Passwords cling on to celebrate another World Password Day


Last year we asked whether it was time to make World Password Day a thing of the past. But despite the rollout of passkey technology from giants like Google, passwords are still here a year on.

There's no doubt that the use of passwords is in decline, but they are proving more tenacious than many people predicted. Here are some expert views on the role of passwords in the wider digital security landscape.

"The more rules there are, the less likely people are to follow them," says Mark Stockley, senior threat intelligence researcher at Malwarebytes. "Organizations must consider the long list of password policies they're asking users to follow, from at least 14 characters -- not forgetting punctuation and at least one uppercase letter -- to unique passwords for each and every account. It's far more productive to encourage more impactful security strategies, such as multi-factor authentication (MFA) and an account lockout policy. By requiring additional verification steps such as these, it enhances account protection and guards users against compromised credentials."

Craig Davies, CISO at Gathid says:

World Password Day serves as a vital reminder of the importance of proactive digital security. While strong passwords remain a foundation of protection, they alone are no longer sufficient. World Password Day isn't just about changing your passwords. It's about building a smarter, more secure approach to your digital life.

Start by making unique passwords your rule of thumb and make sure you use a password manager. Any password used in multiple places creates a significant security risk, particularly if compromised. Additionally, activate multi-factor authentication (MFA) wherever possible for a crucial extra layer of protection. Opt for a dedicated authenticator app on your phone for enhanced security over SMS-based codes. And remember to never share your authentication codes.

Finally, keep an eye out for passkey login options. This emerging passwordless standard, which major companies like Google and Apple already support, replaces traditional text-based passwords with a unique digital key linked to your device, making it far tougher for hackers to crack. Whenever a website offers a passkey option, make the switch for enhanced protection.

"It is fantastic to see the UK pioneering new legislation to help crack down on the myriad cybersecurity issues caused by IoT devices, and this can only make homes and small businesses more secure, while creating greater challenges for the criminals exploiting them," says Matt Aldridge, principal solutions consultant at OpenText Cybersecurity. "It's also great to see that the government is in line with the industry on promoting cyber hygiene, it's crucial that we remain vigilant and proactive in securing our digital footprints."

Passkeys are still the future, thinks Carla Roncato, vice president of identity at WatchGuard Technologies. "On this World Password Day, we should all pause and think about how we can adopt passkeys. Passkeys represent a significant industry shift in identity security, moving away from traditional credentials of usernames and passwords to a more secure 'no knowledge' approach to authentication that is a vastly better user experience. As a form of passwordless authentication, passkeys aim to eliminate the inherent risk factors of traditional credentials."

This is echoed by Jason Keenaghan, director of product management, IAM at Thales. "If we need an awareness day, it's time to re-brand and highlight the importance of passkeys. Using cryptographic techniques, passkeys are harder to crack -- making them far more secure. They're also automatically generated and can be safely stored on devices, making it easier for the consumer and eliminating the need to create long, complex passwords or phrases. Finally, passkeys enable greater privacy by granting authentication without handing over sensitive information -- reducing the risk of data breaches."

We'll leave a final word to Morgan Wright, chief security advisor at SentinelOne:

There was a time when moats protected castles, and knights in shining armor on horseback defended the kingdom. There was also a time when passwords protected the most valuable of secrets. Like moats and knights, that era has passed.

Identity is the new perimeter. Subscribing to the antiquated notion that a password is the first and last line of defense has been eclipsed by the modern threat environment. If your security depends solely on the strength of a password, you are going to be disappointed in quick fashion.

There will be those who cling to their passwords and reject modern approaches, like biometrics and advanced authentication techniques and technology. They will become a footnote in digital history, referred to only in anecdotes that start with "Back in my day…"

If William Shakespeare were alive today, his great poem Caesar may have started differently.

"Friends, Romans, countrymen, lend me your ears; I come to bury passwords, not to praise them."

Even Shakespeare knew passwords were a problem.


© 1998-2024 BetaNews, Inc. All Rights Reserved.