strengthens security but also improves the user experience."
"Organisations must embrace a future where identity is both frictionless and fundamentally more secure."
Rafa López, Evangelist & Solutions Engineer at Check Point Software Technologies, described persistent user reliance on passwords due to their familiarity, despite known risks. "Despite security advances, people still trust what they know — and passwords feel familiar. But that familiarity comes at a price. Passwords are easily guessed, forgotten, shared, or stolen. Check Point notes that poor password hygiene — such as reusing passwords, writing them down, or using personal data — continues to be a major weak link in corporate and personal security. Even worse, phishing attacks — many AI-generated — continue to steal login credentials at scale, despite the presence of two-factor authentication (2FA). The rise in AI-powered phishing and deepfake attacks only makes password-based systems more vulnerable."
López suggested several organisational actions. "Organisations should: Pilot passwordless systems using biometrics, tokens, or Passkeys. Use tools like Check Point Harmony to prevent password reuse and phishing. Enforce Privileged Access Management (PAM) solutions and Zero Trust architectures. Educate teams not just on stronger passwords — but on phasing them out altogether."
He added: "Check Point emphasises password length, diversity, and uniqueness but is also aligned with the need to explore post-password approaches. World Password Day shouldn't just be about creating stronger passwords. It should be a prompt to imagine a future without them. The tools exist. The threats demand it. The only thing missing is our willingness to let go."
Ezzeldin Hussein, Senior Director, Solutions Engineering at SentinelOne, reflected on World Password Day as a moment to consider shared responsibilities in password security.
"World Password Day is a reminder that password security is a shared responsibility. Organisations and individuals must adopt best practices such as using complex, unique passwords, enabling multi-factor authentication (MFA), and leveraging password managers to enhance security. Cyber hygiene starts with small habits—changing default passwords, avoiding reuse, and staying vigilant against phishing attacks."
He continued, "Let's take this day to educate, implement stronger security measures, and advocate for passwordless authentication methods like biometrics and passkeys. A secure password is the first step toward a more resilient digital future."
Companies must take a "holistic approach" to cloud security as threats become more complex and fast-moving, according to Phil Swain, Chief Information Security Officer at Extreme Networks.
"Since cloud technology is integral to operations, security strategies should focus on protecting valuable business assets regardless of where data and operations reside," said Swain. He advised that the first step in strengthening security is "understanding what is critical to achieving business goals and designing protections and controls accordingly."
Swain warned that businesses must move faster to detect and respond to attacks. "With AI shortening attack cycles, security teams must shift from responding in days or weeks to hours or minutes," he said. "Rapid detection, alerting, and response mechanisms are essential to staying ahead of evolving threats."
He also stressed the importance of employee training: "No matter how many security controls are in place, human error remains a major vulnerability." Swain added that organisations must "focus on educating employees to minimise these risks while maintaining productivity."
To reduce the risk of ransomware and other threats, Swain recommended a combination of technical defences. These include "multi-layered email scanning, behavioural monitoring software, and a comprehensive Zero Trust strategy" with features such as "continuous reauthentication, micro-segmentation, endpoint security hygiene checks, and data movement monitoring."
"The network serves as a central intelligence hub," he said, "bringing insights together to strengthen security defences."
