Time to Lay the Password to Rest: Why World Password Day Should Be Its Last
- Cyber Jack
- May 1
Updated: May 1
Every year, World Password Day rolls around like clockwork—a well-meaning reminder to change those aging credentials, patch up security holes, and maybe, just maybe, pick something stronger than your dog’s name followed by “123.” But if you ask Drew Perry, Chief Innovation Officer at Ontinue, the day is starting to feel obsolete.
“As positive a day as World Password Day is, I look forward to the day it no longer exists or is at least renamed!” Perry says. “With the rise of passkey support across major platforms and devices, we're finally seeing a shift towards more secure and user-friendly authentication. Passkeys are cryptographic credentials that eliminate the need for passwords entirely, offering phishing-resistant, biometric-based access.”
It’s a bold stance, but it’s one that cybersecurity leaders are increasingly embracing. For decades, passwords have been the brittle first line of defense between users and their data—easy to forget, easier to steal, and notoriously difficult to manage at scale. Even as password managers and multi-factor authentication (MFA) have gained traction, attackers have evolved right alongside them.
In fact, 2024 marked a turning point: stolen credentials surpassed phishing emails as the second most common initial intrusion vector into businesses, according to threat intelligence data. The culprit? A new generation of infostealer malware designed to lurk silently, capturing login credentials the moment they’re typed—no phishing email required.
“We have been saying since the early 2010s that ‘hackers don't hack in, they log in,’ and as time goes on it becomes even more true,” Perry notes. “This enables attackers to simply log in if no other secondary authentication methods are enabled—which, sadly, is often the case.”
The problem isn’t just technical—it’s human. Passwords demand memorization, encourage reuse, and penalize users for small lapses in hygiene. As platforms pile on complexity in an effort to stay ahead—special characters, minimum lengths, mandatory resets—users find themselves locked in a losing battle between security and sanity.
Enter passkeys, a cryptographic, device-tied alternative gaining rapid adoption from tech giants like Apple, Google, and Microsoft. Unlike passwords, passkeys are not shared secrets stored on servers where they can be breached: the service keeps only a public key, while the matching private key stays with the user's device. Signing in relies on public-key cryptography, with the user unlocking the private key locally through biometric authentication (a fingerprint or face scan) or a PIN, so no sensitive credential is ever transmitted.
The shift to passkeys could make credential stuffing—a cybercriminal staple—essentially obsolete. And it couldn’t come soon enough. A recent uptick in high-profile breaches and identity theft incidents underscores just how fragile the current password-based ecosystem has become.
“Awareness is key,” Perry emphasizes. “Enable passkeys where possible. We have come a long way. Password manager adoption is rising, multi-factor authentication is available for most critical online services, and people are reusing the same passwords less. But still, hackers are succeeding in their attacks.”
For Perry and other security leaders, the writing is on the wall: World Password Day may soon be celebrating a relic of a bygone era. And perhaps that’s worth celebrating in itself.
“I suggest we lay the password to rest and embrace the passwordless future,” Perry says.
Until then, the advice is simple: If you can ditch the password, do it. And if you can’t, add every layer of protection you can. Because hackers aren’t picking locks anymore—they’re walking right through the front door, key in hand.