World Password Day this year feels different, and there are several reasons why…
Security groups and technology companies spent years telling people to create longer passwords, add symbols and avoid reusing the same codes. Now the conversation has turned toward removing passwords from daily life completely.
Steve Shoaff, SVP of Transformation at Imprivata, thinks the old system no longer makes sense for modern security.
He said, “Today is World Password Day – a reminder of one of the most outdated and frustrating conventions still embedded in modern technology. Passwords have long been a necessary part of digital security, while at the same time being one of its biggest liabilities.
“Bad password habits have been around for so long that continuing to blame users just isn’t productive. The real problem is that the model itself is broken and increasingly unnecessary for the majority of our logins.”
Shoaff believes password-free logins are getting close. He said, “That’s why I’m hopeful this may be one of the last remaining World Password Days. The industry is moving toward a future where passwords fade into the background – or disappear entirely – replaced by stronger, smarter authentication methods built on cryptography, trusted devices and identity-bound access.”
What Is Replacing Passwords?
The UK’s National Cyber Security Centre announced that passkeys should now become the first login choice for consumers when websites and apps offer them. The NCSC, which is a part of GCHQ, said passwords no longer offer enough protection against modern cyber crime.
Passkeys let people sign into accounts using a phone, fingerprint or facial scan instead of typing passwords manually. The NCSC says that passkeys are usually more secure than even very good and complicated passwords used with two-step verification. The organisation also said most cyber crime against individuals begins when criminals steal login details.
Google data released through the NCSC showed that more than 50% of active Google users in the UK already have at least one passkey registered. Large online services including Google, eBay and PayPal already support the technology.
Jonathon Ellison, Director for National Resilience at the NCSC, said, “Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience and I am pleased that we can now support uptake.”
He also said, “The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.”
Shoaff believes the biggest gain comes from removing human memory from security systems. He said, “The goal shouldn’t be better passwords or password managers. It should be a world that no longer asks people to manage passwords at all.”
More Experts Answer: Is This The End Of World Password Day?
As more professionals recommend passkeys over passwords, the question of whether World Password Day is still a relevant title is being discussed. More experts weigh in…
Our Experts:
- Niall McConachie, Regional Director (UK & Ireland), Yubico
- Jeff Watkins, Chief AI Officer, NorthStar Intelligence
- Terry Lewis, Founder and CEO, RoboShadow
- Jon Kane, Senior Director, Europe & META Channel, Forcepoint
- Kamran Bahdur, Chief Information Officer, FLR Spectron
Niall McConachie, regional director (UK & Ireland), Yubico
“Traditional passwords are fundamentally flawed and increasingly vulnerable to compromise – a major concern given they are still the most commonly used authentication method, leaving users highly susceptible to cyber attacks like phishing. This reality is even more alarming amid the increasing sophistication and evolution of AI-powered threats. Cyber criminals are no longer simply using AI to write phishing emails; they are deploying autonomous agents that can plan, reason and execute multi-stage attacks without human oversight.
“In response to the evolving threat landscape, users must move away from passwords towards stronger, more resilient technologies. The clear successor is the passkey, which is now the gold standard for secure, modern authentication in a digital world. This shift is gaining momentum globally and is being embraced across industries. For example, the UK Government is already in the process of adopting passkeys for its digital services, citing the superior security and protection they provide.
“In its most secure form, a passkey is device-bound – it is not a secret that staff must remember (like a password), but a physical token they possess – such as a hardware security key. The passkey is stored on the physical device and is resistant to phishing because it cannot be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts. They also manage logins across all users’ platforms and devices – meaning attackers can’t use AI to get around the wall of defence the physical key provides.
“With phishing-resistant multi-factor authentication (MFA) available to all, there’s no need to continue using insufficient authentication methods like passwords to keep online accounts secure. This World Passkey Day, it’s time for the widespread use of hardware-backed passkeys to take off and for passwords to be left in the past.”
Jeff Watkins, Chief AI Officer, NorthStar Intelligence
“As the world moves away from the venerable password towards more secure passkeys, World Password Day may eventually become an artefact of the past: remembered fondly, perhaps, but with a sense of wonder that it was ever needed in the first place.
“For years, we put the burden of password security on end users. That may have been tolerable in a simpler digital world, but today people are expected to secure dozens of services, accounts, and devices, often while being told to create long, unique, complex passwords that they must never reuse and, ideally, never write down. That was never a realistic human-centred security model.
“Passkeys change that equation. They shift authentication away from something users must remember, manage, and repeatedly defend towards something more secure by design. In that sense, passkeys are not just a better password; they are a recognition that passwords were always asking too much of people.
“World Password Day may persist for longer than we expect, though. Security is still too often treated as a cost centre rather than a value generator, and passwords will not disappear overnight. Legacy systems, poor implementation, user habits and uneven adoption mean we are likely to live in a hybrid world for some time yet.
“Will we see a “World Passkey Day” take its place? I’m not convinced. If passkeys are implemented properly, they should feel almost invisible. We tend not to create awareness days for security controls that simply work in the background. We do not have a World SSO Day or a World MFA Day, though Global Encryption Day exists, so I would not rule it out entirely.
“Will anyone miss passwords when they are gone? I suspect not. I am already looking forward to the eventual obituary:
“The password, source of countless cybersecurity breaches, born in the early days of computing and dragged unwillingly into the modern internet age, quietly slipped away last night in the year 2045. We tried making them longer. We tried making them more complex. We tried stopping people from writing them down. We tried stopping people from reusing them. We even tried password managers. But in the end, the password simply did not fit the way humans live online. Loved by hackers, hated by everyone trying to remember whether they needed a capital letter, a number, a symbol and the name of their first pet. No flowers.”
Terry Lewis, Founder and CEO, RoboShadow
“World Password Day 2026 Needs a Reset to “Cyber Discipline Day”
“World Password Day made sense when passwords were the front line of security, but in 2026, that’s no longer the case.
“Today, most organisations already have access to enterprise‑grade security by default. Multifactor authentication is widely available, passkeys are native to modern devices, and hardware‑backed protections like TPM are standard. The issue, therefore, isn’t about technology; it’s about discipline, and whether organisations use it consistently.
“In the AI era, attackers aren’t manually guessing passwords. They’re using automation to continuously scan, probe and enumerate environments at scale. Whether it’s a weak credential, an exposed API key, or a forgotten device, anything visible will eventually be tested.
“The real shift is that enumeration is no longer silent and organisations can detect it.
“Modern security tooling, including SIEM and SOC capabilities, is now more accessible than ever. That means organisations can see when accounts are probed, when credentials are tested, and when unusual authentication patterns emerge, even in environments using MFA or passkeys. AI hasn’t broken security, but it dramatically increases the volume and persistence of these attempts. It creates constant background noise from systems being tested, credentials being tried and access points being explored.
“The organisations that win aren’t those with the most complex or longest password policies; they are the ones that can see this activity, understand it, and respond to it quickly.
“In 2026, security isn’t about better passwords. It’s about cyber discipline and having the everyday operational habits that keep environments clean, visible and resilient.”
Jon Kane, Senior Director, Europe & META Channel, Forcepoint
“When I first started in cyber, I worked with someone who had ‘Tipp-Exed’ their passcode onto the back of their 2 factor authentication device! This certainly wasn’t acceptable then but shows that security is not just about the tech; it’s policy and education too. The rise of social engineering threats and phishing scams – which rely on human error – is forcing users to rethink their passwords and broader security strategy.
“This World Password Day, organisations need to rethink the ways they secure their networks, not just technology but also how it is used. Recent guidance from the NCSC recommends moving from passwords to passkeys and other biometric identity methods – a reflection of the changing nature of our identity security landscape.”
Kamran Bahdur, Chief Information Officer, FLR Spectron
“I would certainly not say World Password Day is coming to an end, as passwords will not disappear overnight just because a newer, more secure authentication method has appeared. Many systems and applications will continue to rely on them for years to come until passwords are fully phased out. This means they will still need to be maintained, and best practices regarding passwords will still need to be upheld.
“The transition to passkeys will continue, however, and will only accelerate as phishing attacks become increasingly sophisticated. As much as passkeys provide a much stronger defence against traditional password-based attacks, I am sure attackers will continue to find ways around them in some form. It is even plausible we will see another layer of authentication introduced as major threat actors shift their attention away from dwindling classic combinations of passwords and MFA.
“I think World Password Day is here to stay even if the original meaning of it shifts towards newer and more secure authentication methods.”


