World Password Day faces calls to move beyond passwords

Cybersecurity leaders are urging organisations to rethink their reliance on passwords as World Password Day returns. They argue that traditional credentials no longer match the scale and nature of modern digital risks.

Vendors and security executives point to the rapid spread of artificial intelligence, the growth of non-human identities, and the persistence of basic credential theft as signs that the annual awareness day no longer reflects today's threats. Their comments highlight a broader shift toward continuous authentication, tighter access controls, and stronger governance for both people and machines.

Pierre Mouallem, Chief Information Security Officer at privileged access specialist Delinea, said conventional passwords are now a weak line of defence as attackers focus on exploiting the access behind them.

"World Password Day feels increasingly outdated. Passwords can no longer be relied on as a meaningful line of defense as they are routinely bypassed through social engineering, and we are seeing increased attacks through third-party apps. The real damage lies in what hackers can access once inside an organization's system."

"More organizations are deploying AI agents to improve productivity and granting them standing access to their core systems, which 73% of leaders acknowledge is increasing their security risk. If just one overprivileged account or agent is breached, attackers can move laterally and comprise critical systems."

"Organisations can build true resilience by rethinking access altogether. Adopting ephemeral permissions and just-in-time (JIT) access can ensure privileges exist only when needed and drastically reduce the window of opportunity for attackers. By layering on strict role-based access controls, they can limit both movement and overall exposure."

"Ultimately, organizations' mindsets must shift toward a model of zero standing privilege where no user, device, or agent is inherently trusted, and every access request is continuously verified."

Mouallem's comments reflect a wider industry push away from static entitlements. Security teams increasingly favour access models that grant short-lived permissions and continuously verify users, devices, and software agents.

The expansion of AI-driven systems is also reshaping how experts view identity. Executives warn that agent-based automation is creating large numbers of new machine identities, often with broad, persistent access to critical data and workflows.

Mark Molyneux, Field Chief Technology Officer for North Europe at data protection and cyber resilience firm Commvault, said organisations must treat AI agents as first-class identities rather than background automation.

"Password Day is about protecting digital identities, and we are witnessing an unprecedented expansion of digital identities. AI agents are no longer supporting actors but autonomous participants in business processes - each requiring authentication, authorisation, and oversight at scale that traditional systems were never designed to handle."

"Agent-based systems do not just expand the attack surface - they fundamentally reshape it. Vulnerabilities such as prompt injection, model poisoning, and data manipulation target not only code, but the decision-making logic itself, creating a new class of risks that traditional security frameworks are ill-equipped to mitigate."

"AI agents must be managed as critical digital identities - requiring continuous monitoring, strict access control, and strong governance from the outset, rather than being treated as simple plug-and-play automation within existing systems. Without proper lifecycle governance, monitoring, and clear access boundaries, AI agents can quickly evolve from productivity tools into scalable security risks that amplify vulnerabilities across the organisation."

"Treating AI agents as fully governed digital identities - with defined privileges, oversight, and lifecycle controls - is essential to turning autonomy into a security asset rather than a rapidly expanding liability."

Other security leaders argue that the industry should move away from passwords altogether, citing a rise in AI-enabled credential theft and the continued success of phishing and social engineering campaigns.

Minh Nguyen, Vice President of Identity Security at Entrust, described passwords as a legacy mechanism that no longer matches the sophistication of current threats.

"Passwords are a relic. Designed for a simpler digital era, they were never built to withstand today's sophisticated threat landscape. Yet compromised passwords remain the leading cause of data breaches, enabling account takeover attacks through phishing, malware, and social engineering. As fraud techniques grow more organised, targeted, and increasingly AI-driven, continuing to rely on passwords is a risk organisations can no longer afford."

"On World Password Day, the focus should be on moving beyond credentials to methods that bring enhanced security and convenience. By using authentication methods consumers already trust, such as biometrics, organisations are strengthening security in a way that feels familiar to users rather than disruptive. Most importantly, biometrics enable continuity of identity, confirming that the person accessing or transacting on an account is the same individual who opened it. That continuity is essential for protecting accounts, money, and personal data as fraud becomes harder to detect and easier to scale."