World Password Day Quotes from Industry Experts in 2026

For World Password Day 2026, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts.

As part of this year’s World Password Day, we called for the industry’s best and brightest in Identity and Access Management and the broader cybersecurity market to share best practices, predictions for the future of passwords, and personal anecdotes. The experts featured represent some of the top influencers, consultants, and solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value. The list is organized alphabetically by company name.



Doug Kersten, Chief Information Security Officer (CISO) at Appfire, and Member of the Advisory Board at SurePeople

World Password Day reminds us that passwords are still among the most common ways attackers gain access to systems, and also among the most common ways to protect information. Password risk doesn’t usually come from a single weak password; it comes from how those credentials are used across an organization. Employees reuse the same passwords across systems, share access to move work forward, or connect them to new tools that aren’t centrally tracked. Over time, no one has a complete view of where access exists or who owns it.

That lack of visibility is exactly what attackers exploit. AI is making phishing emails, messages, and even voice calls more convincing, increasing the chance that someone could unknowingly hand over a password that can be used across multiple systems. Password risk lies within everything that the password connects to. The priority now is to reduce how often passwords are used, limit where they can be used, and ensure every system and account has clear ownership. This includes using multi-factor authentication, which requires a password and something you know, have, or are to increase the difficulty of compromising your accounts. When organizations have consistent visibility and control over access—alongside clear governance for how tools and credentials are used—a compromised password is far less likely to escalate into a broader security issue.


Pierre Mouallem, CISO at Delinea

World Password Day feels increasingly outdated. Passwords can no longer be relied on as a meaningful line of defense, as they are routinely bypassed through social engineering, and we are seeing an increase in attacks targeting third-party apps. The real damage lies in what hackers can access once inside an organization’s system.

More organizations are deploying AI agents to improve productivity and granting them standing access to their core systems, which 73 percent of leaders acknowledge is increasing their security risk. If just one overprivileged account or agent is breached, attackers can move laterally and compromise critical systems.

Organizations can build true resilience by rethinking access altogether. Adopting ephemeral permissions and just-in-time (JIT) access can ensure privileges exist only when needed and drastically reduce the window of opportunity for attackers. By layering on strict role-based access controls, they can limit both movement and overall exposure.

Ultimately, organizations’ mindsets must shift toward a model of zero-standing privilege, where no user, device, or agent is inherently trusted, and every access request is continuously verified.


Rishi Kaushal, CIO at Entrust

Compromised credentials remain the most common attack vector in data breaches, yet according to recent research, 74 percent of U.S. banking customers continue to rely on passwords as their primary login method. As fraudsters increasingly target authentication flows and account takeover attacks surge, verification strategies must evolve. Security cannot be compromised for convenience when money, accounts, and personal data are on the line.

The key is to use authentication methods that consumers already trust, like biometrics, to reduce resistance, support adoption, and help create secure experiences that feel familiar rather than disruptive. In practice, biometric authentication should act as a “trust anchor,” not only verifying identity, but also confirming that the individual attempting to access or transact is the same person who originally opened the account. This continuity of identity is critical for confirming that legitimate account holders, not bad actors, are initiating sensitive actions and is essential as AI-powered fraud techniques become more accessible and harder to detect.


Dan Moore, Sr. Director of CIAM Strategy at FusionAuth

World Password Day exists because passwords remain the weakest link in most security chains, and that’s still true in 2026, even as passkeys gain momentum. The reality is that the vast majority of applications in production today still rely on passwords as either a primary or fallback credential. That means the basics still matter enormously: checking credentials against breach databases, knowing and following NIST guidelines, and making it easy for users to do the right thing. The industry’s job right now isn’t to declare passwords dead but to manage the transition responsibly while the ecosystem catches up.

I genuinely wonder how many more World Password Days we’ll observe. Passkeys are now supported across every major platform, and social login, SMS, and email OTPs are mainstream fallbacks. The developer tooling to implement passwordless has never been more accessible. We’re not there yet: passwords will be with us for years, embedded in legacy systems and user habits, but the trajectory is clear. The question for businesses isn’t whether to move beyond passwords; it’s how to build their identity infrastructure today in a way that makes that transition smooth when the time comes, or painful.


Gareth Maclachlan, Chief Operating Officer at Gigamon

The Colonial Pipeline attack remains one of the most defining cybersecurity incidents in recent history due to its real-world impact. A single compromised password allowed attackers to gain access, ultimately forcing the shutdown of the largest fuel pipeline in the United States and disrupting supply across the East Coast. It demonstrated how quickly a seemingly simple access issue can escalate into a national-level business and infrastructure crisis.

Five years later, organizations are facing the same fundamental challenge, only at a much greater scale and speed. In the past 12 months alone, 65 percent of organizations experienced a data breach, and 83 percent reported AI involvement in those incidents. Yet despite increased investment in security tools, only 30 percent of organizations that experienced a breach say they had the visibility needed to respond effectively.

With the Colonial Pipeline anniversary and World Password Day coinciding, it’s a reminder that AI makes targeted credential harvesting cost-effective, and so the priority is identifying spurious internal traffic to identify when attackers move laterally, interact with data, and evade detection. Or when they use your new AI platform to do the hard work for them. Without that visibility, organizations still discover incidents only after the damage is done.


Darren Wolner, Vice President of Product Management – Managed and Professional Services at GTT

On World Password Day, it’s worth acknowledging that today’s weakest link in enterprise security is rarely the technology, but rather the gap between how fast threats evolve and how quickly organizations can respond. AI is now on both sides of that equation: attackers are using it to compromise credentials at scale, while forward-thinking enterprises are deploying it to predict and neutralize threats in real-time. For defenders, humans must remain in the loop for judgment calls – there’s no reason they should be subjected to tsunamis of security alerts.


Stephanie Schneider, Cyber Threat Intelligence analyst at LastPass

As the notion of digital identity has expanded beyond a single secret or password, the concept of World Password Day increasingly feels antiquated. Perhaps it’s time to reframe it as World Identity Protection Day. Passwords were never the real problem. They were a rudimentary coping mechanism for securing our online world. Today’s attackers know this better than anyone, and they no longer exclusively rely on cracking or guessing passwords. Instead, they can sidestep them entirely by stealing session cookies, OAuth tokens, and authentication artifacts, or by compromising endpoints and trusted access paths. When an attacker logs in using a valid session token from an infected device, the password hasn’t failed—it’s simply been made irrelevant. The real issue is that identity has become the new control level for everything, including cloud access, data, infrastructure, SaaS, and supply chains. And as identities have multiplied and become more distributed, so too has the attack surface.

Focusing security education narrowly on password strength risks reinforcing a false sense of safety that ignores the current reality of the broader identity ecosystem. If World Password Day is meant to raise awareness, then the message needs to evolve. The conversation should be less about memorizing better secrets and more about protecting identities as living, high-value targets that span across users, devices, tokens, services, and sessions. Until we shift that mindset, we’ll keep celebrating a control that attackers have already learned how to bypass.


Kevin Charest, Vice President of Cyber Governance Services at Netrio

World Password Day has been around for more than a decade, but in the last year, the conversation has shifted from stronger passwords to MFA, phishing resistance, and passkeys. While it should probably be renamed “World Passkey Day,” the reality is that most people still use passwords for everything. Companies are also not using passkeys at scale, which means security tools are left to make up for the shortcomings of how people actually use passwords.

To this day, the single biggest issue remains password reuse. With so much breach and security incident data available, attackers often do not need to crack a password; they can take a known password and try it across multiple services and systems. Complexity rules do not fully solve the problem either. Users often just add a few required characters or move from “password123” to “password124.” Relying on user IDs and passwords as the primary form of security can be the downfall of many companies.

Until organizations can truly move away from passwords, MFA and detection tools must do more of the work. For SMBs and mid-market enterprises in particular, the challenge regarding passwords is especially tough. If they cannot afford to implement the highest level of security across the entire organization – which is often true due to limited budgets – they should at least identify critical roles and apply stronger controls in those areas. At a minimum, financial teams, employees sending or receiving money, and those handling sensitive data, intellectual property, or the company’s “crown jewels” need a higher level of security.

However, in the end, the biggest hurdle is not always technology. Culture eats technology for breakfast. Asking users to carry a physical hardware device or adopt a new authentication process can create resistance. At its core, change management is difficult, but necessary. Passwords are still the game for most users, and until that changes, companies need to treat password behavior as a foundational security gap that must be actively managed.


Anthony Cusimano, Solutions Director at Object First

The death of the password is closer than we think. Passwords are no longer a secure method of authentication, and the most effective way to protect your accounts and security is to boil the ocean by using a password manager in conjunction with MFA and setting up recovery accounts, each following the previous instructions. Sound like overkill? That’s because it’s the only real way to ensure you can get your accounts back when they are compromised, and they will be compromised. Passwords just aren’t up to snuff when it comes to real data security.

To truly protect your data against emerging threats such as ransomware, credential theft, and human error, critical data must be stored in an absolute, immutable backup. 89 percent of IT professionals say AI-powered cyber-attacks have made them more concerned about the safety of their organization’s data, and the top-ranked defense they’ve identified is increasing backup data security (73 percent). These backups ensure that the data cannot be stolen or manipulated by anyone, including admins who have access to it. Passwords are important, but it is even more critical to have a recovery plan for when passwords fail, because we know they will.


Ashish Jain, CTO at OneSpan

World Passkey Day is a reminder that there’s a more secure alternative to passwords, which have long been a point of vulnerability. AI is amplifying phishing schemes at scale to target traditional access credentials. Passkeys represent a step towards a more resilient digital infrastructure that emphasizes both security and usability by replacing reusable credentials with cryptographic keys, whether bound to a single device or synced across a user’s trusted platforms. They’re especially valuable for securing high-risk interactions, such as financial transactions, where strong, phishing-resistant authentication is critical.

FIDO passkeys are the industry standard, backed by the world’s leading technology platforms—Google, Microsoft, and Apple—whose native support has accelerated adoption at scale. Going beyond traditional authentication, passkeys verify user identities and strengthen security across desktops and mobile devices, creating a more secure digital environment. As both cyber threats and passkey adoption grow, I’m confident they will become the underpinning of digital trust and online transactions. The standard exists. The ecosystem is maturing. The window to get ahead of user expectations and regulatory pressure is narrowing fast. The question is no longer whether to adopt passkeys, but how fast you can get them into production.


Tim Chase, Field CISO & Principal Technical Evangelist at Orca Security

Passwords used to be the backbone of security, but they are starting to show their age. They were not built for a world where identities include not just people, but also apps, services, and now AI agents acting on their own. That shift makes identity the real control point. It is no longer enough to protect a login. You need to know who or what is accessing your environment, what they are allowed to do, and whether that behavior actually makes sense. Passwords can still play a role, but only as part of a bigger picture. Strong authentication, least privilege access, and continuous monitoring are what actually keep things in check. As AI becomes more embedded in day-to-day operations, the focus must shift from simply securing credentials to managing and understanding every identity in the system.


John Cannava, Chief Information Officer at Ping Identity

As AI continues to evolve and cyber-attacks become increasingly sophisticated, much of our digital security still hinges on a single weak point: the password. It’s telling that 39 percent of people say AI-powered phishing is the threat they fear most, yet less than a quarter feel highly confident in spotting what’s real versus a scam. This gap highlights a growing vulnerability and a critical opportunity to rethink how we secure identities.

Authentication must evolve to keep pace with today’s threat landscape. Passwordless solutions are rapidly replacing traditional passwords with stronger, more user-centric methods like biometrics, authenticator apps, and digital certificates. These approaches significantly reduce the risk of phishing and credential theft while improving the user experience.

World Password Day shouldn’t just be about updating passwords. It should spark a broader shift. To stay ahead of modern threats, organizations and individuals need to move beyond passwords and adopt more resilient authentication strategies that put control back in users’ hands.


David Lee, Field CTO at Saviynt

World Password Day is a good reminder that passwords alone are no longer enough to protect modern organizations. As AI makes it easier for attackers to scale credential-based attacks, the real challenge is ensuring the right users have the right access at the right time. That means organizations need better visibility into who has access to what, and stronger controls to manage and adjust that access as risks change. Ultimately, reducing reliance on passwords starts with taking a more proactive approach to managing identity and access across the business.


Ravi Soin, CIO/CISO at Smartsheet

Every year, World Password Day arrives with the same advice. This year, the conversation needs to shift to the identity challenges that come with AI reshaping how work gets done.

Passwordless authentication, like multi-factor authentication, biometrics, and passkeys, is rapidly becoming the norm, and for good reason: they’re stronger, faster, and harder to compromise. This progress is real and worth celebrating. But even as authentication improves, with Zero Trust the deeper challenge remains: whether the humans in your environment—and the systems acting on their behalf—are behaving in ways you can actually verify.

Every day, employees access dozens of apps to do their jobs. Behind them, a growing number of non-human ‘workers’ like automations and AI agents are operating across your environment, often carrying elevated privileges with far less scrutiny than a human login would receive. Even as AI takes on more of the workload, accountability still sits with people.

The organizations that get this right will ensure every identity in their environment—human or not—is governed, traceable, and held to the same standard. That’s what modern identity security actually demands.


Craig Savage, Vice President, Cyber Security at Spinnaker Support

The strategic message for World Password Day is simple: in ERP, strong identity control matters more than strong passwords. The winners will be the teams that combine MFA or passwordless for people, strict governance for non-human accounts, rapid rotation for privileged credentials, and a cleanup plan for legacy access before ECC deadlines force harder decisions.

A major blind spot is that many ERP authentication paths still bypass modern controls. Even where MFA is enabled for front-door user access, older auth flows, service interfaces, scripted processes, and non-human identities may not inherit the same protections. Oracle’s documentation, for example, notes that some authorization flows do not support MFA. That is exactly the kind of gap attackers look for.


Jack Cherkas, Global Chief Information Security Officer at Syntax

World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialized credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale.

Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius. When the next breach occurs, “we didn’t know who or what had access” will not be an acceptable defense.

The fix is not novel. For organizations: phishing-resistant multi-factor authentication (MFA) and passkeys, Single Sign-On wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending; the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire. The organizations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.


Munu Gandhi, President of Xerox IT Solutions and Chief Technology Officer at Xerox

World Password Day reinforces a simple reality: identity is the control point in modern cybersecurity. At Xerox IT Solutions, we apply a Zero Trust model, in which every access request is continuously validated through adaptive authentication. The focus is not on more controls – it’s smarter, contextual access that reduces risk while enabling speed.

Organizations that build integrated identity frameworks will be better positioned to protect operations, earn client trust, and move with confidence in an increasingly distributed, AI-driven world.


Thi Nguyen-Huu, CEO of WinMagic

Organizations should start by recognizing that replacing the password is necessary but not sufficient. Passkeys are real progress, but a passkey ceremony produces an authentication assertion — not a session key. Whatever follows the login — usually a cookie or a bearer token — has no cryptographic continuity with the authentication that created it. Any organization adopting passkeys today should simultaneously ask: What is protecting the session after the tap?

The deeper step is to rethink what identity means. Most authentication today commits what I call the Three Wrongs: it verifies the wrong identity—a gesture, instead of the real composite of user, device, and conditions. It uses the wrong timing—once at login rather than continuously. And it applies the wrong method—procedural human action at the application layer, when machine-to-machine cryptography at the transport layer could do the job without the user doing anything. IT leaders should be evaluating architectures in which the transaction itself provides identity assurance within the secure channel, so there is no single login moment left to target.

The hardware to do this is already deployed. Every modern laptop and phone ships with trusted hardware—TPM or Secure Enclave—and mutual TLS has been a standard for twenty-five years. What has been missing is the client-side half: a properly protected, user-bound, policy-bound key inside the endpoint—continuous rather than momentary, available without a gesture. The industry’s own next fixes—Device Bound Session Credentials, DPoP, channel binding—are converging on exactly this direction. But these are patches on a separation that should never have existed. If identity lives in the transport layer from the start, through mTLS with the capable endpoint of today, the problems they are patching simply dissolve.


Dave Lewis, Global Advisory CISO at 1Password

The conversation has shifted from “how do we protect passwords” to “how do we manage identity across everything.” That includes humans, but increasingly, AI agents and automated tools are using credentials as well. Most organizations have no visibility into that. We’re at an inflection point where the old perimeter-based security model no longer holds. The answer is to give every identity, human or machine, the right access at the right time, with full accountability. Password managers were step one. The next step is to treat identity security as infrastructure, not as a setting you configure once and forget.

On passkeys

The biggest thing people still don’t fully grasp about passkeys: they are phishing-resistant by design. A passkey is a cryptographic key pair; one side stays on your device, the other lives with the website, and they only work together on the exact site they were created for. That means a convincing fake login page gets you absolutely nothing. Data from major deployments is compelling: passkeys achieve a 93 percent sign-in success rate (more than double that of traditional methods) and can reduce login-related help desk incidents by up to 81 percent. New interoperability standards, such as the Credential Exchange Protocol, are emerging to enable users to securely transfer passkeys between credential managers, reducing concerns about vendor lock-in. For individuals who want to get started: check if your bank, email provider, or streaming service supports passkeys and enable them today.

