{"id":16237,"date":"2026-05-18T02:26:07","date_gmt":"2026-05-18T02:26:07","guid":{"rendered":"https:\/\/newestek.com\/?p=16237"},"modified":"2026-05-18T02:26:07","modified_gmt":"2026-05-18T02:26:07","slug":"world-password-day-quotes-from-industry-experts-in-2026","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16237","title":{"rendered":"World Password Day Quotes from Industry Experts in 2026"},"content":{"rendered":"<div>\n<p style=\"text-align: justify;\"><strong><em>For World Password Day 2026, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts.<\/em><\/strong><\/p>\n<p style=\"text-align: justify;\">As part of this year\u2019s <strong><a class=\"external\" href=\"https:\/\/nationaltoday.com\/world-password-day\/\" target=\"_blank\" rel=\"noopener nofollow\">World Password Day<\/a><\/strong>, we called for the industry\u2019s best and brightest in <strong><a href=\"https:\/\/solutionsreview.com\/identity-management\/best-identity-and-access-management-providers\/\" target=\"_blank\" rel=\"noopener\">Identity and Access Management<\/a> <\/strong>and the broader cybersecurity market to share best practices, predictions for the future of passwords, and personal anecdotes. The experts featured represent some of the top influencers, consultants, and solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value. 
The list is organized alphabetically by company name.<\/p>\n<h2 style=\"text-align: center;\"><strong>World Password Day Quotes from Industry Experts in 2026<\/strong><\/h2>\n<hr>\n<p><strong><a href=\"https:\/\/www.linkedin.com\/in\/doug-kersten-7437312\/\" target=\"_blank\" rel=\"noopener\">Doug Kersten, Chief Information Security Officer (CISO) at Appfire, and Member of the Advisory Board at SurePeople<\/a><\/strong><\/p>\n<p>World Password Day reminds us that passwords are still among the most common ways attackers gain access to systems, and also among the most common ways to protect information. Password risk doesn\u2019t usually come from a single weak password; it comes from how those credentials are used across an organization. Employees reuse the same passwords across systems, share access to move work forward, or connect them to new tools that aren\u2019t centrally tracked. Over time, no one has a complete view of where access exists or who owns it.<\/p>\n<p>That lack of visibility is exactly what attackers exploit. AI is making phishing emails, messages, and even voice calls more convincing, increasing the chance that someone could unknowingly hand over a password that can be used across multiple systems. Password risk lies within everything that the password connects to. The priority now is to reduce how often passwords are used, limit where they can be used, and ensure every system and account has clear ownership. This includes using multi-factor authentication, which requires a password and something you know, have, or are to increase the difficulty of compromising your accounts. 
When organizations have consistent visibility and control over access\u2014alongside clear governance for how tools and credentials are used\u2014a compromised password is far less likely to escalate into a broader security issue.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/pierre-mouallem\/\" target=\"_blank\" rel=\"noopener\"><strong>Pierre Mouallem, CISO at Delinea<\/strong><\/a><\/p>\n<div class=\"detail-layout-content-wrapper\">\n<div class=\"detail-layout-description mighty-wysiwyg-content mighty-max-content-width fr-view\">\n<p dir=\"auto\">World Password Day feels increasingly outdated. Passwords can no longer be relied on as a meaningful line of defense, as they are routinely bypassed through social engineering, and we are seeing an increase in attacks targeting <a href=\"https:\/\/vercel.com\/kb\/bulletin\/vercel-april-2026-security-incident\" target=\"_blank\" rel=\"noreferrer noopener\">third-party apps<\/a>. The real damage lies in what hackers can access once inside an organization\u2019s system.<\/p>\n<p dir=\"auto\">More organizations are deploying AI agents to improve productivity and granting them standing access to their core systems, which\u00a0<a href=\"https:\/\/delinea.com\/resources\/2025-ai-in-identity-security\" target=\"_blank\" rel=\"noreferrer noopener\">73 percent<\/a> of leaders acknowledge is increasing their security risk. If just one overprivileged account or agent is breached, attackers can move laterally and compromise critical systems.<\/p>\n<p dir=\"auto\">Organizations can build true resilience by rethinking access altogether. Adopting ephemeral permissions and just-in-time (JIT) access can ensure privileges exist only when needed and drastically reduce the window of opportunity for attackers. 
By layering on strict role-based access controls, they can limit both movement and overall exposure.<\/p>\n<p dir=\"auto\">Ultimately, organizations\u2019 mindsets must shift toward a model of zero-standing privilege, where no user, device, or agent is inherently trusted, and every access request is continuously verified.<\/p>\n<hr>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kaushalrishi\/\" target=\"_blank\" rel=\"noopener\"><strong>Rishi Kaushal, CIO at Entrust<\/strong><\/a><\/p>\n<div class=\"detail-layout-content-wrapper\">\n<div class=\"detail-layout-description mighty-wysiwyg-content mighty-max-content-width fr-view\">\n<p dir=\"ltr\">Compromised credentials remain the most common attack vector in data breaches, yet according to\u00a0<a href=\"https:\/\/www.entrust.com\/resources\/reports\/biometric-authentication\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">recent research<\/a>, 74 percent of U.S. banking customers continue to rely on passwords as their primary login method. As fraudsters increasingly target authentication flows and account takeover attacks surge, verification strategies must evolve. Security cannot be compromised for convenience when money, accounts, and personal data are on the line.<\/p>\n<p dir=\"ltr\">The key is to use authentication methods that consumers already trust, like biometrics, to reduce resistance, support adoption, and help create secure experiences that feel familiar rather than disruptive. In practice, biometric authentication should act as a \u201ctrust anchor,\u201d not only verifying identity, but also confirming that the individual attempting to access or transact is the same person who originally opened the account. 
This continuity of identity is critical for confirming that legitimate account holders, not bad actors, are initiating sensitive actions and is essential as AI-powered fraud techniques become more accessible and harder to detect.<\/p>\n<hr>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/mooreds\/\" target=\"_blank\" rel=\"noopener\"><strong>Dan Moore, Sr. Director of CIAM Strategy at FusionAuth<\/strong><\/a><\/p>\n<p>World Password Day exists because passwords remain the weakest link in most security chains, and that\u2019s still true in 2026, even as passkeys gain momentum. The reality is that the vast majority of applications in production today still rely on passwords as either a primary or fallback credential. That means the basics still matter enormously: checking credentials against breach databases, knowing and following NIST guidelines, and making it easy for users to do the right thing. The industry\u2019s job right now isn\u2019t to declare passwords dead but to manage the transition responsibly while the ecosystem catches up.<\/p>\n<p>I genuinely wonder how many more World Password Days we\u2019ll observe. Passkeys are now supported across every major platform, and social login, SMS, and email OTPs are mainstream fallbacks. The developer tooling to implement passwordless has never been more accessible. We\u2019re not there yet: passwords will be with us for years, embedded in legacy systems and user habits, but the trajectory is clear. 
The question for businesses isn\u2019t whether to move beyond passwords; it\u2019s how to build their identity infrastructure today in a way that makes that transition smooth when the time comes, or painful.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/gmaclachlan\/\" target=\"_blank\" rel=\"noopener\"><strong>Gareth Maclachlan<\/strong><strong>, Chief Operating Officer at\u00a0<\/strong><strong>Gigamon<\/strong><\/a><\/p>\n<p>The Colonial Pipeline attack remains one of the most defining cybersecurity incidents in recent history due to its real-world impact. A single compromised password allowed attackers to gain access, ultimately forcing the shutdown of the largest fuel pipeline in the United States and disrupting supply across the East Coast. It demonstrated how quickly a seemingly simple access issue can escalate into a national-level business and infrastructure crisis.<\/p>\n<p>Five years later, organizations are facing the same fundamental challenge, only at a much greater scale and speed. In the past 12 months alone, <a href=\"https:\/\/www.gigamon.com\/campaigns\/hybrid-cloud-security-survey.html\" target=\"_blank\" rel=\"noopener\">65 percent of organizations experienced a data breach, and 83 percent reported AI involvement in those incidents<\/a>. Yet despite increased investment in security tools, only 30 percent of organizations that experienced a breach say they had the visibility needed to respond effectively.<\/p>\n<p>With the Colonial Pipeline anniversary and World Password Day coinciding, it\u2019s a reminder that AI makes targeted credential harvesting cost-effective, and so the priority is identifying spurious internal traffic to identify when attackers move laterally, interact with data, and evade detection. Or when they use your new AI platform to do the hard work for them. 
Without that visibility, organizations still discover incidents only after the damage is done.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/darrenwolner\/\" target=\"_blank\" rel=\"noopener\"><strong>Darren Wolner, Vice President of Product Management \u2013 Managed and Professional Services at GTT<\/strong><\/a><\/p>\n<p>On World Password Day, it\u2019s worth acknowledging that today\u2019s weakest link in enterprise security is rarely the technology, but rather the gap between how fast threats evolve and how quickly organizations can respond. AI is now on both sides of that equation: attackers are using it to compromise credentials at scale, while forward-thinking enterprises are deploying it to predict and neutralize threats in real-time. For defenders, humans must remain in the loop for judgment calls \u2013 there\u2019s no reason they should be subjected to tsunamis of security alerts.<\/p>\n<hr>\n<p><strong><a href=\"https:\/\/www.linkedin.com\/in\/stephanie-keinz-schneider-764aa652\/\" target=\"_blank\" rel=\"noopener\">Stephanie Schneider, Cyber Threat Intelligence analyst at LastPass<\/a><\/strong><\/p>\n<p>As the notion of digital identity has expanded beyond a single secret or password, the concept of World Password Day increasingly feels antiquated. Perhaps it\u2019s time to reframe it as World Identity Protection Day. Passwords were never the real problem. They were a rudimentary coping mechanism for securing our online world. Today\u2019s attackers know this better than anyone, and they no longer exclusively rely on cracking or guessing passwords. Instead, they can sidestep them entirely by stealing session cookies, OAuth tokens, and authentication artifacts, or by compromising endpoints and trusted access paths. When an attacker logs in using a valid session token from an infected device, the password hasn\u2019t failed\u2014it\u2019s simply been made irrelevant. 
The real issue is that identity has become the new control level for everything, including cloud access, data, infrastructure, SaaS, and supply chains. And as identities have multiplied and become more distributed, so too has the attack surface.<\/p>\n<p>Focusing security education narrowly on password strength risks reinforcing a false sense of safety that ignores the current reality of the broader identity ecosystem. If World Password Day is meant to raise awareness, then the message needs to evolve. The conversation should be less about memorizing better secrets and more about protecting identities as living, high-value targets that span across users, devices, tokens, services, and sessions. Until we shift that mindset, we\u2019ll keep celebrating a control that attackers have already learned how to bypass.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kevincharest\/\" target=\"_blank\" rel=\"noopener\"><strong>Kevin Charest<\/strong>,<strong>\u00a0Vice President of Cyber Governance Services at\u00a0<\/strong><strong>Netrio<\/strong><\/a><\/p>\n<p>World Password Day has been around for more than a decade, but in the last year, the conversation has shifted from stronger passwords to MFA, phishing resistance, and passkeys. While it should probably be renamed \u201cWorld Passkey Day,\u201d the reality is that most people still use passwords for everything. Companies are also not using passkeys at scale, which means security tools are left to make up for the shortcomings of how people actually use passwords.<\/p>\n<p>To this day, the single biggest issue remains password reuse. With so much breach and security incident data available, attackers often do not need to crack a password; they can take a known password and try it across multiple services and systems. Complexity rules do not fully solve the problem either. 
Users often just add a few required characters or move from \u201cpassword123\u201d to \u201cpassword124.\u201d Relying on user IDs and passwords as the primary form of security can be the downfall of many companies.<\/p>\n<p>Until organizations can truly move away from passwords, MFA and detection tools must do more of the work. For SMBs and mid-market enterprises in particular, the challenge regarding passwords is especially tough. If they cannot afford to implement the highest level of security across the entire organization \u2013 which is often true due to limited budgets \u2013 they should at least identify critical roles and apply stronger controls in those areas. At a minimum, financial teams, employees sending or receiving money, and those handling sensitive data, intellectual property, or the company\u2019s \u201ccrown jewels\u201d need a higher level of security.<\/p>\n<p>However, in the end, the biggest hurdle is not always technology. Culture eats technology for breakfast. Asking users to carry a physical hardware device or adopt a new authentication process can create resistance. At its core, change management is difficult, but necessary. Passwords are still the game for most users, and until that changes, companies need to treat password behavior as a foundational security gap that must be actively managed.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/anthonycusimano89\/\" target=\"_blank\" rel=\"noopener\"><strong>Anthony Cusimano, Solutions Director at Object First<\/strong><\/a><\/p>\n<div class=\"detail-layout-content-wrapper\">\n<div class=\"detail-layout-description mighty-wysiwyg-content mighty-max-content-width fr-view\">\n<p dir=\"auto\">The death of the password is closer than we think. 
Passwords are no longer a secure method of authentication, and the most effective way to protect your accounts and security is to boil the ocean by using a password manager in conjunction with MFA and setting up recovery accounts, each following the previous instructions. Sound like overkill? That\u2019s because it\u2019s the only real way to ensure you can get your accounts back when they are compromised, and they will be compromised. Passwords just aren\u2019t up to snuff when it comes to real data security.<\/p>\n<p dir=\"auto\">To truly protect your data against emerging threats such as ransomware, credential theft, and human error, critical data must be stored in an absolute, immutable backup. <a href=\"https:\/\/url.us.m.mimecastprotect.com\/s\/q865CVOWkkFgYE6PSrHBUETIzy?domain=objectfirst.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">89 percent<\/a> of IT professionals say AI-powered cyber-attacks have made them more concerned about the safety of their organization\u2019s data, and the top-ranked defense they\u2019ve identified is increasing backup data security (73 percent). These backups ensure that the data cannot be stolen or manipulated by anyone, including admins who have access to it. Passwords are important, but it is even more critical to have a recovery plan for when passwords fail, because we know they will.<\/p>\n<hr>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ashishjain\/\" target=\"_blank\" rel=\"noopener\"><strong>Ashish Jain, CTO at OneSpan<\/strong><\/a><\/p>\n<p>World Passkey Day is a reminder that there\u2019s a more secure alternative to passwords, which have long been a point of vulnerability. AI is amplifying phishing schemes at scale to target traditional access credentials. 
Passkeys represent a step towards a more resilient digital infrastructure that emphasizes both security and usability by replacing reusable credentials with cryptographic keys, whether bound to a single device or synced across a user\u2019s trusted platforms. They\u2019re especially valuable for securing high-risk interactions, such as financial transactions, where strong, phishing-resistant authentication is critical.<\/p>\n<p>FIDO passkeys are the industry standard, backed by the world\u2019s leading technology platforms\u2014Google, Microsoft, and Apple\u2014whose native support has accelerated adoption at scale. Going beyond traditional authentication, passkeys verify user identities and strengthen security across desktops and mobile devices, creating a more secure digital environment. As both cyber threats and passkey adoption grow, I\u2019m confident they will become the underpinning of digital trust and online transactions. The standard exists. The ecosystem is maturing. The window to get ahead of user expectations and regulatory pressure is narrowing fast. The question is no longer whether to adopt passkeys, but how fast you can get them into production.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/timchase2\/\" target=\"_blank\" rel=\"noopener\"><strong>Tim Chase, Field CISO &amp; Principal Technical Evangelist at Orca Security<\/strong><\/a><\/p>\n<p>Passwords used to be the backbone of security, but they are starting to show their age. They were not built for a world where identities include not just people, but also apps, services, and now AI agents acting on their own. That shift makes identity the real control point. It is no longer enough to protect a login. You need to know who or what is accessing your environment, what they are allowed to do, and whether that behavior actually makes sense. Passwords can still play a role, but only as part of a bigger picture. 
Strong authentication, least privilege access, and continuous monitoring are what actually keep things in check. As AI becomes more embedded in day-to-day operations, the focus must shift from simply securing credentials to managing and understanding every identity in the system.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/johncannava\/\" target=\"_blank\" rel=\"noopener\"><strong>John Cannava, Chief Information Officer at Ping Identity<\/strong><\/a><\/p>\n<div class=\"detail-layout-content-wrapper\">\n<div class=\"detail-layout-description mighty-wysiwyg-content mighty-max-content-width fr-view\">\n<p dir=\"auto\">As AI continues to evolve and cyber-attacks become increasingly sophisticated, much of our digital security still hinges on a single weak point: the password. It\u2019s telling that <a href=\"https:\/\/www.pingidentity.com\/en\/lp\/2025-consumer-survey.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">39 percent<\/a>\u00a0of people say AI-powered phishing is the threat they fear most, yet\u00a0<a href=\"https:\/\/www.pingidentity.com\/en\/lp\/2025-consumer-survey.html\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">less than a quarter<\/a>\u00a0feel highly confident in spotting what\u2019s real versus a scam. This gap highlights a growing vulnerability and a critical opportunity to rethink how we secure identities.<\/p>\n<p dir=\"ltr\">Authentication must evolve to keep pace with today\u2019s threat landscape. Passwordless solutions are rapidly replacing traditional passwords with stronger, more user-centric methods like biometrics, authenticator apps, and digital certificates. These approaches significantly reduce the risk of phishing and credential theft while improving the user experience.<\/p>\n<p dir=\"ltr\">World Password Day shouldn\u2019t just be about updating passwords. It should spark a broader shift. 
To stay ahead of modern threats, organizations and individuals need to move beyond passwords and adopt more resilient authentication strategies that put control back in users\u2019 hands.<\/p>\n<hr>\n<\/div>\n<\/div>\n<p><strong><a href=\"https:\/\/www.linkedin.com\/in\/identityjedi\/\" target=\"_blank\" rel=\"noopener\">David Lee, Field CTO at Saviynt<\/a><\/strong><\/p>\n<p>World Password Day is a good reminder that passwords alone are no longer enough to protect modern organizations. As AI makes it easier for attackers to scale credential-based attacks, the real challenge is ensuring the right users have the right access at the right time. That means organizations need better visibility into who has access to what, and stronger controls to manage and adjust that access as risks change. Ultimately, reducing reliance on passwords starts with taking a more proactive approach to managing identity and access across the business.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/ravisoin\/\" target=\"_blank\" rel=\"noopener\"><strong>Ravi Soin, CIO\/CISO at Smartsheet<\/strong><\/a><\/p>\n<div class=\"detail-layout-content-wrapper\">\n<div class=\"detail-layout-description mighty-wysiwyg-content mighty-max-content-width fr-view\">\n<p dir=\"auto\">Every year, World Password Day arrives with the same advice. This year, the conversation needs to shift to the identity challenges that come with AI reshaping how work gets done.<\/p>\n<p dir=\"ltr\">Passwordless authentication, like multi-factor authentication, biometrics, and passkeys, is rapidly becoming the norm, and for good reason: they\u2019re stronger, faster, and harder to compromise. This progress is real and worth celebrating. 
But even as authentication improves, with Zero Trust the deeper challenge remains: whether the humans in your environment\u2014and the systems acting on their behalf\u2014are behaving in ways you can actually verify.<\/p>\n<p dir=\"ltr\">Every day, employees access dozens of apps to do their jobs. Behind them, a growing number of non-human \u2018workers\u2019 like automations and AI agents are operating across your environment, often carrying elevated privileges with far less scrutiny than a human login would receive. Even as AI takes on more of the workload, accountability still sits with people.<\/p>\n<p dir=\"ltr\">The organizations that get this right will ensure every identity in their environment\u2014human or not\u2014is governed, traceable, and held to the same standard. That\u2019s what modern identity security actually demands.<\/p>\n<hr>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/craigesavage\/\" target=\"_blank\" rel=\"noopener\"><strong>Craig Savage, Vice President, Cyber Security at Spinnaker Support<\/strong><\/a><\/p>\n<p>The strategic message for World Password Day is simple: in ERP, strong identity control matters more than strong passwords. The winners will be the teams that combine MFA or passwordless for people, strict governance for non-human accounts, rapid rotation for privileged credentials, and a cleanup plan for legacy access before ECC deadlines force harder decisions.<\/p>\n<p>A major blind spot is that many ERP authentication paths still bypass modern controls. Even where MFA is enabled for front-door user access, older auth flows, service interfaces, scripted processes, and non-human identities may not inherit the same protections. Oracle\u2019s documentation, for example, notes that some authorization flows do not support MFA. 
That is exactly the kind of gap attackers look for.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/jackcherkas\/\" target=\"_blank\" rel=\"noopener\"><strong>Jack Cherkas, Global Chief Information Security Officer at Syntax<\/strong><\/a><\/p>\n<p>World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialized credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale.<\/p>\n<p>Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius. When the next breach occurs, \u201cwe didn\u2019t know who or what had access\u201d will not be an acceptable defense.<\/p>\n<p>The fix is not novel. For organizations: phishing-resistant multi-factor authentication (MFA) and passkeys, Single Sign-On wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending; the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire. 
The organizations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/munugandhi\/\" target=\"_blank\" rel=\"noopener\"><strong>Munu Gandhi, President of Xerox IT Solutions and Chief Technology Officer at Xerox<\/strong><\/a><\/p>\n<p>World Password Day reinforces a simple reality: identity is the control point in modern cybersecurity. At Xerox IT Solutions, we apply a Zero Trust model, in which every access request is continuously validated through adaptive authentication. The focus is not on more controls \u2013 it\u2019s smarter, contextual access that reduces risk while enabling speed.<\/p>\n<p>Organizations that build integrated identity frameworks will be better positioned to protect operations, earn client trust, and move with confidence in an increasingly distributed, AI-driven world.<\/p>\n<hr>\n<p><strong><a href=\"https:\/\/www.linkedin.com\/in\/thi-nguyen-huu-591bb9\/\" target=\"_blank\" rel=\"noopener\">Thi Nguyen-Huu, CEO of WinMagic<\/a><\/strong><\/p>\n<p>Organizations should start by recognizing that replacing the password is necessary but not sufficient. Passkeys are real progress, but a passkey ceremony produces an authentication assertion \u2014 not a session key. Whatever follows the login \u2014 usually a cookie or a bearer token \u2014 has no cryptographic continuity with the authentication that created it. Any organization adopting passkeys today should simultaneously ask: What is protecting the session after the tap?<\/p>\n<p>The deeper step is to rethink what identity means. Most authentication today commits what I call the Three Wrongs: it verifies the wrong identity\u2014a gesture, instead of the real composite of user, device, and conditions. It uses the wrong timing\u2014once at login rather than continuously. 
And it applies the wrong method\u2014procedural human action at the application layer, when machine-to-machine cryptography at the transport layer could do the job without the user doing anything. IT leaders should be evaluating architectures in which the transaction itself provides identity assurance within the secure channel, so there is no single login moment left to target.<\/p>\n<p>The hardware to do this is already deployed. Every modern laptop and phone ships with trusted hardware\u2014TPM or Secure Enclave\u2014and mutual TLS has been a standard for twenty-five years. What has been missing is the client-side half: a properly protected, user-bound, policy-bound key inside the endpoint\u2014continuous rather than momentary, available without a gesture. The industry\u2019s own next fixes\u2014Device Bound Session Credentials, DPoP, channel binding\u2014are converging on exactly this direction. But these are patches on a separation that should never have existed. If identity lives in the transport layer from the start, through mTLS with the capable endpoint of today, the problems they are patching simply dissolve.<\/p>\n<hr>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/gattaca\/\" target=\"_blank\" rel=\"noopener\"><strong>Dave Lewis, Global Advisory CISO at\u00a01Password<\/strong><\/a><\/p>\n<p>The conversation has shifted from \u201chow do we protect passwords\u201d to \u201chow do we manage identity across everything.\u201d That includes humans, but increasingly, AI agents and automated tools are using credentials as well. Most organizations have no visibility into that. We\u2019re at an inflection point where the old perimeter-based security model no longer holds. The answer is to give every identity, human or machine, the right access at the right time, with full accountability. Password managers were step one. 
The next step is to treat identity security as infrastructure, not as a setting you configure once and forget.<\/p>\n<p><em><strong>On passkeys<\/strong><\/em><\/p>\n<p>The biggest thing people still don\u2019t fully grasp about passkeys: they are phishing-resistant by design. A passkey is a cryptographic key pair; one side stays on your device, the other lives with the website, and they only work together on the exact site they were created for. That means a convincing fake login page gets you absolutely nothing. <a href=\"https:\/\/fidoalliance.org\/fido-alliance-launches-passkey-index-revealing-significant-passkey-uptake-and-business-benefits\/\" target=\"_blank\" rel=\"noopener\">Data from major deployments<\/a> is compelling: passkeys achieve a 93 percent sign-in success rate (more than double that of traditional methods) and can reduce login-related help desk incidents by up to 81 percent. New interoperability standards, such as the Credential Exchange Protocol, are emerging to enable users to securely transfer passkeys between credential managers, reducing concerns about vendor lock-in. 
For individuals who want to get started: check if your bank, email provider, or streaming service supports passkeys and enable them today.<\/p>\n<hr>\n<p>The post <a href=\"https:\/\/solutionsreview.com\/identity-management\/world-password-day-quotes-from-industry-experts-in-2026\/\">World Password Day Quotes from Industry Experts in 2026<\/a> appeared first on <a href=\"https:\/\/solutionsreview.com\/identity-management\">Best Identity Access Management (IAM) Software, Tools, Vendors, Solutions, &amp; Services<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>For World Password Day 2026, the editors at Solutions Review have compiled a list of comments from some of the leading industry experts. As part of this year\u2019s World Password Day, we called for the industry\u2019s best and brightest in Identity and Access Management and the broader cybersecurity market to share best practices, predictions for the future of passwords, and personal anecdotes. 
The experts featured&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16237\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16237","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16237"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16237\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}