World Password Day: Have Passwords Become Obsolete?

The first Thursday of May is celebrated as World Password Day, as the conversation now moves beyond passwords to phishing-resistant forms of authentication

In a world mired in cyber incidents, another World Password Day has come around as a reminder to secure our digital lives.

First launched by Intel Security in 2013, World Password Day aims to encourage stronger password habits and raise awareness around online security. 

Held annually on the first Thursday of May, the event has evolved from a static reminder to update weak passwords into a wider conversation on the future of authentication – particularly relevant today as governments, businesses and technology providers increasingly push towards passwordless security. 

In the UK, the National Cyber Security Centre has begun promoting passkeys as a safer alternative to traditional passwords, reflecting growing concern over the rise in AI-enabled phishing, credential theft and cyber attacks.


Niall McConachie, regional director UK & Ireland at Yubico, says: “Traditional passwords are fundamentally flawed and increasingly vulnerable to compromise – a major concern given they are still the most commonly used authentication method, leaving users highly susceptible to cyber attacks like phishing.”

He adds that the threat landscape is now increasingly populated by cyber criminals who rely on AI agents “that can plan, reason and execute multi-stage attacks without human oversight.”

“The clear successor is the passkey, which is now the gold standard for secure, modern authentication in a digital world.” 

Are passkeys the future?

Passkeys replace traditional passwords with device-based authentication methods such as biometrics, PINs or hardware security keys. 

The growing dependence on passkeys is a product of their resistance to phishing: there is no password for attackers to intercept or reuse.

“In its most secure form, a passkey is device-bound – it is not a secret that staff must remember (like a password), but a physical token they possess – such as a hardware security key,” Niall explains. 

“The passkey is stored on the physical device and is resistant to phishing because it cannot be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts.”

Phishing-resistant multi-factor authentication is vital for stronger identity protection, as pressure mounts on businesses to secure remote workforces, cloud applications and customer accounts.

Weak passwords are still driving cyber attacks

The persistence of weak password habits remains a major concern for cybersecurity professionals. 


“Despite heavy pushes from Apple, Google, Microsoft, CISA and us encouraging stronger authentication methods, compromised credentials remain our most observed root cause in identity-related attacks last year,” notes Jeramy Kopacko, Associate Field CISO Americas at Sophos.  

“Attackers will take advantage of password breaches from popular sites and apps we use as consumers. 

“This is low-hanging fruit to obtain with a strong history of success in cyber-attacks. This allows for spray and pray attempts or building a dictionary of your password history.”

As a consumer, World Password Day still brings an opportunity to improve basic cyber hygiene by using password managers, enabling multi-factor authentication and reviewing account security settings. 

For businesses, however, the conversation is increasingly focused on long-term identity strategies and reducing dependence on passwords entirely. 

Rebranding World Password Day

With passkey adoption now the new norm across governments and major technology platforms, World Password Day is as much about the future of authentication as it is about passwords themselves.


“World Password Day is in desperate need of a rebrand,” argues Ev Kontsevoy, CEO at Teleport.

“Passwords are broken. The industry knows this. Every static credential – every password, API key, private key or any secret of any kind – is a persistent risk. 

“This risk tends to grow exponentially as you scale. These things linger in config files, get shared and passed around, get stolen or sold.

“The real question is NOT about how to make passwords stronger or how to rotate them more frequently. It’s how to eliminate secrets from computing infrastructure entirely and replace them with a strong identity based on hardware root of trust.”

“As long as we keep this celebratory attitude towards passwords, we’re optimising for the wrong outcome,” Ev points out. “It’s time to move on to something that reflects where security is heading, not where it’s been.”
