
Insights from Industry Experts on World Password Day

World Password Day is an annual observance dedicated to promoting better password habits and raising awareness about the importance of cybersecurity. It typically falls on the first Thursday of May each year. The day serves as a reminder for individuals, organizations, and businesses to review and strengthen their password practices to enhance their online security.

Started by Intel in 2013, World Password Day has gained traction globally as cybersecurity concerns have escalated with the increasing prevalence of online threats such as hacking, data breaches, and identity theft. On this day, various organizations, cybersecurity experts, and government agencies often share tips, resources, and best practices for creating strong, unique passwords, utilizing password managers, enabling two-factor authentication, and staying vigilant against phishing attempts.

The overarching goal of World Password Day is to empower individuals and businesses to take proactive steps in safeguarding their digital identities and sensitive information against cyber threats, ultimately contributing to a safer and more secure online environment.


Chetan Anand, Associate Vice President – Information Security and CISO, Profinch Solutions, ISACA Global Mentor

Nearly half (49%) of incidents cited in Verizon’s 2023 Data Breach Investigations Report (DBIR) involved compromised passwords. You are a step ahead when you implement good password hygiene practices both at home and at work.

Use quality passwords of at least 12 characters that contain a mix of upper- and lower-case letters, numbers and special characters. Even better, use a passphrase (e.g. MaryHadALittleLamb@3489#). Remember to create passwords that are easy to remember but difficult to guess, and say a big no to dictionary words and combinations of them. On a lighter note, did someone hack your password? Go change the name of your pet! Use different passwords for different accounts; otherwise, if one account is compromised, it is likely to lead to the compromise of all accounts. Make it a habit to change your passwords periodically, and also whenever you suspect someone knows your password or you know it has been leaked. Do not re-use passwords. Choose wisely the security questions you will be asked in case you forget your password.

Difficult to remember so many credentials? Try using a password manager/password vault. However, do understand that it is possible to hack password managers! Store your passwords securely and opt for additional security by enabling multi-factor authentication (MFA). Do not share the one-time password (OTP) received via SMS or email with ANYONE. Needless to say, passwords and security Q&A should not be shared with anyone. It is better to type the password every time than to save it in the browser. There could be vulnerabilities in the browser which may be exploited, and the bad guys end up having access to your account.

This World Password Day, review all your accounts – bank and financial, emails, applications, digital devices, social media etc. – and see if the passwords need a change. Have you already reviewed them? Well, spread this message and help your loved ones and colleagues at work to do their part.
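The hygiene rules in the remarks above (minimum length, character mix, no dictionary words, no known-leaked passwords, no reuse across accounts) written out as a small checker. This is an added example, not code from the article or from Chetan Anand; the dictionary word list and the leaked-password digests are constructed stand-ins for a real wordlist file and breach corpus, and `evaluate_password`, `find_reused` and the six-character "trailing decoration" rule are this example's own choices.

```python
"""Password-hygiene checks: length, character mix, dictionary words,
known-leaked passwords and reuse across accounts.
Added example; the word list and leaked-password list below are constructed stand-ins."""
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12  # the minimum recommended in the article

# Constructed stand-in for a real dictionary; a real check would load a wordlist file.
DICTIONARY_WORDS = {"password", "welcome", "summer", "admin", "monkey", "dragon", "qwerty", "letmein"}

# Constructed stand-in for a breach corpus, held as SHA-1 digests, the form in which
# corpora such as the Have I Been Pwned range API are queried. Computed from plaintext
# here only so the example stays self-contained.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2024!", "Summer2023!!")
}

CLASS_PATTERNS = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Up to six trailing digits/symbols: the usual "word + year + !" decoration that
# turns a dictionary word into something that only looks complex.
TRAILING_DECORATION = re.compile(r"[0-9!@#$%^&*._-]{0,6}$")


def evaluate_password(password: str) -> list:
    """Return the policy findings for a password; an empty list means it passes every check."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CLASS_PATTERNS.items() if not pat.search(password)]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    core = TRAILING_DECORATION.sub("", password).lower()
    if core in DICTIONARY_WORDS:
        findings.append("built on a single dictionary word")
    if hashlib.sha1(password.encode()).hexdigest().upper() in LEAKED_SHA1:
        findings.append("appears in a known leaked-password list")
    return findings


def find_reused(accounts: dict) -> dict:
    """Map every password guarding more than one account to the accounts that share it."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: sorted(accs) for pw, accs in by_password.items() if len(accs) > 1}


if __name__ == "__main__":
    for candidate in ("dragon2024!", "Password123!", "MaryHadALittleLamb@3489#"):
        print(candidate, "->", evaluate_password(candidate) or ["ok"])
    # Constructed account inventory in which one password is reused on two accounts.
    print(find_reused({
        "bank": "MaryHadALittleLamb@3489#",
        "email": "MaryHadALittleLamb@3489#",
        "forum": "Tr0ub4dor&3-unique",
    }))
```

The passphrase from the article passes every check, while `dragon2024!` fails three of them at once: it is short, lacks an upper-case letter, and is a dictionary word with a year bolted on. A real deployment would replace the constructed sets with a wordlist file and a breach-corpus lookup.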

Chandramouli Dorai, Lead – Cybersecurity Solutions, Zoho Corp.

“As we mark the World Password Day this year, organizations must reassess their digital security posture starting from securing browsers to implementing multi-factor authentication. When it comes to password security, best practices such as avoiding the use of obvious, non-unique, and recycled passwords can significantly lower the risk of data breaches. Similarly, changing passwords on a regular basis and implementing robust password management software can help businesses safeguard their digital identities and assets. Biometric passwords are also emerging as the preferred choice for businesses handling critical and sensitive data, and are becoming a common practice across the globe. Empowering all stakeholders through continuous awareness and training programs is an equally important aspect of digital security to identify and address security loopholes even before any cyberattacks take place.”


Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint

“With as many as 4,000 password attacks occurring per second globally, the vulnerability of user passwords has become more pronounced with a tenfold increase in attacks in the past year alone. Despite years of industry discourse on the perils of weak passwords, organisations continue to underestimate the risks associated with relying solely on passwords to safeguard valuable information – with login and access passwords serving as the Achilles’ heel exploited by hackers to breach corporate networks.

Passwordless solutions have emerged as a promising alternative, incorporating technologies such as biometrics, authenticator apps and tokens. However, it remains crucial for organisations to recognise that these alone do not ensure security. Malicious actors often also exploit weaknesses in business systems lacking least-privileged access controls – especially in today’s dynamic threat landscape, where compromised identities often serve as the primary trigger for the majority of data breaches.

The consequences of this oversight are costly, making businesses susceptible to a barrage of attacks once cyberattackers get one foot in the door. In fact, IDC’s recent report found that a staggering 59% of enterprises in APJ have fallen victim to ransomware attacks, with 32% ultimately paying the ransom. Furthermore, the advent of AI has exacerbated the risk for businesses, empowering even novice cybercriminals with accessible means to launch even more complex and sophisticated threats.

Instead of viewing passwordless authentication as a standalone solution, organisations should seamlessly integrate it with a robust identity security framework. Given that organisations are set to manage up to 10% more identities over the next 3 years, it is critical for organisations to have the capability to manage access levels across all identities within the entire IT ecosystem. A unified, integrated identity security approach gives organisations full visibility into their identity landscape, enabling them to swiftly detect and prevent unauthorised attempts to access privileged information or systems, and detect any irregular activities early as a reliable fail-safe.”


Fabio Fratucello, CTO International, CrowdStrike

“Compromised passwords and user identities are as good as gold for today’s cyber attackers. According to CrowdStrike’s Global Threat Report 2024, 75% of attacks used to gain initial access are now malware-free. Adversaries are moving away from malware and malicious attachments, and toward more subtle and effective methods such as credential phishing, password spraying, and social engineering. With stolen identities, the adversary can then log in with legitimate credentials. The market for stolen identities continues to grow: In 2023, CrowdStrike observed a 20% jump in access broker advertisements selling valid credentials. Additionally, as organizations increasingly move operations to the cloud, adversaries are exploiting gaps in protection, evidenced by a 75% increase in cloud intrusions last year. Attackers leverage identity-based techniques to gain access, persist, and escalate privileges in cloud environments. These trends highlight the fact that identities are primary enablers of modern attacks, and protecting them is crucial. Organizations are encouraged to adopt tools and solutions for multi-factor authentication (MFA), encryption, password managers, and advanced identity threat protection.”
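Password spraying, named above as one of the malware-free techniques, is hard to catch with per-account lockout rules because each account sees only one or two attempts; the signal is one source failing against many distinct accounts. The following detector is an added example, not CrowdStrike's code or anything from the article: the log line format, the sample lines (using documentation address ranges), the five-user threshold and the ten-minute window are all constructed for illustration.

```python
"""Flag password spraying in authentication logs: one source failing logins against many
distinct accounts inside a short window. Added example; the log format and sample lines
are constructed, and the thresholds are assumptions to tune per environment."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log. 203.0.113.7 sprays six accounts in 15 seconds and then logs in
# as frank with a credential that worked; 198.51.100.9 hammers one account (brute force,
# not a spray); 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z auth=FAIL user=alice src=203.0.113.7
2024-05-02T09:00:04Z auth=FAIL user=bob src=203.0.113.7
2024-05-02T09:00:07Z auth=FAIL user=carol src=203.0.113.7
2024-05-02T09:00:10Z auth=FAIL user=dave src=203.0.113.7
2024-05-02T09:00:13Z auth=FAIL user=erin src=203.0.113.7
2024-05-02T09:00:16Z auth=FAIL user=frank src=203.0.113.7
2024-05-02T09:02:40Z auth=OK user=frank src=203.0.113.7
2024-05-02T09:01:00Z auth=FAIL user=alice src=198.51.100.9
2024-05-02T09:01:05Z auth=FAIL user=alice src=198.51.100.9
2024-05-02T09:01:09Z auth=FAIL user=alice src=198.51.100.9
2024-05-02T09:05:00Z auth=OK user=alice src=192.0.2.44
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_spraying(lines, distinct_users=5, window=timedelta(minutes=10)) -> dict:
    """Return {src: set_of_users} for sources whose failed logins reach distinct_users
    different accounts inside any sliding window of the given length."""
    events = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> (ts, user) pairs still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        q.append((e["ts"], e["user"]))
        while e["ts"] - q[0][0] > window:  # drop attempts that aged out of the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            alerts.setdefault(e["src"], set()).update(users)
    return alerts


def successes_from_flagged(lines, alerts: dict) -> list:
    """Successful logins from a flagged source: the 'log in with legitimate credentials'
    step that follows a spray and deserves an immediate look."""
    return sorted((e["user"], e["src"]) for e in map(parse_line, lines)
                  if e and e["result"] == "OK" and e["src"] in alerts)


if __name__ == "__main__":
    found = detect_spraying(SAMPLE_LOG)
    for src, users in found.items():
        print(f"spray from {src}: {sorted(users)}")
    print("successful logins from flagged sources:", successes_from_flagged(SAMPLE_LOG, found))
```

Only 203.0.113.7 is flagged; the single-account brute force from 198.51.100.9 is a different pattern that per-account lockout already covers. The successful login for `frank` from the flagged source is the event worth treating as an intrusion, not merely as noisy failures.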


Nicholas Miles, Staff Research Engineer at Tenable

“Passwords are a commonly employed mechanism of access control for computing systems. They also play a role in securing OT environments. But first, let’s talk about how OT systems are typically secured.

“The Purdue Model is the most common way an ICS network is architected and secured. It relies heavily on segmentation and takes a layered approach where the most sensitive components directly attached to equipment run at the lowest layers and are the most protected. Typically, each layer is on a separate LAN or VLAN, and firewalls control access between the layers.

“Surprisingly, the most sensitive devices running at the lowest layers – programmable logic controllers (PLCs) – often have the weakest access controls. Historically, this has been due to the fact that they’re protected behind multiple layers of firewalls and only someone physically onsite is able to access them directly. However, emerging malware threats like Stuxnet, CrashOverride, Pipedream, Havex, and BlackEnergy demonstrate the ability to breach even air-gapped systems. This can be accomplished by infecting a technician’s laptop which is later connected to the network containing PLCs.

“It’s therefore becoming more and more important to make sure every piece of equipment – including PLCs – is protected with the strongest possible access controls. If available, cryptographic keys provide the best access control. You cannot guess or brute force a properly generated cryptographic key, and cryptographic keys are a lot easier to manage and control, including the ability to easily and rapidly revoke them if compromised.

“If asymmetric cryptographic access controls are unavailable on a PLC, passwords should be used following best practices. This includes periodic password rotation and minimum complexity requirements. Of course these passwords need to be properly stored and secured.

“Gateways and systems such as HMIs (Human Machine Interfaces) running at higher layers should be protected by multifactor authentication, and every interaction should be logged and monitored.

“For this World Password Day, remember that relying on a single password for access control carries the most risk, especially in an OT environment. With some OT devices, that might be the only security mechanism a device supports. However, where possible, it’s best to use cryptographic controls and multifactor authentication and rotate and protect your passwords!”
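Two of the practices above, storing device passwords properly and rotating them periodically, in working form. This is an added example and not Tenable's or the article's code: the PBKDF2 record format, the iteration count, the 90-day rotation period and the device inventory are all this example's own assumptions.

```python
"""Keep device and PLC passwords as salted PBKDF2 hashes rather than plaintext, verify them
in constant time, and report credentials older than the rotation period.
Added example; the record format, work factor, rotation period and inventory are assumed."""
import hashlib
import hmac
import os
from datetime import date, timedelta

# Work factor: 600,000 iterations of PBKDF2-HMAC-SHA256, in line with current OWASP guidance
# (an assumption for this example; tune to the hardware that performs the verification).
ITERATIONS = 600_000
ROTATION_PERIOD = timedelta(days=90)  # assumed policy value


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = salt or os.urandom(16)  # fresh random salt per credential unless one is supplied
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def overdue_for_rotation(last_rotated: dict, today: str) -> list:
    """Names of devices whose password (ISO date of last change) is older than ROTATION_PERIOD."""
    now = date.fromisoformat(today)
    return sorted(dev for dev, when in last_rotated.items()
                  if now - date.fromisoformat(when) > ROTATION_PERIOD)


if __name__ == "__main__":
    record = hash_password("Line3-Plc#Rotate-2024")  # constructed credential
    print(record)
    print(verify_password("Line3-Plc#Rotate-2024", record), verify_password("guess", record))
    # Constructed inventory of last-rotation dates per device.
    inventory = {"plc-line3": "2024-01-15", "hmi-line3": "2024-04-10", "gateway-01": "2023-11-30"}
    print(overdue_for_rotation(inventory, "2024-05-02"))
```

The record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing entries, and `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched. The rotation report is the piece that turns "periodic rotation" from a policy sentence into a list someone can act on.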


Sanjay Khera, Head of Marketing at Eventus Security:

“World Password Day serves as a timely reminder of the critical role strong and unique passwords play in fortifying our defenses against cyber threats. A single weak password can serve as a gateway to a massive data breach. At Eventus Security, we advocate for holistic security strategies that go beyond traditional password protection, helping people and businesses stay safe from evolving threats online. Let’s start with a small proactive step today by reviewing and reinforcing our password credentials and following best practices. Even the smallest step can mitigate substantial risks.”


Christopher Budd, Director – Threat Research, Sophos

“This year’s ‘World Password Day’ really needs to be ‘World Password and MFA (Multifactor Authentication) Day.’ As we saw in both our 2024 Annual Threat Report and our most recent Active Adversary report, attackers are zeroing in on companies’ data—and credentials to privileged systems are some of a company’s most valuable assets.

The recent attack against Change Healthcare is an unfortunate reminder that the right set of passwords—coupled with a lack of MFA—can have devastating consequences. In the case of Change Healthcare, that’s all the ransomware attackers needed to take whole systems offline and exfiltrate massive amounts of patient data.

Going forward, enabling MFA everywhere possible for companies is not just important—it’s essential.”