37 World Password Day Quotes from Industry Experts in 2024
For World Password Day, the editors at Solutions Review have compiled a list of comments from some of the top leading industry experts.
As part of World Password Day (May 2) we called for the industry’s best and brightest in Identity and Access Management to share their World Password Day best practices, predictions for the future of passwords, hot takes, and personal anecdotes. The experts featured represent some of the top Cybersecurity solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value.
Neil Jones, Director of Cybersecurity Evangelism at Egnyte
For password security leaders, a growing area of concern is how biometric data needs to be stored within their organizations, and who should have access to it. With the growing availability of Artificial Intelligence (AI) technology and the expanding volume of biometric data, there is a growing risk that users’ identities could be “cloned.” As such, password leadership requires a company’s ongoing attention and significant investment.
On the flip side, companies that aren’t on the password security forefront generally adopt a wait-and-see approach, until a password compromise results in an unfortunate data breach. For password security followers, we see commonplace utilization of weak passwords, including perennial weak passwords like 123456, password, and qwerty. And, such companies frequently over-rely on email or text-based confirmation codes, which can easily be compromised.
The good news is that any company can progress from a password security follower to a leader, by taking several essential steps. Adopt best practices like MFA, password rotation, and lockout policies, educate users about the significance of password safety, and remind users that passwords should never be shared with anyone, including their most trusted business colleagues.
Lorrie Cranor, Director of CyLab Security and Privacy Institute at Carnegie Mellon University
With so many passwords that people have, it’s really hard for individuals to have unique, strong passwords for every account. But reusing passwords is extremely dangerous. One of the best things you can do to help protect your sensitive information is to use a password manager and have it randomly generate passwords for you.
Stuart Wells, CTO at Jumio
World Password Day reminds us of the critical vulnerabilities of relying solely on password-based authentication. Passwords are easily guessed, cracked and reused across multiple accounts, making them a prime target for cybercriminals. Traditional authentication measures like knowledge-based authentication (KBA) and SMS-based two-factor authentication (2FA) are no longer sufficient in protecting against increasingly sophisticated attacks.
To protect users in an increasingly connected world, organizations must adopt more robust and reliable methods of passwordless authentication. Biometric authentication offers a more secure and intuitive experience, ultimately reducing the impact of hacks and online fraud. Smartphone users are well-acquainted with biometric authentication, which paves the way for businesses to introduce passwordless authentication alternatives. Using biometrics at account creation and on an ongoing basis not only offers better protection against account takeover fraud but also eliminates the need to remember complex passwords and initiate password resets, which we all find annoying. It also discourages password sharing, which can inadvertently lead to data breaches and more compromised accounts.
In an age of AI-assisted cyberattacks, World Password Day needs to become World Passwordless Day. The password has outlived its usefulness, and we need stronger ways of protecting ourselves online.
Scott Algeier, Executive Director at IT-ISAC
Unfortunately, password reuse remains very common, which is a tremendous security concern. If an attacker were to receive or guess the password that is used across multiple accounts, they would have access to all accounts that are associated with that password. But creating and rotating complex and unique passwords across dozens and even hundreds of accounts is a common hurdle and stress point. Tools such as password managers are helpful, but also have risks – if someone acquires the master password for the password manager, then they will have access to each of the unique passwords in the password manager. But even password managers cannot defend against the reality that attackers have developed capabilities to bypass and compromise passwords.
Multi-factor authentication (MFA) is an enhanced security practice, since it combines something you know (a password) with something you have (often a phone). However, the most common form of MFA – where a code is sent to your phone – can be bypassed by attackers, which has led to the development of other tools such as authenticator apps and hardware tokens. Hardware tokens are physical devices – often USB devices – and cannot be stolen digitally by crafty threat actors. This physical element accomplishes what MFA sought out to do: pair something you know (a password) with something you have (a hardware token). While hardware tokens are increasingly being adopted by organizations, their level of integration into common services is still rolling out. Experience has shown that attackers will look for ways to bypass this newest level of security.
Chris Simmons, VP of Savvy Security
Companies have, on average, at least four times more SaaS apps than what is centrally managed by an internal IT department. In fact, centralized identity is certainly a goal, but decentralized identity is the key to achieving better security and privacy. It’s critical to consider the world outside of the centralized management solution, as the risk in shadow identities is far greater than the risks within centralized identity.
When it comes to the future of passwords, I believe that passkeys and other passwordless technologies will rise in adoption, but, in general, passwords are like UPC bar codes — they’re here to stay in one form or another.
AJ Lindner, Solutions Architect at One Identity
World Password Day presents organizations with an opportunity as good as any to re-evaluate the security of their authentication protocols and review password policies to ensure they align with current standards.
These practices include increasing organization passwords to a minimum length of 8 to 13 characters; removing composition rules and complexity requirements; only requiring password changes when there is evidence of a compromise; and comparing all passwords against values that are commonly-used, expected, or compromised, then rejecting those passwords in case of a match.
So even when passwords are still a necessary evil, there’s no excuse not to complement them with a strong second factor wherever possible, even if certain applications are unable to support it. Most modern applications support federation protocols like Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and the RADIUS networking protocol, and also enable the ability to easily implement multifactor authentication.
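The four policy practices listed above map directly onto a small validator. This is an added example, not One Identity's code; the blocklist entries, the 8-character floor (the low end of the quoted range) and the sample accounts are constructed.

```python
"""Password policy aligned with the four practices quoted above:
length floor, no composition rules, blocklist screening, and rotation
only on evidence of compromise. Added example with constructed data."""
import hashlib
import unicodedata
from dataclasses import dataclass
from typing import List

MIN_LENGTH = 8   # the quoted range is 8 to 13; 8 is used as the floor here
MAX_LENGTH = 64  # room for long passphrases; nothing forces short choices

# Constructed sample of commonly-used / compromised values, kept as SHA-1
# digests so the plaintext list never sits beside the application. A real
# deployment would load a large breach corpus the same way.
_BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("123456", "password", "qwerty", "password1",
              "letmein123", "welcome2024")
}


def _normalize(password: str) -> str:
    """NFKC-normalize and casefold so 'PassWord1' still hits the blocklist."""
    return unicodedata.normalize("NFKC", password).casefold()


def is_blocklisted(password: str) -> bool:
    """Compare the normalized candidate against the compromised-value set."""
    digest = hashlib.sha1(_normalize(password).encode()).hexdigest()
    return digest in _BLOCKLIST_SHA1


def evaluate(password: str) -> List[str]:
    """Return the reasons a password is rejected (empty list = accepted).
    Deliberately no character-class rules: a long plain passphrase passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_blocklisted(password):
        reasons.append("matches a commonly-used or compromised value")
    return reasons


@dataclass
class Account:
    """Constructed account record; 'compromised' is set by breach
    monitoring or incident response, never by a calendar."""
    username: str
    password_age_days: int
    compromised: bool = False


def must_rotate(account: Account) -> bool:
    """Rotation is driven by evidence of compromise, not by password age."""
    return account.compromised


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "qwerty"):
        print(repr(candidate), evaluate(candidate) or "accepted")
    print(must_rotate(Account("alice", 400)), must_rotate(Account("bob", 3, True)))
```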
Dr. Mohamed Lazzouni, CTO at Aware
We know that changing ingrained systems can often be very difficult, and passwords are no exception. Having been the de facto form of authentication since the beginning of the computing era, there are many reasons for passwords’ longevity, including the fact they are inexpensive and easy to implement. But passwords’ weaknesses are obvious, with an estimated 80 percent of breaches being the direct result of stolen and/or weak passwords.
More recently, password management systems have been encouraged as a way to promote good password hygiene, supposedly making them less prone to theft or misuse. However, last year’s hack of LastPass, a major password manager, dramatically changed this landscape and raised a vital question: if a major password provider can be breached, why are we still relying on non phishing-resistant, outdated authentication techniques like passwords anyway?
The aim of World Password Day – “fostering good password habits that help keep our online lives secure” – is commendable. But with cloud-based biometric authentication within reach for even the smallest organizations – combined with the adoption of decentralized identity techniques meaning there’s no central repository of biometric data to hack – we believe the best type of password hygiene for today is actually the elimination of passwords altogether.
Jasson Cassey, CEO of Beyond Identity
In a year where we’ve seen the devastating consequences of relying on passwords and human perfection, the FIDO Alliance’s progress with Passkeys is a game-changer. It’s not just about eliminating passwords; it’s about fundamentally shifting how we approach authentication. Passkeys bound to devices recognize that humans are fallible, and they’re designed to work with that reality, not against it. That’s the kind of innovative thinking we need to turn the tide against adversaries.
For years, we’ve been talking about the need to move beyond passwords, but it always seemed like a distant dream. The FIDO Alliance’s progress with Passkeys is making that dream a reality. And it couldn’t come at a better time. With the escalating costs and frequency of identity breaches, we need a solution that doesn’t just patch the holes in our current system but builds a new, more secure system from the ground up. Passkeys bound to devices are that solution.
World Password Day is a reminder of how far we’ve come, but also how far we still have to go. The FIDO Alliance’s Passkey initiatives are a major milestone on that journey. They’re not the end of the road, but they’re a critical turning point. They’re proof that we can innovate our way out of the password problem, that we can build systems that are secure, usable, and resilient. And in a year where we’ve seen just how vulnerable our current systems are, that journey is more important than ever.
Adam Brown, Managing Consultant at Synopsys Software Integrity Group
In the age of biometric authentication, traditional passwords are not a good form of authentication anymore – even ‘leet’ speak passwords such as P@55w0rd are in every attacker’s dictionary. Organizations can ensure the security of their users’ passwords by educating them on the benefits and ease of using passphrases over passwords. Yes, they take a little longer to type but they are just as easy to remember and have a much better resistance to password busting techniques.
When it comes to balancing the need for strong, complex passwords, but being able to remember them easily, memorable phrases are essential, but it’s also important not to reuse them. All it takes is one service provider to have poor data and password storage methods and that passphrase is out there in the wild along with your email address and other personal data, therefore attackers then have access to any other sites you use that same passphrase on. Password managers can help here such as the one built into Apple devices or third party providers who will charge a very small sum each year for use.
With the rise of cyber threats, one innovation we can anticipate is passwordless, which is on the rise – and we are at the mercy of our technology providers for the rate of adoption. Third party authentication providers are making this easy for technology providers to adopt.
My top five password safety practices:
- Use passphrases, different for each site / service.
- Use a password manager with a strong and long passphrase to access.
- Where available, use multifactor authentication (such as fingerprint / FaceID), and use token utilities such as Google Authenticator, where you are asked for a 6-digit PIN that regenerates every 30 seconds.
- Enable multifactor authentication on websites, which is common in banking where there will be a call to your phone with a unique pin.
- Be very aware of scams, especially when someone is asking you for your password or if there is any unusual or fishy behavior related to access to a service you use.
Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber
Consider the simple password. One seemingly insignificant phrase, but one that holds so much power. As we approach World Password Day, perhaps we should give the password the attention we may have been neglecting. When was the last time you changed your banking password? Was it years ago? How complex was it? There are quite a few threats to our little friend the password today, including increases in data breaches and password cracking technology. It’s a reality that if you have an online presence, your data has been posted by malicious actors. This includes your passwords, no matter how complex. Looking at password cracking technology, the advancements in generative AI have boosted password cracking capabilities exponentially. So what can be done to help our poor little friend the password?
Multi-factor authentication (MFA) is the most critical and primary way of bolstering your account security. It’s 2024 – enable MFA wherever you can. With the proliferation of authentication apps, there’s no reason not to enable MFA. While there are limitations with certain types of MFA, and there are attacks that focus on MFA, having something is better than nothing. If you want to take it to the next step, hardware authentication devices like the Yubikey can add another layer of protection. Beyond even that, biometric authorization (like Windows Hello) can completely remove passwords from the equation. MFA, in combination with using a password manager that will create unique, complex passwords for each of your accounts, is the easiest and most effective way to reduce risk to your accounts. Passwords aren’t going anywhere in 2024, or even beyond, but we can do little things to improve our password security!
Anna Pobletts, Head of Passwordless at 1Password
For many decades, passwords have been key to both unlocking and securing our digital lives. However, as new technologies have emerged and threats have become more pervasive and sophisticated, World Password Day this year may call for a slightly different focus.
Human error accounts for more than three in four breaches, showing up in the form of weak or reused passwords and outdated authentication methods. While many people continue to rely on passwords today to secure their digital information, the reality is passwords aren’t keeping pace with the speed of technology and are only causing people more login friction.
Over the last two years, passkeys have gained traction with early adopters, including some large consumer brands. Passkeys raise the bar for security by eliminating the need for humans to generate, remember, and manage strong and unique passwords for each of their accounts. On top of that, the experience of using passkeys is comparable to what most people already expect when unlocking their devices – think Face or Touch ID. Passkeys also effectively remove the threat of phishing because there’s no credential for bad actors to target in the first place.
For the first time, passkeys have shown that security and user experience don’t have to be mutually exclusive. The combination is so compelling that even the federal government recently suggested incorporating passkeys into our digital identities across different devices.
So this World Password Day, let’s celebrate and say thanks to the password, while also making space to embrace the passkey.
Ken Carnesi, CEO of DNSFilter
First and foremost, don’t send passwords in Slack and over email! While that might seem like a no-brainer, you’d be shocked how often it happens. Ultimately the most safe/secure way to do it is by sharing passwords with your team/others via a password manager. At DNSFilter, we use 1Password as our password management and sharing program—it allows for several levels of secure access and manages complex passwords, which helps for a team that is growing as quickly as ours. This way if a provider gets breached and leaks your password, the bad actor only has access to that one service. We also enforce two-factor authentication wherever possible, and highly recommend using Authy for your employees’ authenticator.
Having these types of tools in your organizational toolkit is vital as threat actors target password management (as LastPass saw in 2022). I’d recommend teams make sure they use complex passwords that can be stored in a password manager as well as a master password that is easy for you to remember, but has a little complexity to it. It needs to be something you won’t forget. Password managers are vital for many companies, but the risks associated with any kind of breach can have cascading effects.
In addition to these recommendations, using single sign-on will allow users to sign into different software systems using a single identity.
Neeraj Methi, Vice President, Solutions of BeyondID
We all should assume our passwords are out there on the dark web, no matter how complex or creative we get with the passwords we create. The number and frequency of data breaches mean our passwords are getting into bad actors’ hands.
Given this challenge, we must eventually leave passwords behind. While we are not there yet, passwordless capabilities are here and being used already. It serves two very important purposes: 1) It’s much more secure; 2) It’s a better user experience.
Shaun McAlmont, CEO of NINJIO
World Password Day is a great opportunity to reassess user credential hygiene. There are a number of solutions that promise a “passwordless future”, but the password is still a key security feature for billions of access points and will be for some time. And we know that people don’t always follow best practices – reusing passwords across accounts is a common mistake that people know they should avoid, but they do it anyway. It’s what made the 23andMe password spraying attack successful.
In light of the cyberattack techniques we’ve seen, this is the guidance we’ve sent to end-users as a reminder this year for World Password Day:
- Keep Passwords Private. Do not share your passwords with other people, especially in writing. Each person should always use their own credentials.
- Do Not Reuse. Do not use the same password for separate accounts. One data breach could compromise everything!
- Consider Passphrases. Having trouble coming up with a complex word? Consider a phrase instead, including numbers and symbols.
- Call For Backup. No password is 100 percent secure. Strengthen your security by adding a second layer, like multi-factor authentication.
Greg Crowley, CISO at eSentire
For most people, when they think of securing their accounts, they automatically think of passwords. However, passwords are an inherently weak security control. The industry has to keep adding on to password requirements to make them more secure. Debates rage over the importance of password length, complexity, and unique password rotation. The fact is, all passwords are susceptible to being stolen. For a minute, we tricked ourselves into believing we finally found a way to secure passwords and thwart the threat actors with multi-factor authentication (MFA). MFA does, however, add some friction to the user authentication process and there are multiple ways attackers can bypass its protection. So, while it’s an improvement (and recommended), the case for passwordless authentication is still a valid one.
A passwordless future is alluring, and in most estimations, more secure than any password requirement. After all, in a true passwordless environment there would be no passwords to steal via social engineering attacks or breaches, right? The problem is passwords are so ingrained into everything we do that they will likely never go away completely (at least not in my lifetime). However, their role will diminish and many newer companies, with no legacy infrastructure, will be able to achieve this potential nirvana. In place of passwords, the authentication process will rely on mechanisms such as hardware or token-based authentication, something the authorized user already has. The tech giants are working together to create a standard for passwordless authentication but like all advances in security, it too will have vulnerabilities which threat actors will find new and creative ways to exploit.
Patrick Harding, Chief Architect at Ping Identity
As threat actors become more sophisticated and lean on new technology like artificial intelligence, most users underestimate the risks associated with relying on passwords to protect valuable information. On top of that, a whopping 48 percent of IT decision-makers are not confident they have technology in place to defend against AI attacks. Traditional passwords make organizations vulnerable to these types of attacks, leaving the door open for hackers to access critical data. Consumers have also become increasingly frustrated with remembering multiple, complex passwords and often choose to reuse the same password on various sites, increasing security risks even further.
The good news is there are more secure alternatives that provide better digital experiences for the user. Passwordless authentication replaces traditional passwords with more seamless and secure methods and helps enterprises reduce risk and stop threats at scale. This World Password Day, let’s focus on moving towards a passwordless future that offers better and safer digital experiences while educating organizations about technology that strengthens security.
Steve Winterfeld, Advisory CISO at Akamai
Identity management continues to get more complex every year with account takeovers becoming ever more sophisticated, but in many cases we are still dependent on passwords. Part of the reason is that moving to passwordless identity management can be difficult, but the reality is the continued use of passwords is causing more friction and increasing risk at a rate that is becoming intolerable. So what is the fix? Move to identity management that replaces passwords with Fast IDentity Online 2 (FIDO2) standard based 2FA / MFA. By adopting an established industry standard we are following best practices for our company and our customers. The time to walk away from the technical debt of passwords is here!
Russ Kennedy, Chief Product Officer at Nasuni
World Password Day serves as an annual reminder that passwords are often the first line of defense against unauthorized access to an organization’s sensitive information. The strength and uniqueness of passwords are essential components of cyber hygiene practices, in addition to employing single sign-on and two-factor authentication practices.
However, it’s important to recognize that password security is just one piece of the puzzle. Equally important is the protection of file data and the ongoing vigilance against the growing threat of ransomware attacks. With cyber threats constantly evolving, adopting a holistic strategy to cybersecurity, which includes regularly updating passwords, employing data backup and encryption methods to secure files, and implementing robust ransomware protection measures, becomes imperative in safeguarding our digital assets and privacy.
Deepak Taneja, CEO and Co-Founder of Zilla Security
Identity security and governance is top of mind for most CISOs. In a recent multi-city CISO event that Zilla Security participated in, 70+ percent of the CISOs indicated that identity was their highest priority for the next 12 months. This is no surprise since the majority of data breaches stem from access vulnerabilities.
One of the tenets of identity security is password management and authentication, which are critical to protecting an organization’s digital identities. On World Password Day, we are reminded of the importance of adopting strong, unique passwords to protect against identity threats, in addition to proactively and continuously managing permissions for every identity – human or machine – across every application in the enterprise.
Pranava Adduri, CEO and Co-Founder of Bedrock Security
Most modern breaches involve credentials – whether for initial access or for use in lateral movement. For consumers, secure passwords, MFA, and proper system hygiene will help reduce the likelihood of compromise. Using passwordless options, like hardware tokens, makes it even more secure, albeit less practical.
For enterprises, the challenge is that not all credentials belong to humans. Enterprises will have 20%+ of their credentials being used by machines or applications. Going passwordless alone here may not help. Many attacks use legitimate credentials, so the ultimate protection is examining the proactive and real-time use of data and protecting that. Protecting the data with proactive measures, such as reducing overly permissioned credentials, isolating sensitive data, and using AI reasoning methods to watch and stop real-time data security and compliance issues, is the most secure method of protection for enterprises.
Jeff Reich, Executive Director at the Identity Defined Security Alliance (IDSA)
Regardless of what we are hearing, the password is not dead yet. No longer in the spring of its youth, we’re still a couple of steps away from it needing life support. My time in this field spans six decades, and people have been saying the password is going away for nearly five of those. The password still offers a mighty service and is usable, to a degree. We will always face the challenges of social engineering, weak passwords, leaked passwords, and overused passwords. Many systems are unable to process anything but a password for authentication.
Rishi Kaushal, Chief Information Officer at Entrust
Identity continues to be the most targeted attack vector by bad actors, with nearly two-thirds of data breaches caused by compromised credentials, and AI is only accelerating new types of attacks. Our passwords should be an extension of our identities. You wouldn’t share your social security number with just anyone, so why are your passwords any different? This World Password Day, we must look beyond typical password measures like alphanumerics and seek to improve how we are securing our data – taking a “never trust, always verify” approach to our accounts.
Too many organizations either still rely on a single-factor authenticator like the password or enable relatively weak multi-factor authentication (MFA) with an over-reliance on one-time passcodes. Instead, we need to encourage implementations like phishing-resistant MFA technology, which requires more authentication than just a click or a compromised password to put you at risk – it is also a key foundation for organizations implementing Zero Trust principles. Another option is incorporating identity verification with authentication processes, adding biometric checks as step-up authentication. Organizations and consumers must work together to ensure their data is safe, and the combination of the right tools and mindsets will allow them to do just that.
Dave Spencer, Director of Product Management at Immersive Labs
Bad actors are constantly searching for the weakest link in an organization’s security posture. That weak link is often poor password management. Employees take the path of least resistance, which usually means satisfying the complexity requirements of passwords in the easiest way to remember possible. Most people attempt to pick strong, unique passwords for the numerous platforms they use which, unfortunately, only gives the illusion of security. In reality, this approach leaves numerous access points for attackers to infiltrate. With inadequate password hygiene being a common contributing factor in cyber incidents where credential stuffing and phishing attacks can expose corporate data as well as personal users, it’s clear that both organizations and individuals need to reassess their password strategies.
Rather than hope to keep data secure with only passwords, tools like multi-factor authentication (MFA) and password managers provide an added layer of protection, requiring bad actors to do extra work and limiting the avenues they can use to gain access to the sensitive information. But beyond implementing these tools, users need to know why these solutions are being utilized. A baseline knowledge of cybersecurity is necessary as we see more and more attacks targeting those who least suspect it. When we create a culture that prioritizes cyber resilience rather than finding out who to blame, we are more inclined to report malicious attempts at password stealing and other attacks.
However, it’s crucial to choose your MFA method wisely. Push fatigue has become prevalent, where users mindlessly tap a button on their phone to authenticate, potentially authorizing requests without proper verification. This tendency to habitually tap away without confirming the legitimacy of the request can often happen, especially at the beginning of the day or post-lunch breaks.
Frederik Mennes, Director of Product Management & Business Strategy at OneSpan
Today, organizations face a more threatening array of security concerns than ever before, and the average CISO faces immense pressure to safeguard the business. Traditional authentication such as passwords no longer offer effective protection against current threats. At the same time, more secure products like digital signatures combined with public key certificates in a public key infrastructure (PKI) often present implementation or usability challenges. In this setting, passwordless authentication emerges as a viable alternative, providing defense against evolving threats combined with enhanced usability.
Passwordless authentication methods have the capability to mitigate security risks by eliminating vulnerabilities associated with password-based credentials. It’s the case because passwordless products do not rely on static passwords. Instead, they generate dynamic authentication codes that have a limited lifetime and can be used only once, or are based on unique human biometric characteristics, such as fingerprints.
Passwordless authentication has advanced in reducing the risk of breaches, allowing CISOs to build future-ready and adaptable systems for their organizations. Phishing-resistant passwordless authentication systems such as those based on FIDO standards can also eradicate the threat of phishing. With such products, they can safeguard corporate data, resources, and the wider workforce, while enabling a flexible workforce without compromising security. This can ensure a secure and user-friendly environment for dispersed workforces for 2024 – and well beyond.
Yiftach Keshet, Vice President & Identity Security Expert at Silverfort
For businesses to improve and think more broadly about securing identities, there needs to be a perspective shift in how the most crucial entry point is protected— passwords. Securing passwords with Multi-Factor Authentication (MFA) and not reusing passwords is basic security hygiene, yet we should continue doing it. However, it’s 2024. Organizations need to take the conversation beyond passwords for human identities and start talking about how to successfully protect the other tools attackers use, such as command line tools, PowerShell, and machine-to-machine communication. I’d like to get to a place where CISOs demand strong MFA protections for their non-human identities and the critical resources MFA can’t secure.
World Password Day serves as a reminder that identity gaps throughout the identity infrastructure continue to cause many major breaches. If a hacker successfully steals a password, it’s easy for them to move discreetly throughout an environment and even use identity infrastructure as a gateway to access cloud assets and environments. Recent research found that 67% of organizations sync their on-prem passwords to the cloud. While this is convenient and can help boost employee productivity, it also dramatically increases risk by creating a gateway for cybercriminals to jump from on-prem to the cloud and wreak havoc on an entire organization’s network.
Security leaders should ask themselves how they can secure the identity infrastructure that often leads to compromise. When organizations start having more conversations about the forgotten resources that go unprotected and how to secure them, we’ll advance security to a place that can actually stop an attacker in their tracks.
Joe Richard, Associate Director of Program Management at Nightwing (formerly Raytheon)
As digital infrastructures grow more interconnected and complex, an organization’s priceless data and mission-critical systems are increasingly vulnerable to cyberattacks. An effective cybersecurity strategy requires multiple layers of defense spanning networks, endpoints, data, and user access.
Passwords are often viewed as the first layer of defense, serving as the primary means for authentication and access control. Frequently, poor practices and prioritization of convenience over security leave this layer susceptible to multiple attack vectors such as brute force attacks, phishing campaigns, and social engineering.
We all share responsibility for fortifying this layer of defense; however, organizations must assume that advanced attackers will eventually find a way inside the security perimeter. Beyond password discipline, organizations should embrace zero-trust principles to continuously authenticate every user, device, and application attempting to access DT resources. Organizations should also include cyber resiliency measures to adapt, withstand, and recover from potential attacks.
As users, and as stewards of our organization’s security, we must all pay attention to our cyber hygiene by making sure our passwords are secure, complex, and regularly updated. It’s up to each of us to do all we can to bolster this first layer of defense to prevent criminals from accessing networks, stealing sensitive information, and undermining systems.
Viktoria Ruubel, Managing Director of Digital Identity at Veriff
In the past year alone, there has been a 71 percent increase in attacks that use stolen passwords. As the digital landscape continues to evolve, passwords are no longer the most secure method to protect data. In fact, two-thirds of consumers feel facial recognition software provides easier and safer access to online accounts than passwords. Consumers would accept a longer sign-up process involving the use of an ID document and a selfie if it means better identity and personal data protection.
Relying on legacy approaches like two-factor authentication or knowledge-based authentication (using knowledge of a mother’s maiden name, for example) can expose an organization to bad actors. Passwords are vulnerable to data breaches and malware, and two-factor authentication is susceptible to device compromise and social engineering.
We must improve how accounts are secured, like pairing passwords with biometric technology. A report found that 38.5% of respondents believe facial recognition and biometrics are the most secure method for protecting their accounts and information. In addition, biometric data is hard to steal and cannot be forgotten like a password. When you add biometric facial authentication on top of password protections, sign-in becomes secure and seamless.
While there is no one-size-fits-all solution to combating fraud, this World Password Day we should seek solutions that can complement and augment existing security measures.
Doug Kersten, CISO at Appfire
Today, malicious threats are much less predictable and, therefore, more difficult to defend against. While passwords were once the key to safeguarding private information, attackers have perfected countless techniques to access them.
Regardless of whether you’re using a professional or personal device, it’s essential that your passwords are unique, difficult to guess, and not used across a variety of devices or platforms. World Password Day is a great reminder to stop and think about the last time you audited the passwords you’re using, where you’re storing that information and whether that information is easily accessible, and to take the time to change the passwords you use frequently or you know have been compromised in data leaks.
Many internet browsers are improving their password protection practices, sharing with users their security blind spots. However, responsibility remains with the user to take the next step to change compromised passwords. Always think in terms of something you are — your user name; something you know — your password; and something you have — a device or software that provides a second factor, such as biometrics or authentication codes from common and free authenticator apps like Google or Microsoft Authenticator. Using these in a thoughtful way will greatly reduce the impact of a password compromise and make for a very happy World Password Day.
Felix Vargas, Chief Technology Officer at AHEAD
Identity verification has taken a new meaning over the last few years. Strong, continuously changing passwords, Multi-Factor Authentication (MFA), centralized single sign-on (SSO), and posture checking have been foundational elements of any Identity and Access Management strategy. However, as evidenced by recent cyber attacks, including MGM, Uber, and countless others, these measures are insufficient. In conversations with CISOs and security practitioners over the past few years, three IAM trends bubble to the top of the priority list: Zero Trust Architecture (ZTA), Security Service Edge (SSE), and phish-resistant authentication methods.
COVID paved the way for SSE platforms to become the new normal in a world driven by remote work. In early 2022, the White House released an executive order for government agencies to adopt CISA’s Zero Trust Maturity Model 2.0 comprehensively. The private sector followed suit, with a renewed focus on ZTA, emphasizing phish-resistant or password-less authentication methods, including FIDO2 (Fast IDentity Online 2). FIDO2 is an open authentication standard developed by the FIDO Alliance, enhancing security by using cryptographic credentials resistant to phishing, aiming to replace passwords with passkeys for more secure and user-friendly online authentication. Imagine a world where a simple device you carry, and a fingerprint scan give you secure access to everything you need. First released in 2018, FIDO2 is not a new technology, but the prevalence of biometrics scans and the increase in browser and vendor support have made FIDO2 a key IAM trend in 2024 and beyond.
My hot take? Password Day will eventually become Passkey Day as FIDO2 adoption increases.
Antonio Sanchez, Principal Evangelist at Fortra
Poor password hygiene has been a common vector for criminals to make entry into a business or the life of a consumer. We all want a safer and more secure experience, but most will resist it if it means adding friction to the experience. For businesses, the friction is generally more accepted because employees will abide by password policies as a condition of their employment and because there are enforcement mechanisms. However, studies show there are still pockets of poor password hygiene within organizations, such as sharing server passwords and sending them in cleartext communication. There is also increased sophistication of cybercriminals and their ability to harvest credentials.
The consumer market prefers convenience and it’s this perception that leaves them vulnerable. Password managers are great but not everyone is tech-savvy enough to use them no matter how simple they market themselves. MFA is better than not having it, but many entities make this optional as they don’t want to take the risk of losing a customer due to an experience that adds additional friction.
Whether it’s a business or a consumer, there needs to be continued education about identity and authentication. I expect an increased adoption of biometrics along with Captcha and other authenticators. However, I expect we will never truly get rid of passwords as there are instances where they make sense. I do expect us to prioritize a combination of other authentication processes as we look into the future.
Pete Nicolette, Field CISO at Check Point Software
Strong passwords are more than just a recommendation; they are a critical defense mechanism. Despite our advanced defenses, Check Point Research found that organizations in the United States had an average of 791 cyber-attacks per week during the month of March. This frequent targeting underlines the need for stringent password practices. By reinforcing our password security, we protect not just our data but maintain the integrity and trust of our entire organization.
Kumaravel Ramakrishnan, Technology Director at ManageEngine
Passwords, despite their shortcomings, will continue to be a mainstay for the foreseeable future. It is too early to call alternate tools of authentication a permanent replacement for passwords, as they are still at a nascent stage. In addition, these new controls will require significant investments, pose collaboration challenges, and will need to be free of errors and biases. The goal for individuals and enterprises will be to address immediate authentication challenges while exploring passwordless options for the future.
Anthony Cusimano, Technical Director at Object First
This World Password Day, it might be more apt to prepare for passwords’ funeral than a day of celebration. Google, Microsoft, and Apple, amongst many other tech giants, have all begun to look at passkeys and password-less accounts in the future, and passwords will likely be nothing but a fun memory in years to come. Although passwords are about as good as a paper door for any hacker worth their salt, that doesn’t mean that we should let slide the best practices that made passwords secure in the first place.
Protect your digital security by sticking to the following guidelines:
- Mash that keyboard. The more human your password is, the more likely brute force attempts will crack it fast. Use a combination of letters, numbers, and special characters – the uglier the password, the more secure.
- Do not reuse passwords. No exceptions.
- With additional security practices like multi-factor authentication, face ID login, and password apps, always take advantage of the services at your disposal and make sure to opt for more security when it’s offered.
Morey Haber, Chief Security Officer at BeyondTrust
For World Password Day, we should all take a brief moment and memorialize all of our deceased passwords. While that may sound a bit cheeky, consider all the passwords we had to update due to lack of basic complexity, breach notifications, password reuse, and even basic guessability. Over the years we have learned how easy it is to compromise simplistic passwords and have been forced to remember passphrases and use personal password managers with multifactor authentication to secure even our most basic authenticated access. Remembering how simple passwords previously were compared to where we are today should be part of a memorial and a history lesson in cyber security.
So for password day, remember where we have been and where we are going. Passwords using birthdays and our pets’ names are no longer acceptable anywhere and at any time. Passwords today need to be complex, barely human readable, not easy to verbally communicate, and sufficiently complex that even manual entry is prone to error. Passwords should be managed by a personal password manager or privileged access management solution and protected with biometrics, multi-factor authentication, or two-factor multifactor authentication applications to ensure that even the most complex password alone cannot be used to compromise a system. The passwords of years past are dead. And we should remember them. They were simple, whimsical, immortalized our pets, and today bear no resemblance to modern counterparts. If we encounter one of these memories today in practice, we should immediately consider replacing it with a password that takes the necessary steps to mitigate the most basic of cyber security attacks – a password compromise.
Shiva Nathan, Founder & CEO of Onymos
As we observe World Password Day this year, it is important to recognize that traditional passwords are far from being obsolete. While passkeys from major players like Apple, Google, and Microsoft are gradually being integrated into various software, applications, and technologies, a complete transition to this authentication method will require significant time and effort – especially in terms of generating consumer buy-in and usage. The software, application, and technology providers that leverage various authentication methods will also have to ensure that they not only address the updates from these companies but also provide the authentication methods their users are still demanding. Additionally, we are also seeing new trends related to multifactor authentication. Software and technology products have already been leveraging this authentication method for years, but threat actors are becoming more advanced — and MFA is becoming more vulnerable. This underscores the need for additional security measures that will augment and fortify MFA, including biometrics and trusted authenticator applications.
Rishi Bhargava, Co-Founder of Descope
One of the stated goals of World Password Day is to raise awareness of strong passwords among end users and promote good password behaviors. I think this day should have another goal – paving the way for end-users to steadily wean off passwords altogether.
The security and UX benefits of most passwordless methods over passwords is clear – as evidenced by most new apps of today supporting passwordless methods like magic links, social login, and passkeys. Increased adoption from end-users will start a virtuous cycle of even more applications going passwordless (or at least offering these methods as alternatives).
Apart from using World Password Day as a trigger to update one’s passwords, end-users should adopt other achievable goals – like migrating at least one of their accounts per month away from passwords, or committing to go passwordless while creating any new account in the future.
Dylan Border, Director of Cyber Security at Hyland
Passwords are the backbone of our digital identity. World Password Day gives us a yearly reminder to reflect on their significance in our daily personal and professional lives, but also a warning that passwords are a common weak point when it comes to securing your personal data and identity. After all, if your tax returns, medical records, and bank account are simply your pet’s name and your favorite number, that’s putting a lot of pressure on that same outdated password you’ve used all these years to keep you secure.
Instead of reusing your credentials, consider two common ways to massively increase your odds of protection. First, use a password manager. There are a number of these tools, ranging from free and built into your web browser, to paid subscriptions that offer identity monitoring and other premium features. But the biggest benefit is that they offer you a secure place to store your unique credentials and they provide a password generator function, so you no longer need to think of a unique password yourself.
The second recommendation is to use Multi-factor authentication (MFA or 2FA) for all your accounts. Enabling this will mean that when someone attempts to access your account with your credentials, you must also provide an additional authorization before gaining access – commonly through a text message, phone call, biometrics, or code generator app. By adding this extra layer of security, you’ll easily know if someone’s logging into your account that’s not you, and you’ll have the opportunity to quickly take action.
Cyber-attacks and data breaches can be scary, but they aren’t magic. These situations generally start from compromising something that was exploitable online, and one of the easiest exploits is gaining access to someone’s credentials. By making an attacker jump through more hoops before they can access your information, you’ve added an extra level of deterrence. This makes you a more complicated and less attractive target to compromise, and adds assurance to yourself and your business that your credentials remain secure by aligning with these best practices.
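Two of the quotes above make the same concrete point from different angles: Anthony Cusimano's "mash that keyboard" guideline (a human-shaped password falls to guessing attacks far faster than its length suggests) and Dylan Border's recommendation to let a password manager generate credentials instead of inventing them. The script below is an added illustration written for this page, not code from any of the quoted experts or their companies. It compares the naive brute-force search space of a password with a rough estimate that charges a dictionary-word-plus-decoration password only for the word choice and the decoration, and it generates a random password the way a manager would. The tiny word list, the assumed 10,000-word attacker dictionary, and the weak/ok/strong thresholds are all constructed assumptions, not published figures.

```python
import math
import secrets
import string

# Character classes whose union approximates the alphabet a brute-force
# attacker would have to cover for a random password drawn from them.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
DECORATION = string.digits + string.punctuation

# Constructed stand-in for a real cracking wordlist (assumption for the demo).
COMMON_WORDS = {"password", "fluffy", "max", "bella", "welcome", "summer"}
ASSUMED_WORDLIST_SIZE = 10_000  # assumed size of an attacker's dictionary


def alphabet_size(password: str) -> int:
    """Size of the union of character classes actually present in the password."""
    return sum(len(cs) for cs in CHARSETS.values() if any(c in cs for c in password))


def brute_force_bits(password: str) -> float:
    """Naive strength: log2 of the search space if every position were random."""
    n = alphabet_size(password)
    return 0.0 if n == 0 else len(password) * math.log2(n)


def word_core(password: str) -> str:
    """The password with leading/trailing digits and symbols removed, lowercased."""
    return password.lower().strip(DECORATION)


def looks_human(password: str) -> bool:
    """Heuristic: a common word with digits/symbols bolted onto the ends."""
    return word_core(password) in COMMON_WORDS


def estimated_bits(password: str) -> float:
    """Strength estimate that models how a guessing attack actually proceeds:
    a dictionary word costs one word choice (plus 1 bit for capitalisation),
    and only the decoration characters are charged per character."""
    if not looks_human(password):
        return brute_force_bits(password)
    decoration_len = len(password) - len(word_core(password))
    return (math.log2(ASSUMED_WORDLIST_SIZE) + 1
            + decoration_len * math.log2(len(DECORATION)))


def rate(password: str) -> str:
    """Bucket the estimate; thresholds are illustrative assumptions."""
    bits = estimated_bits(password)
    if bits < 50:
        return "weak"
    if bits < 80:
        return "ok"
    return "strong"


def generate_password(length: int = 16) -> str:
    """Manager-style generation: CSPRNG, one character guaranteed from each class."""
    if length < len(CHARSETS):
        raise ValueError("length must allow one character from each class")
    all_chars = "".join(CHARSETS.values())
    chars = [secrets.choice(cs) for cs in CHARSETS.values()]
    chars += [secrets.choice(all_chars) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    samples = ["password", "Fluffy2019!", "12345", generate_password(16)]
    for pw in samples:
        print(f"{pw:20} naive={brute_force_bits(pw):6.1f} bits "
              f"estimate={estimated_bits(pw):6.1f} bits  -> {rate(pw)}")
```

The gap between the two columns is the point: "Fluffy2019!" scores about 72 bits if you only count characters and classes, but roughly 41 bits once the word is treated as a single guess, which is why a complexity meter that counts character classes can flatter a pet-name password. A generated 16-character password from all four classes sits above 100 bits under either model.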