
World Password Day Puts a Spotlight on Passwords, Passwordless


May 1 is World Password Day, a recognition of the need for people to strengthen the passwords they use for the myriad online personal and business accounts, and a reminder that human behavior continues to be the top weakness in cybersecurity, making passwords – while important – a mixed bag.

A growing number of tech companies and executives also use this day to remind the business world of the need to do away with passwords altogether in favor of more advanced – and safer – authentication technologies, like passkeys and biometric options.

The future of passwords is an ongoing debate that circles around ways to harden passwords and verification, from multifactor authentication (MFA) to password managers in the business world.

That said, passwords don’t appear to be disappearing anytime soon, so the push is on to find ways to strengthen them while planning for the future.

Melissa Bischoping, head of security research at Tanium, notes that passwords used for safe computer access have been around since 1961, and since then they have “evolved in length, complexity, and character requirements. But despite these advancements, they’ve also introduced layers of complexity to the user experience resulting in a more burdensome method of securing identity and file access.”

A Lot of Online Accounts and Passwords

Part of the burden is the sheer number of passwords, which has grown past what it is reasonable to expect people to remember. Password manager vendor NordPass last year highlighted that since 2020, the average number of passwords that people use for personal accounts jumped almost 70%, to 168, while the average number of passwords for business accounts stood at 87.

Given that, many users choose easy-to-remember passwords, identity protection company SpyCloud highlighted in a report, which revealed that among the most common passwords exposed in breaches last year were “123456,” “Admin,” and “qwerty.” Users also reuse the same password for multiple accounts, so if a hacker gets hold of a reused password, they can gain access to all of those accounts.

SpyCloud researchers found that 70% of users' data exposed in breaches in 2024 was a result of reused, old, and compromised passwords across various accounts.

Hackers Switch Focus to Identities

A key problem is that over the past several years, threat actors have shifted their target of choice from software vulnerabilities to companies’ networks, and then to identities and credentials, and even that is still evolving.

A 2024 survey by Forrester Advisor revealed 46% of respondents had their password stolen in the previous year, and 68% had to change their password across multiple accounts after it was compromised.

“Cybercriminals aren’t just stealing individual credentials anymore – they’re able to access vast amounts of users’ exposed identity data, making it easier than ever to slip past security defenses,” SpyCloud researchers emphasize. “With each breach, malware infection, or successful phishing campaign, their playbook expands, giving them new ways to infiltrate organizations with alarming precision.”

Hardening Security

The threat from bad actors makes it imperative for organizations and individuals to ramp up their password hygiene, said Erik Nordquist, global managed security product director at GTT, a networking and security company.

Nordquist called practices like MFA and complex passwords “a critical barrier against unauthorized access and identity compromise. Tools such as password managers can make life easier for users without sacrificing security. And don’t overlook training. Regular reminders, quick refreshers, and building a security-aware culture can go a long way in keeping your network safe.”

Those are all good steps, but with bad actors ramping up their use of AI and automation, such protections aren’t enough, according to Takanori Nishiyama, senior vice president of APAC sales and Japan country manager at password management firm Keeper Security.

“Hackers today use password-cracking tools – many powered by machine learning – that can guess common patterns and character swaps in a matter of seconds, meaning that being clever isn’t secure anymore,” Nishiyama said. “The more we rely on predictable behavior, the easier we make it for attackers to breach our accounts.”

MFA tools are also increasingly falling victim to ever more sophisticated cybercrime operations.

Enter Passwordless

That’s where emerging passwordless technologies – like passkeys – are coming into play. Top-tier companies like Microsoft, Google, and Apple have been working with the FIDO (Fast IDentity Online) Alliance to push the adoption of passkeys and other authentication methods that don’t involve passwords.

There is some momentum behind the push. According to FIDO’s Online Authentication Barometer survey late last year, 20% of the world’s top 100 websites and services, including Amazon, Microsoft, Google, Uber, and Meta-owned WhatsApp, have deployed passkeys, and public awareness of the technology jumped from 39% in 2002 – the first year passkeys were introduced – to 57% last year.

Biometrics – facial recognition, fingerprint scanning, and the like – got its due, with 29% of 10,000 consumers surveyed saying it was most secure.

Passwords at RSA Conference

Kelvin Lim, senior director and head of sales engineering in the APAC region for app security company Black Duck, said the industry is “witnessing passwordless authentication becoming increasingly popular. More services are adopting passkeys, biometric authentication, or token-based authentication.”

This year, World Password Day coincides with the RSA Conference in San Francisco, where authentication is a key focus among several announcements. Included among them were BeyondTrust launching its Identity Security Risk Assessment service to help organizations shore up weaknesses and manage risk, Huntress rolling out a managed identity threat detection and response (ITDR) offering to protect against OAuth application threats, RSA unveiling a new feature, Help Desk Live Verify, to protect against social engineering and technical support scams, and several passwordless security offerings.

The 'Identity Renaissance'

Bojan Simic, CEO of identity security firm HYPR, struck an optimistic tone, stressing that the industry is at a “pivotal juncture in identity management and IT security. For the first time, we’re witnessing an actual turning point in the fight against identity-based attacks.” He acknowledged the growing number of data breaches and the use by bad actors of AI and other emerging technologies.

However, Simic also stated the industry is entering the “Identity Renaissance,” noting that almost 46% of organizations have adopted tools like passwordless, passkeys, and phishing-resistant authentication methods, and all could become the “gold standards in authentication by 2027.”

“A transformation is taking place,” he said. “By eliminating passwords and empowering organizations with modern identity verification tools, we are enhancing security and laying the foundation for growth, innovation, and improved user experiences.”
