World Password Day falls on the first Thursday of May every year, and for security professionals it is often a slightly depressing occasion. Despite years of warnings, data breaches and cybersecurity awareness campaigns, many people still rely on weak, predictable and reused passwords.

The message isn’t getting through

The most commonly used passwords have barely changed in more than a decade. Variations of “123456”, “password”, “qwerty” and other easily guessed combinations continue to appear near the top of global lists year after year. While technology has advanced rapidly, password habits often have not.

For cybercriminals, this creates an easy route into personal and business accounts. Attackers know many users still choose convenience over security, and they actively exploit that behaviour through credential stuffing, brute-force attacks and phishing campaigns.


The danger of weak and reused passwords

A weak password is bad enough. A reused password is often worse.

When one website suffers a breach, stolen usernames and passwords are quickly tested across banking, email, cloud storage and workplace platforms. If the same password has been reused, a single breach can unlock multiple accounts.

For organisations, reused passwords can lead to compromised Microsoft 365 accounts, exposed VPN access, business email compromise and unauthorised access to sensitive data. In many incidents, attackers do not need sophisticated malware. They simply log in with valid credentials.

At Integrity360, we regularly see that identity-based attacks remain one of the fastest and most effective ways for threat actors to gain access. As businesses improve perimeter defences, criminals increasingly target users, credentials and authentication weaknesses instead.

Why passwords remain a problem

Passwords place too much responsibility on users. People are expected to create dozens of unique, complex combinations, remember them, update them and avoid writing them down.

That often leads to familiar behaviour:

    • Choosing short or memorable passwords
    • Reusing the same password across multiple services
    • Making only minor changes when prompted to reset
    • Storing passwords insecurely in notes or spreadsheets

Even when organisations enforce password policies, they’re often ignored or circumvented.

The NCSC shift towards passkeys

The UK’s National Cyber Security Centre (NCSC) has recently urged people to move away from passwords in favour of passkeys where available, describing it as a major shift in long-standing security practice.

Passkeys are a newer form of authentication that removes the need to remember passwords altogether. Instead of relying on a shared secret, they use public key cryptography. A private key stays securely on the user’s device and never leaves it, while the matching public key is stored by the service being accessed.

In practice, users often sign in using something already built into their device, such as Face ID, fingerprint recognition or a PIN.

Because there is no password to type in, passkeys can significantly reduce the risk of phishing, password theft and credential reuse. Each passkey is unique to the website or app it is created for, making it far harder for attackers to exploit across multiple services.
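As an added illustration (not code from the Integrity360 post or the NCSC guidance), the Go sketch below models the challenge-response described here and in the "How do passkeys work?" FAQ: the private key never leaves the device, each key is bound to one site ID, the service stores only public keys, and a look-alike domain gets no assertion at all. The names Authenticator, RelyingParty, bank.example and bank-example.com are constructed for the example, and it uses Ed25519 from Go's standard library rather than any particular authenticator's algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: one private key per site (relying party ID), never shared.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// RelyingParty models the service: it stores only public keys, so a breach of its store yields nothing to log in with.
type RelyingParty struct {
	ID   string
	pubs map[string]ed25519.PublicKey // user -> registered public key
}

// Register creates a fresh key pair bound to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	a.keys[rpID] = priv
	return pub
}

// toSign binds the challenge to the site ID, so an assertion made for one site can never be replayed against another.
func toSign(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"|"), challenge...)
}

// Assert signs a challenge for the origin the browser reports. A look-alike phishing
// domain has no matching key, so the device has nothing to hand over.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin]
	if !ok { return nil, false }
	return ed25519.Sign(priv, toSign(origin, challenge)), true
}

// Verify checks the signature with the user's stored public key against the RP's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, toSign(rp.ID, challenge), sig)
}

// Demo runs one genuine login and one phishing attempt and returns (genuineOK, phishOK).
func Demo() (bool, bool) {
	dev := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", pubs: map[string]ed25519.PublicKey{}} // constructed names
	bank.pubs["alice"] = dev.Register(bank.ID)
	challenge := make([]byte, 32) // fresh random challenge per login defeats replay
	_, _ = rand.Read(challenge)
	sig, ok := dev.Assert("bank.example", challenge)
	genuine := ok && bank.Verify("alice", challenge, sig)
	_, phishOK := dev.Assert("bank-example.com", challenge) // constructed look-alike domain
	return genuine, phishOK
}
```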

The NCSC has described passkeys as a more user-friendly option that can also improve overall resilience.


Passkeys are not the whole answer

Passkeys are a strong alternative, but not every platform supports them yet. Users may face recovery challenges if they lose access to their devices. Organisations also need clear processes for enrolment, device management and account recovery.

This means businesses should view passkeys as part of a broader identity security strategy rather than a standalone fix.

Integrity360 insight: Identity is the new frontline

At Integrity360, we advise organisations to treat authentication as a critical security control. Whether using passwords, passkeys or a mix of both, the focus should be on reducing identity risk.

That includes:

    • Enabling multi-factor authentication across all critical services
    • Deploying password managers for users where passwords remain necessary
    • Monitoring for compromised credentials on the dark web
    • Detecting suspicious login behaviour through MDR and SOC services
    • Implementing passkeys where supported
    • Training users to recognise phishing attempts

The future will likely be passwordless, but most organisations are still in a transition phase. During that period, attackers will continue targeting weak credentials wherever they find them. If your passwords are still simple, reused or unchanged for years, now is the time to act. Strong unique passwords, MFA and passkeys can dramatically reduce risk.

Passwords may not disappear overnight, but their dominance is ending. The organisations and individuals who modernise early will be far better placed to stay secure.

Need help with your cybersecurity? Contact our experts today.

FAQs

What is World Password Day?

World Password Day is an annual awareness event focused on encouraging individuals and organisations to improve password security practices and strengthen account protection against cyber threats.

Why are weak passwords still a major cybersecurity problem?

Weak passwords remain one of the easiest ways for attackers to gain unauthorised access to systems and accounts. Many users still rely on reused passwords, predictable phrases or simple combinations that can be cracked using automated tools and credential stuffing attacks.

What is a passkey?

A passkey is a passwordless authentication method that uses cryptographic keys stored securely on a device instead of traditional passwords. Passkeys are designed to improve both security and user experience while reducing the risks associated with stolen or reused passwords.

Are passkeys more secure than passwords?

Yes. Passkeys are generally considered far more secure than traditional passwords because they are resistant to phishing, credential theft and brute force attacks. Unlike passwords, passkeys cannot easily be stolen or reused across multiple services.

How do passkeys work?

Passkeys use public-key cryptography. A private key is securely stored on the user’s device, while a public key is shared with the service being accessed. Authentication occurs locally using biometrics, PINs or device authentication without transmitting a reusable password.

Why are organisations considering moving to passkeys?

Organisations are exploring passkeys because they reduce the risks associated with weak passwords, improve user experience and help lower the likelihood of phishing-based compromise. They can also reduce password reset costs and improve identity security overall.

Can passkeys completely replace passwords?

Not entirely, at least not yet. Many organisations still operate legacy applications and systems that rely on passwords. For most businesses, passkeys currently form part of a broader authentication strategy alongside MFA and identity security controls.

What are the risks of password reuse?

Password reuse creates significant risk because attackers often use credentials stolen from one breach to attempt access across multiple accounts and services. This technique, known as credential stuffing, remains highly effective against organisations without strong authentication controls.

Is multi-factor authentication still important if organisations use passkeys?

Yes. Multi-factor authentication remains an important layer of defence, particularly in hybrid environments where passwords still exist. Strong identity security should combine MFA, privileged access controls, monitoring and modern authentication approaches such as passkeys.

How can organisations improve password security today?

Organisations should enforce strong password policies, deploy MFA, educate users about phishing risks, monitor for credential compromise and move towards passwordless authentication where practical. Identity security and access management should form part of a wider cybersecurity strategy.

How can Integrity360 help organisations strengthen identity security?

Integrity360 Identity Security Services help organisations improve authentication security, reduce identity-based risk and implement modern security controls including MFA, privileged access management and identity governance.