- Enterprise password strategies keep failing, not because employees choose weak passwords, but because complexity policies create insecure workarounds and the architecture relies too heavily on human memory at scale.
- The authentication industry is shifting from passwords toward passkeys, phishing-resistant MFA, and device-bound credentials, with 87% of enterprises already deploying or actively implementing passkeys according to the FIDO Alliance.
- For CISOs, World Password Day 2026 is a prompt to audit where passwords still create operational risk, retire outdated practices like forced 90-day resets, and build systems that remain secure even when humans behave imperfectly.
Every year on the first Thursday of May, the security industry marks World Password Day with a familiar chorus: use longer passwords, enable multi-factor authentication (MFA), stop reusing credentials.
The advice is sound. And yet, according to the 2025 Verizon Data Breach Investigations Report, stolen credentials remained the most common initial access vector, present in 22% of all confirmed breaches and 88% of basic web application attacks.
Something is clearly not adding up.
Employees are exhausted by login fatigue. Security teams spend considerable time on password resets and credential management. And attackers have largely stopped trying to crack passwords; they simply steal them, buy them, or phish them from users who are overwhelmed.
This is why the more important question for security leaders in 2026 is not “how do we create stronger passwords?” It is “why are we still so dependent on them?”
World Password Day this year is best understood not as a reminder to add more symbols to your credentials, but as a prompt to rethink enterprise authentication itself.
The industry is gradually moving toward a model built on passkeys, phishing-resistant MFA, password managers, and identity-first security thinking, and that shift deserves serious attention from every CISO and security leader.
Passwords were designed for a much smaller digital world
The password, as a concept, is older than most people realize.
In 1961, researchers at the Massachusetts Institute of Technology built passwords into the Compatible Time-Sharing System (CTSS) to let users protect their personal files on a shared mainframe. The problem being solved was modest: keep one researcher’s work separate from another’s on a single machine.
That origin matters. Because the environment that gave birth to password security barely resembles the one that security leaders are responsible for today.
In the early decades of computing, identity footprints were small. Employees accessed a limited number of internal systems, usually on-premises, behind a physical perimeter. Remote access was an exception, not a baseline. The concept of a vendor ecosystem with dozens of third-party integrations, each requiring its own credentials, simply did not exist.
And as we know, the modern environment looks nothing like that.
According to BetterCloud’s research, companies now use an average of 106 SaaS applications. Add hybrid work, multi-cloud infrastructure, third-party vendor access, service accounts, and AI-powered phishing attacks that can convincingly impersonate internal communications, and the identity surface area that security teams must defend has expanded by orders of magnitude.
And yet the authentication model has barely changed. Companies are still asking humans to navigate an enterprise-scale identity problem that passwords were never built to handle.
Each new system added to the stack is another credential to create, store, rotate, and eventually forget. Every forgotten password is a reset ticket. Every reset ticket is a cost.
Several security leaders now argue that the core problem is not weak passwords alone, but rather the overreliance on passwords themselves. The question worth asking on World Password Day 2026 is whether that dependence is still justifiable.
Why traditional password strategies keep failing
Despite years of updated policies, mandatory training, and increasingly strict requirements, the same failure patterns keep reappearing inside organizations. The reason, according to many security leaders, has less to do with employee negligence and more to do with how those policies are designed in the first place.
- Complexity rules often create insecure behavior
There is a pattern that plays out in organizations of every size and every industry.
A security team introduces a new password policy: 12 characters minimum, mandatory special characters, and a 90-day reset cycle. Compliance rates look acceptable on paper until someone finds the sticky note.
Complexity mandates rarely improve enterprise password security as intended. Without the right tooling and behavioral support in place, employees predictably fall back on workarounds such as:
- Cycling through minor password variations, adding a number or symbol to meet the new requirement
- Reusing the same credentials across personal and work accounts to reduce memory load
- Writing passwords down because the requirements have made them impossible to remember
- Sharing accounts to avoid being locked out of a critical system at the wrong moment
- Storing credentials in Excel spreadsheets because a centralized password manager was never provided
As Lisa Ventura, a cybersecurity leader and Fellow of the Chartered Institute of Information Security, comments, “Most teams still rely on policies that tell people what not to do, slap complexity rules on them, force 90-day resets, and then wonder why staff are writing credentials on sticky notes or cycling through the same password with a number at the end.
That approach has never worked, and the data proves it. Behavior does not change through restriction alone.”
Most enterprise password policies are designed as governance documents rather than behavioral tools. They define what employees must not do, without addressing the usability friction that makes compliant behavior difficult.
When security asks too much of human memory and offers no viable alternative, the system ends up creating the high risk it was designed to prevent.
- Password fatigue is now an operational problem, too
The consequences of this model extend well beyond the security team. Password management has become a significant operational cost center that is rarely accounted for in security budgets.
According to a February 2025 CIO analysis of Forrester research, companies spend an average of $87 per password reset, which amounts to $795 per employee annually when accounting for IT labor, ticketing overhead, and lost productivity while employees wait to regain access. The volume behind that figure comes from:
- Forgotten credentials and account lockouts
- Mandatory reset cycles that employees cannot keep pace with
- Shared account access disputes requiring IT intervention
- Authentication failures on legacy systems with no self-service recovery
Ben Rothke, Senior Information Security Manager at Experian, agrees and shares that, “Information security teams spend way too much time dealing with password resets, forgotten passwords, and more.”
For large enterprises and mid-sized firms where support queues are already stretched, this volume represents a recurring, scalable drain on security team capacity. Time spent on credential administration is time not spent on threat detection, risk management, or building toward a stronger authentication posture.
Password management has become an authentication tax on operational productivity, and for security leaders working with constrained resources, that cost is increasingly difficult to justify.
- What password dependence actually looks like inside enterprises
The theoretical risk of poor password hygiene is well documented. The practical reality, on the other hand, is more mundane, and in many ways more dangerous, precisely because of how normalized it has become.
Common scenarios inside enterprise environments include:
- Contractors sharing credentials across project tools because provisioning individual accounts takes time no one has
- Admin passwords for legacy systems stored in shared spreadsheets because those systems predate modern credential vaults
- VPN access relies on a single static password because the infrastructure investment to upgrade has not been prioritized
- Employees approve MFA prompts with minimal attention because the volume of daily requests has made the friction invisible
Wendy Nather, security strategist and advisor at 1Password, makes a similar point: “I would encourage teams to be thoughtful and secure about how they share passwords. We all know you're sharing them, and often there's a good reason to do so. Just do it the same secure way each time, document it in the same centralized place, and for heaven's sake, stop putting them in Excel spreadsheets.”

Most password-related risk inside enterprises today does not come from employees choosing weak passwords.
It comes from the operational complexity of managing credentials at scale, layered with the human tendency to find the path of least resistance.
The industry is trying to move beyond passwords
Many security practitioners are no longer treating passwords as the centerpiece of enterprise authentication. The conversation has shifted from how to make passwords stronger to how to make organizations less dependent on them altogether.
The momentum behind that shift is no longer theoretical. It is measurable and accelerating.
- Passwords are becoming secondary
Ben Rothke, Senior Information Security Manager at Experian, also commented on this directional change, saying, “Rather than having passwords be the lead actor in information security defense, make them a bit player. What needs to be done is to use phishing-resistant, multi-factor authentication as the default, and treat passwords as secondary.”
The technologies enabling this transition are no longer niche or experimental. The modern authentication stack available to companies today includes:
- Passkeys, cryptographic credentials tied to a user’s device that are phishing-resistant by design and require no memorization
- Hardware security keys, including FIDO2-compliant tokens that provide device-bound authentication for high-privilege accounts
- Biometric authentication, using fingerprint or facial recognition to verify identity at the device level
- Device trust models, where access decisions are based on the security posture of a verified endpoint rather than a credential
- Adaptive authentication, which evaluates contextual signals such as location, device, and behavior before granting access
The regulatory and standards ecosystem is now firmly aligned behind this transition.
At CYBERUK 2026 in Glasgow, the UK’s National Cyber Security Centre published a technical report formally recommending passkeys over passwords, concluding that passkeys are at least as secure as, and in most cases more secure than, the strongest password combined with two-step verification.
Enterprise adoption is following. According to the FIDO Alliance's State of Passkey Deployment in the Enterprise report, 87% of organizations surveyed have either deployed passkeys or are actively deploying them, a 14 percentage point increase from 2022.
The future of authentication is shifting from something users remember to something users possess or something they inherently are. That shift has been discussed for years. What is different now is that the infrastructure, the standards, and the ecosystem support to act on it are all in place.
- Password managers are becoming baseline infrastructure
Even in environments where full passwordless authentication is not yet achievable, the minimum expectation is shifting. Employees should not be required to memorize dozens of credentials just to function productively. When that is the reality inside an organization, the architecture itself is creating risk, not managing it.

Password managers address this problem by:
- Generating and storing unique, complex credentials for every system and service
- Enabling secure, auditable credential sharing for teams and contractors
- Supporting credential lifecycle management, including rotation and revocation
- Reducing the surface area of human memory as a security dependency
- Vaulting sensitive credentials such as service account passwords and admin keys in a secure, auditable location with access controls
When employees no longer need to remember passwords, the behavioral workarounds that policies have failed to eliminate largely disappear. The sticky note problem is not a discipline problem. It is an infrastructure gap, and password managers close it.
But even as passwords become less central to authentication, another question is beginning to emerge for security leaders: what happens to everything that identity now connects to?
If passwords are dead, is MFA too?
The short answer is no. But the longer answer matters considerably more for security leaders making authentication decisions in 2026.
Attackers have adapted. As password-only authentication became less viable and MFA adoption grew across enterprises, threat actors shifted their techniques specifically to work around it.
The methods now in active use include:
- MFA fatigue attacks and push bombing, where users are overwhelmed with repeated approval requests until they click accept out of frustration
- SIM swapping, which redirects SMS-based one-time codes to attacker-controlled numbers
- Adversary-in-the-middle phishing, which intercepts authentication sessions in real time before the user realizes anything is wrong
- Session hijacking, which bypasses MFA entirely by stealing authenticated session tokens after a legitimate login
Even so, MFA remains essential. An organization without it is meaningfully more exposed than one with it. The critical distinction that security leaders need to draw, however, is between legacy MFA implementations and phishing-resistant MFA built on modern standards.
MFA: Tiering and applicability in the current environment
Not all MFA methods sit at the same level of assurance. A useful way to think about them is in tiers:
- SMS and email OTP sit at the bottom. They are better than nothing, but are vulnerable to SIM swapping, interception, and adversary-in-the-middle attacks
- Authenticator app TOTP codes sit in the middle. They are more resistant than SMS but are still susceptible to real-time phishing and session hijacking
- FIDO2 hardware security keys and device-bound passkeys sit at the top. They are cryptographically bound to the legitimate origin and are resistant to phishing by design
This tiering is not just an industry opinion. NIST SP 800-63B-4, the updated Digital Identity Guidelines, formally classifies SMS and PSTN-based OTP as a restricted authenticator, the only method in that category, and requires organizations continuing to use it to meet additional conditions and maintain a migration plan.
The consequences of getting this wrong at scale are well documented. The 2024 Snowflake breach, in which attackers accessed multiple enterprise customer environments because MFA was not enforced on the platform, illustrated precisely how a gap in authentication enforcement can become a multi-organization incident.

For CISOs, the practical implication is straightforward. What matters is which kind of MFA is deployed, where, for which user populations, and whether continuous compliance monitoring is in place to verify that enforcement is actually holding.
The distinction between traditional and phishing-resistant MFA is not a matter of degree. It is a difference in the underlying architecture.
Traditional MFA methods share a common vulnerability: they rely on a code or confirmation that travels through a channel an attacker can intercept, redirect, or manipulate in real time.
Phishing-resistant MFA works differently. Rather than relying on a shared secret or a code transmitted across a channel, it uses cryptographic mechanisms that are bound to a specific device and a specific legitimate origin. An attacker intercepting the authentication attempt receives nothing they can use.
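The origin binding described above, as an added example that is not from the article or any vendor: a small Python model of a passkey-style relying party and authenticator, with constructed hostnames and HMAC standing in for the device's asymmetric signature. A proxy at a lookalike origin can relay the genuine challenge but never obtains a usable assertion, and the server also rejects replays and assertions bound to another origin.

```python
# Added example (not from the article): why an origin-bound credential survives
# adversary-in-the-middle phishing. HMAC stands in for the authenticator's
# private-key signature; real passkeys (WebAuthn/FIDO2) use asymmetric keys,
# but what gets bound and checked is the same. Hostnames are constructed.
import hashlib
import hmac
import secrets

GENUINE_RP = "login.example.com"
LOOKALIKE = "login-example.com"   # attacker's proxy, relaying the real challenge


class Authenticator:
    """Device side: one key per relying-party ID it was registered with."""

    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]

    def get_assertion(self, browser_origin, challenge):
        # The browser, not the page content, reports the origin. A lookalike
        # host has no registered key, so the device produces no assertion.
        key = self.keys.get(browser_origin)
        if key is None:
            return None
        rp_id_hash = hashlib.sha256(browser_origin.encode()).digest()
        sig = hmac.new(key, rp_id_hash + challenge, hashlib.sha256).digest()
        return {"rp_id_hash": rp_id_hash, "challenge": challenge, "signature": sig}


class RelyingParty:
    """Server side: issues single-use challenges, checks origin and signature."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.key = None
        self.pending = set()

    def enroll(self, device):
        self.key = device.register(self.rp_id)

    def new_challenge(self):
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion):
        if assertion is None or assertion["challenge"] not in self.pending:
            return False                      # absent, unknown or replayed
        self.pending.discard(assertion["challenge"])
        expected = hashlib.sha256(self.rp_id.encode()).digest()
        if not hmac.compare_digest(assertion["rp_id_hash"], expected):
            return False                      # signed for a different origin
        sig = hmac.new(self.key, expected + assertion["challenge"], hashlib.sha256).digest()
        return hmac.compare_digest(sig, assertion["signature"])


def passkey_login(browser_origin):
    """True if an assertion made at browser_origin is accepted by the genuine RP."""
    device, rp = Authenticator(), RelyingParty(GENUINE_RP)
    rp.enroll(device)
    challenge = rp.new_challenge()  # an AitM proxy relays this byte-for-byte
    return rp.verify(device.get_assertion(browser_origin, challenge))
```

Compare this with an OTP: the code a user types into the proxy page carries no origin at all, so the proxy can forward it to the real site unchanged.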

This is precisely where platforms like Scrut help security teams close the gap between policy intent and operational reality.
What CISOs should rethink this World Password Day
Security leaders are gradually moving away from measuring security maturity solely by password complexity. The shift that is underway, however inconsistently it is happening across industries, is toward authentication resilience and a deliberate reduction in how much human behavior the security architecture depends on to function correctly.
- Audit where passwords still create enterprise risk
Before any organization can reduce its reliance on passwords, it needs an honest picture of where they still live in its environment and what risk each poses. The areas most commonly overlooked in standard password audits include:
- Legacy applications that predate modern identity infrastructure and cannot support SSO, MFA, or passwordless authentication without significant re-engineering
- Shared admin credentials used across teams or shifts, where individual accountability is impossible to establish and credential rotation is inconsistent
- Vendor and contractor access, where third parties often authenticate through channels that fall outside the organization’s standard identity governance controls
- Service accounts and non-human identities, which frequently carry elevated privileges and are managed manually with infrequent rotation
- Privileged workflows such as break-glass access, emergency admin accounts, and deployment pipelines, where password hygiene is often deprioritized in the name of operational speed
Each of these represents an authentication attack surface that complexity policies alone cannot address. The risk is structural, not behavioral.
- Stop measuring maturity through password complexity alone
Some of the most widely adopted password practices in enterprise security are not just ineffective. They actively create the conditions for the workarounds documented in earlier sections of this article.
Forced 90-day password resets, for instance, do not improve security in environments where attackers move laterally within hours of initial access. What they reliably produce is a predictable cycle of minor password variations and increased helpdesk volume.
Similarly, excessive complexity rules without supporting tooling shift the burden entirely onto human memory, which is not a security control.
Modern authentication strategy replaces these practices with approaches that are both more secure and more usable:
- Risk-based authentication, which adjusts verification requirements based on contextual signals such as device, location, and behavior, rather than applying the same friction to every login
- Continuous verification models that do not treat a single successful login as an open session indefinitely
- Context-aware access controls that evaluate whether a given access request is consistent with established patterns before granting it
- Identity intelligence that surfaces anomalies across user activity, rather than relying on periodic policy enforcement
- Reduce human dependency wherever possible
The practical roadmap for most enterprise security teams does not require a complete architectural overhaul on day one. It requires a set of deliberate, sequenced decisions that shift accountability away from individual behavior and toward architecture.
Practical starting points include:
- SSO adoption to consolidate the credential surface area and reduce the number of individual authentication events employees manage daily
- Enterprise password managers as the baseline for any system that cannot yet support passwordless authentication or SSO
- MFA deployed across all user-facing systems, with a clear internal distinction between phishing-resistant and legacy implementations
- Passkey pilots for high-risk user populations, starting with privileged accounts and users with access to sensitive data
- Phishing-resistant MFA as the enforced standard for any administrator, executive, or vendor with elevated access
Lisa Ventura’s challenge to security leaders is worth returning to here.
She mentions, “World Password Day is a useful moment to pause and ask whether your team is being set up to succeed or set up to fail. If your current approach puts the burden entirely on individual employees without giving them the tools, the training, or the genuine understanding to carry it, then the policy is the problem, not the people.”

The goal is not to design systems that require humans to behave perfectly under every condition. The goal is to design systems that remain secure even when humans behave imperfectly, because they inevitably will.
The goal is an authentication model that does not need World Password Day
World Password Day began as a reminder to practice better password hygiene. In 2026, it is becoming something more significant: a prompt for security leaders to question whether password-centric thinking still belongs at the center of authentication strategy.
The organizations leading this transition are not measuring success by password strength scores or reset compliance rates. They are measuring it by how little their security posture depends on passwords in the first place.
The best passwords, as it turns out, are the ones your users never need to remember.
The goal for every security leader is to make World Password Day, eventually, an irrelevant occasion.
If World Password Day prompts one action, let it be this: audit whether your current authentication controls are being enforced the way your policies say they are. Scrut gives security leaders continuous visibility into access controls, MFA coverage, and third-party authentication risk, without waiting for the next audit to find out what slipped.
Talk to the Scrut team today!

Megha Thakkar is a technical content writer with about a decade of experience in cybersecurity and compliance. She writes extensively on SOC 2, ISO 27001, GDPR, and security operations, helping organizations translate complex requirements into clear, audit-ready decisions. Her work, tailored for CISOs and executive leaders, is frequently cited in U.S. government and NIST publications.

Shraddha Chaturvedi is a GRC and Data Privacy professional with more than 8 years of experience in information security consulting and auditing. At Scrut Automation, she leads Infosec Delivery, helping organizations navigate frameworks like ISO 27001, SOC 1, SOC 2, GDPR, HIPAA, and more. Shraddha has previously worked with firms such as EY and PwC, and also contributes as a guest faculty member, mentoring students in cybersecurity and risk management.