World Password Day falls on the first Thursday of May every year, and for security professionals it is often a slightly depressing occasion. Despite years of warnings, data breaches and cybersecurity awareness campaigns, many people still rely on weak, predictable and reused passwords.
The message isn’t getting through
The most commonly used passwords have barely changed in more than a decade. Variations of “123456”, “password”, “qwerty” and other easily guessed combinations continue to appear near the top of global lists year after year. While technology has advanced rapidly, password habits often have not.
For cybercriminals, this creates an easy route into personal and business accounts. Attackers know many users still choose convenience over security, and they actively exploit that behaviour through credential stuffing, brute-force attacks and phishing campaigns.

The danger of weak and reused passwords
A weak password is bad enough. A reused password is often worse.
When one website suffers a breach, stolen usernames and passwords are quickly tested across banking, email, cloud storage and workplace platforms. If the same password has been reused, a single breach can unlock multiple accounts.
For organisations, reused passwords can lead to compromised Microsoft 365 accounts, exposed VPN access, business email compromise and unauthorised access to sensitive data. In many incidents, attackers do not need sophisticated malware. They simply log in with valid credentials.
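The pattern described above has a recognisable footprint in authentication logs: one source address tries many different usernames, nearly all attempts fail, and the occasional success is the reused password that worked. The following is an added example, not code from the original article, that flags such sources in a small constructed log. The log format, the IP addresses (documentation ranges) and the usernames are invented for illustration; the `parseLine()` function would need to be adapted to a real identity provider's format.

```javascript
// Added example (not from the article): detecting credential-stuffing
// sources in authentication logs. Log lines below are constructed.
const SAMPLE_LOG = `
2024-05-02T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-05-02T09:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-05-02T09:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-05-02T09:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-05-02T09:00:03Z ip=203.0.113.7 user=erin result=FAIL
2024-05-02T09:00:04Z ip=203.0.113.7 user=frank result=SUCCESS
2024-05-02T09:05:10Z ip=198.51.100.4 user=alice result=FAIL
2024-05-02T09:05:25Z ip=198.51.100.4 user=alice result=FAIL
2024-05-02T09:05:40Z ip=198.51.100.4 user=alice result=SUCCESS
2024-05-02T09:10:00Z ip=198.51.100.9 user=bob result=SUCCESS
`.trim();

// Parses one line of the constructed format; returns null for anything else.
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], ip: m[2], user: m[3], success: m[4] === 'SUCCESS' };
}

// Credential stuffing: one source, many *different* usernames, mostly
// failures, an occasional success. A legitimate user mistyping a password
// is one username and a handful of attempts, so it is not flagged.
// Thresholds are illustrative assumptions; tune them to your own traffic.
function findStuffingSources(log, { minDistinctUsers = 5, maxSuccessRate = 0.25 } = {}) {
  const byIp = new Map();
  for (const line of log.split('\n')) {
    const e = parseLine(line);
    if (!e) continue;
    const s = byIp.get(e.ip) ||
      { ip: e.ip, attempts: 0, successes: 0, users: new Set(), compromised: [] };
    s.attempts++;
    s.users.add(e.user);
    if (e.success) { s.successes++; s.compromised.push(e.user); } // accounts to reset
    byIp.set(e.ip, s);
  }
  return [...byIp.values()]
    .filter(s => s.users.size >= minDistinctUsers && s.successes / s.attempts <= maxSuccessRate)
    .map(s => ({ ip: s.ip, attempts: s.attempts, distinctUsers: s.users.size, compromised: s.compromised }));
}

console.log(findStuffingSources(SAMPLE_LOG));
```

On the constructed log this reports a single source, 203.0.113.7, with six distinct usernames and one successful login (frank), which is the account that needs an immediate reset and session revocation. The user at 198.51.100.4 who failed twice before succeeding is not flagged, because all three attempts were for the same account.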
At Integrity360, we regularly see that identity-based attacks remain one of the fastest and most effective ways for threat actors to gain access. As businesses improve perimeter defences, criminals increasingly target users, credentials and authentication weaknesses instead.
Why passwords remain a problem
Passwords place too much responsibility on users. People are expected to create dozens of unique, complex combinations, remember them, update them and avoid writing them down.
That often leads to familiar behaviour:
- Choosing short or memorable passwords
- Reusing the same password across multiple services
- Making only minor changes when prompted to reset
- Storing passwords insecurely in notes or spreadsheets
Even when organisations enforce password policies, they’re often ignored or circumvented.
The NCSC shift towards passkeys
The UK's National Cyber Security Centre (NCSC) has recently urged people to move away from passwords in favour of passkeys where available, describing it as a major shift in long-standing security practice.
Passkeys are a newer form of authentication that removes the need to remember passwords altogether. Instead of relying on a shared secret, they use public key cryptography: the private key stays securely on the user's device and the matching public key is stored by the service being accessed. At sign-in the service sends a fresh random challenge, the device signs it with the private key, and the service checks the signature against the stored public key. Nothing secret is typed, sent over the network or held in the service's database, so a breach of the service leaks only public keys.
In practice, users unlock the passkey with something already built into their device, such as Face ID, fingerprint recognition or a PIN. That check happens locally and is never sent to the service.
Because there is no password to type, and because each passkey is bound to the website or app it was created for, the device will not offer it to a look-alike domain. That makes phishing, password theft and reuse across services far harder for attackers to exploit.
The NCSC has described passkeys as a more user-friendly option that can also improve overall resilience.

Passkeys are not the whole answer
Passkeys are a strong alternative, but not every platform supports them yet. Users may face recovery challenges if they lose access to their devices, and passkeys synced through a cloud account are only as safe as that account's own login and recovery path. Organisations also need clear processes for enrolment, device management and account recovery.
This means businesses should view passkeys as part of a broader identity security strategy rather than a standalone fix.
Integrity360 insight: Identity is the new frontline
At Integrity360, we advise organisations to treat authentication as a critical security control. Whether using passwords, passkeys or a mix of both, the focus should be on reducing identity risk.
That includes:
- Enabling multi-factor authentication across all critical services, preferring phishing-resistant methods such as passkeys or FIDO2 security keys over SMS and emailed codes
- Deploying password managers for users where passwords remain necessary
- Monitoring for compromised credentials on the dark web
- Detecting suspicious login behaviour through MDR and SOC services
- Implementing passkeys where supported
- Training users to recognise phishing attempts
The future will likely be passwordless, but most organisations are still in a transition phase. During that period, attackers will continue targeting weak credentials wherever they find them. If your passwords are still simple, reused or unchanged for years, now is the time to act. Strong unique passwords, MFA and passkeys can dramatically reduce risk.
Passwords may not disappear overnight, but their dominance is ending. The organisations and individuals who modernise early will be far better placed to stay secure.
Need help with your cybersecurity? Contact our experts today.
