Rethinking passwords on World Password Day
World Password Day serves as a timely reminder of the importance of protecting our digital lives. Part of my role involves spending a great deal of time helping organisations understand that the traditional password, once the cornerstone of online security, is no longer sufficient on its own.
The problem with passwords
We’ve all heard the advice: use complex, unique passwords for every account. Yet even with the best intentions, human nature often wins. Password reuse, weak credentials, and phishing remain among the most common causes of breaches. Attackers know this and continue to exploit it. Passwords aren’t just a nuisance; they can be a liability.
Going ‘passwordless’
Increasingly, businesses and individuals are exploring passwordless authentication, a model that replaces passwords entirely with more secure and user-friendly alternatives. This includes device-based authentication, security keys, or mobile apps that use public key cryptography.
The benefits are stronger protection against phishing and credential theft, reduced IT burden (fewer password reset requests), and a better user experience. In short, better security and happier users.
Multi-factor authentication: A must-have
Whether or not you’re ready to go passwordless, Multi-Factor Authentication (MFA) should already be part of your defence. MFA adds a critical extra layer requiring something you have (such as a phone), something you are (a fingerprint), or something you know (like a PIN).
A password alone is simply no longer enough.
PINs and biometrics
There’s often confusion between PINs and passwords. While both are knowledge-based, PINs can offer enhanced security when used locally, such as when unlocking a device protected by a Trusted Platform Module (TPM). Used this way, PINs never leave the device and are resistant to many common attacks.
Biometrics, like fingerprint or facial recognition, offer even greater convenience. However, they must be implemented carefully, especially in high-risk environments, to safeguard against spoofing and ensure user privacy.
What about password managers?
Password managers are often recommended as a practical solution for creating and storing strong, unique passwords. Options such as 1Password, Bitwarden, or LastPass offer centralised, encrypted vaults, and can simplify secure access across accounts.
Even built-in managers from Google Chrome and Apple Keychain offer a useful step in the right direction, particularly for individual users and small businesses. However, it’s important to remember these are not without their risks. Breaches have occurred in the past, including high-profile cases involving third-party managers. And browser-based tools, while convenient, may be more susceptible to compromise if a device is infected or poorly secured.
No password manager is breach-proof. The key is to choose one that encrypts data locally, use a strong master password, enable MFA, and apply regular software updates.
Action you can take
Key actions you can take to protect your business and personal data include:
- Enable MFA on every service that offers it—especially email, banking, and cloud accounts.
- Consider moving towards passwordless solutions, particularly for internal systems and employees.
- Don’t rely solely on biometrics; always pair them with a secondary factor.
Even the strongest security measures can be undermined by human error. Ongoing, practical user training ensures security best practices stay front of mind and are applied consistently across your organisation.
Cyber security is never one-size-fits-all, but the direction is clear: fewer passwords, more layers of protection, and smarter authentication.