Cybersecurity experts warn of password risks as day nears
Thu, 30th Apr 2026
Cybersecurity experts warn of password risks as World Password Day nears. The annual awareness event comes amid rising concern over credential theft and the slow adoption of phishing-resistant authentication.
Security executives say the industry is still failing to address basic weaknesses in how organisations and individuals manage digital credentials, despite a decade of public campaigns on password hygiene. The focus is shifting from password strength to access governance, multi-factor authentication and wider use of passkeys. Even so, most users and companies still rely on traditional passwords.
Darren Guccione, chief executive officer and co-founder of Keeper Security, said the discussion returns every year, yet attackers continue to exploit the same gaps in poorly governed access. He described credentials as the primary entry point in enterprise breaches and argued that password policies alone do not address how logins are stored and shared in complex environments.
"Every year, World Password Day generates the same conversation. And every year, attackers walk straight through the same open doors. Credentials remain the most exploited entry points in enterprise breaches - not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn't just unlock an account. It hands an attacker a foothold for lateral movement, data exposure and, in many cases, full environment takeover. Password strength alone is not the issue. The real exposure sits in how credentials are stored, shared and governed across users, systems and service accounts. This is where Privileged Access Management (PAM) becomes critical. Enforcing least privilege, rotating credentials, removing standing access and introducing visibility over how credentials are used changes the risk profile entirely. Passkeys are gaining serious institutional momentum. The UK's National Cyber Security Centre (NCSC) and US agencies including CISA are actively pushing phishing-resistant authentication aligned with FIDO standards - and adoption is already visible across public services. The direction is set. Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel. Strong passwords still matter. But without control over who can use them, when and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function," said Darren Guccione, Chief Executive Officer & Co-Founder, Keeper Security.
Guccione also highlighted growing support for passkeys from national cyber agencies and regulators. He said most organisations will operate hybrid models for some time, extending governance demands across both passwords and passkeys rather than removing the need for oversight.
Other specialists see the same pattern at the individual user level, where password reuse and phishing remain persistent problems. Consumer-facing attacks now combine automation, stolen data and convincing social engineering, undermining traditional advice on spotting crude scams.
Anne Cutler, vice president of global communications at Keeper Security, said many users do not consider the risk until an account is compromised. By then, they often discover that password reuse links multiple services, financial information and personal data through a single breach.
"Most people don't think about their passwords until something goes wrong. By then, the damage is usually already done. A breached email does not just expose one account - when passwords or variations of passwords are reused, it opens everything attached to them: password resets, linked services, saved payment details, the list goes on. It unravels faster than you might expect. What makes this so frustrating is how little effort it takes on the attacker's side. Credentials stolen from one platform get tested automatically across hundreds of others within seconds. And AI has made the front end of that process genuinely difficult to defend against. A phishing message, fake login page and impersonation are not crude scams anymore. They are convincing, personalised and increasingly automated. The good news is that the defence is not complicated. A password manager eliminates the reuse problem entirely, giving each account a strong, unique credential - whether it's a traditional password or a phishing-resistant passkey - that is generated and stored without you having to think about it. Paired with built-in multi-factor authentication, you remove the two entry points attackers rely on most. The threats have gotten smarter. Fortunately, so have the tools," said Cutler.
Industry attention is also turning to how mid-market businesses and managed service providers address password risk with tighter budgets and smaller security teams. These organisations often sit between consumer-grade protections and large enterprise programmes, yet face many of the same attackers.
Kevin Charest, vice president of cyber governance services at Netrio, said the broader debate now includes phishing resistance and passkeys. Still, he warned that most people and companies continue to depend on passwords and rely on security tools to compensate.
"World Password Day has been around for more than a decade, but in the last year the conversation has shifted from stronger passwords to MFA, phishing resistance and passkeys. While it probably should be renamed 'World Passkey Day,' the reality is that most people still use passwords for everything. Companies are also not using passkeys at scale, which means security tools are left to make up for the shortcomings of how people actually use passwords. To this day, the single biggest issue remains password reuse. With so much breach and security incident data available, attackers often do not need to crack a password; they can take a known password and try it across multiple services and systems. Complexity rules do not fully solve the problem either. Users often just add a few required characters or move from 'password123' to 'password124.' Relying on user IDs and passwords as the primary form of security can be the downfall of many companies. Until organizations can truly move away from passwords, MFA and detection tools must do more of the work. For SMBs and mid-market enterprises in particular, the challenge regarding passwords is especially tough. If they cannot afford to apply the highest level of security across the entire organization - which in many cases is true, due to limited budget - they should at least identify critical roles and apply stronger controls in those areas. At a minimum, financial teams, employees sending or receiving money, and those handling sensitive data, intellectual property or the company's 'crown jewels' need a higher level of security. However, in the end, the biggest hurdle is not always technology. Culture eats technology for breakfast. Asking users to carry a physical hardware device or adopt a new authentication process can create resistance. At its core, change management is difficult, but necessary.
Passwords are still the game for most users, and until that changes, companies need to treat password behavior as a foundational security gap that must be actively managed," said Charest.
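Both Cutler and Charest describe the same pattern: a password leaked from one service being "tested automatically" against many others. On the defender's side that credential stuffing leaves a distinct trace, one source trying many different accounts in a short window with almost all attempts failing, which is what the detection logic below looks for. This is an added example, not code from the article or from Keeper Security or Netrio; the log format, the sample lines and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re
# Constructed sample log in an assumed "timestamp ip user result" format.
# 203.0.113.7 sprays six accounts in six seconds (one succeeds): stuffing.
# 198.51.100.4 is one user mistyping twice and must not be flagged.
SAMPLE_LOG = """\
2026-04-30T09:00:01 203.0.113.7 alice FAIL
2026-04-30T09:00:02 203.0.113.7 bob FAIL
2026-04-30T09:00:02 203.0.113.7 carol FAIL
2026-04-30T09:00:03 203.0.113.7 dave FAIL
2026-04-30T09:00:04 203.0.113.7 erin SUCCESS
2026-04-30T09:00:05 203.0.113.7 frank FAIL
2026-04-30T09:00:09 198.51.100.4 alice FAIL
2026-04-30T09:00:20 198.51.100.4 alice FAIL
2026-04-30T09:00:31 198.51.100.4 alice SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse(log_text):
    """Return (timestamp, ip, user, result) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return events

def stuffing_sources(events, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Return {ip: accounts that logged in successfully} for every source that,
    inside any `window`, tries >= min_users distinct accounts with a failure ratio
    >= min_fail_ratio. One account failing repeatedly (brute force) is not matched;
    accounts that succeeded from a flagged source are the ones needing a reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window start
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, r in chunk if r == "FAIL")
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(u for _, u, r in chunk if r == "SUCCESS")
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(stuffing_sources(parse(SAMPLE_LOG)))  # {'203.0.113.7': ['erin']}
```

The thresholds are starting points to tune against your own baseline; the useful output is not the IP to block but the list of accounts whose reused password has just been confirmed.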