Passwords have long been a staple of security. This World Password Day, cybersecurity leaders are reflecting on the evolution of passwords and considering how much more they can — and will — transform. 

World Password Day

World Password Day is recognized annually on the first Thursday in May. The purpose of this day is to raise awareness for password security and encourage secure password practices. 

Randolph Barr, CISO at Cequence, shares, “World Password Day is a great time to remind people about the importance of maintaining good password practices. Passwords are the most important line of defense for organizational and personal information, which means they are also a top target for threat actors.”

To protect against threat actors, secure password practices are essential.

“The easiest way to keep attackers at bay is to make strong, unique passwords for each account,” says Barr. “One of the most common attack tactics is a brute force attack, which is an authentication-related attack that takes advantage of people who use either generic or shared passwords. By exploiting this weakness, cybercriminals can gain access to an entire organization with one faulty password. Multi-factor authentication is an additional preventive measure that can help protect information; many banking and fintech enterprises make use of the safeguards it brings. Password managers are also helpful, as they store multiple passwords across separate accounts, all protected by one ultra-strong master password.” 

How far passwords have come, and how much farther they have to go

Nicolas Fort, Director of Product Management at One Identity, shares his insights on the evolution of password security, stating, “Passwords have come a long way, from punch-tape reels in 1961 to the world of multi-factor authentication and fingerprint identification we inhabit today. The next leap is already happening — passkeys tied to devices, one-time AI-generated tokens, and even blockchain-backed session receipts.” 

Fort explains a driving force behind this evolution, saying, “It’s no accident that password technology is constantly evolving. Cyberattacks are more frequent, threat actors have more sophisticated tools at their disposal, and as businesses continue to store more and more sensitive data online, regulators are rightly demanding that they keep up. HIPAA, the EU’s NIS2, the UK’s Cyber Resilience Act, DORA and countless other rules and regulations all now demand rock-solid control over user accounts at every single touchpoint. That means audited sessions, behavioral analytics, rotating passwords, and just-in-time credentials – so that no matter how hard attackers try, there’s simply nothing there to steal.”

While passwords and password security measures have evolved, there is still room for improvement. 

David Cottingham, President of rf IDEAS, shares, “While cybersecurity and IT leaders have become more aware of the risks that password-based authentication systems pose for their users and data, action continues to be delayed. All it takes is one vulnerable endpoint to open the door to an account takeover and passwords increase that risk daily. I would urge companies across industries to evaluate their credential strategy and migrate to more secure options before a breach happens so the investment can be made in bolstering security infrastructure and not breach consequences.”

A passwordless future

What does the future of passwords look like? According to Barr, the future may be passwordless instead. 

Barr explains, “While password hygiene and multi-factor authentication remain essential today, the cybersecurity community is clearly moving toward a passwordless future. Even the strongest passwords can be phished or exposed, which is why many Fortune 100 technology companies have transitioned large portions of their workforce to passwordless authentication using mobile authenticators, device-based login, and biometric verification. Additionally, global financial institutions are enabling passkey support and app-based logins, while Fortune 500 retail and consumer platforms are deploying passwordless login options to reduce fraud and improve user experience. To prepare for this future, organizations should begin testing passwordless flows within internal environments, choosing identity platforms that support passkeys and FIDO2 standards. On the individual level, users can explore these capabilities already available in major devices and Android, Google, iOS and macOS (to name a few).”