Thrive: Passwords must Complement a Broader Identity-Led Strategy

It’s World Password Day today, the first Thursday of May.

World Password Day is a day set aside in the IT industry, and other associated sectors, to consider best practices such as strong password habits and better cybersecurity.

Its aim is to encourage people and businesses to reflect on, and perhaps take action over, where, when and how their passwords and security access are being used. It is widely recognised by cybersecurity companies, technology vendors, and IT organisations.

Apparently the concept originated from a security researcher whose idea inspired Intel Security (formerly McAfee) to formally launch World Password Day in 2013.

Today, on World Password Day 2026, we hear the thoughts of Chris Gunner, vCISO at Thrive:

The Importance of Password Hygiene

Chris Gunner comments:

“World Password Day is still certainly a useful reminder on the importance of password hygiene – ensure passwords are unique across different accounts, incorporate a mix of letters and characters and don’t use any personal information. However, the key priority for organisations in today’s cyber landscape should be reducing dependence on passwords as a single control.

“With evolving phishing and social engineering techniques being used to obtain the credentials of legitimate users and bypass security controls, even a strong password can be undermined if the wider identity and access environment is not properly managed.

“Passwords must therefore complement a broader identity-led strategy. They’re perfect as a first line of defence, but a second identification step is needed so accounts continue to stay protected if a password is breached. Multi-factor authentication requires an additional form of verification such as a code provided to the user via an app or biometric proof before an account can be accessed. Biometric protection in particular is nearly impossible for hackers to get past.

“MFA controls should then be joined by identity governance and endpoint protection so gaps between systems are reduced. A broader Zero Trust and secure access model should revolve around users and devices being verified before access is granted, and then continuously validated thereafter, rather than trusted by default.

“Businesses should also never forget the importance of education. People should be trained to recognise suspicious messages, avoid handing over sensitive information, stay current on threat trends and act as a stronger line of defence alongside controls such as MFA and other security tools.”

Trish Stevens Head of Content
Trish is the Head of Content for In the Channel Media Group. trish@newsinthechannel.com
