What is World Password Day? And Why We Still Need It
Learn about World Password Day with tips and best practices to strengthen your passwords so they become a security asset rather than a liability
UPDATE: This post, originally published on May 6, 2021, has been updated to provide a more in-depth look into World Password Day. While the fundamental aspects of the day remain unchanged, this update includes additional insights and detailed explanations to enhance your understanding of the latest technologies and best practices for maintaining strong password security in today’s digital landscape.
Today is World Password Day, which is observed annually on the first Thursday of May. The holiday encourages individuals and organizations to proactively improve their password security by creating strong passwords, adopting better habits, and staying informed about cybersecurity best practices.
On this World Password Day, it’s crucial to reflect on the evolving landscape of cybersecurity and the role that robust password practices play in safeguarding our online identities and personal accounts against cyber threats.
Join us in observing World Password Day as we dive deeper into the holiday and discuss the latest in password hygiene, including an analysis of the most commonly used passwords, the importance of strong passwords, what goes into creating a good password, and password best practices you can start using today.
By taking proactive steps to strengthen passwords and enhance your overall cybersecurity posture, we can collectively build a safer digital environment for everyone.
Let’s continue making cybersecurity a priority to protect what matters most.
- Who created World Password Day?
- What is the most common password?
- Why is using a strong password important?
- What makes a good password?
- Top ways you can improve password security
Who created World Password Day?
Established in 2013 by Intel, World Password Day is an annual reminder about the importance of securing the gatekeeper of our cyber identities. Since its inception, the day has taken on a life of its own, with thousands of people, organizations like the National Cyber Security Awareness Alliance, and major tech companies like Google (also a founding underwriter of the FIDO Alliance) sharing tips for creating strong passwords and improving cybersecurity practices.
The evolution of World Password Day reflects the growing recognition of the need for robust cybersecurity measures. Initially focused on promoting strong passwords, the day now also highlights the importance of multi-factor authentication (MFA) and staying informed about best practices in cybersecurity. This shift underscores the ongoing efforts to adapt to the ever-evolving landscape of cyber threats and the need for continuous improvement in digital security practices.
[Read also: Is multi-factor authentication living up to its hype?]
It’s clear that the need for strong, unique passwords has never been more critical. However, many individuals still rely on weak and easily guessable passwords, leaving their accounts vulnerable to cyber threats.
Let’s delve into the most common passwords and explore why these choices pose significant risks to our digital security.
What is the most common password?
Despite advancements in technology, weak passwords continue to be a significant vulnerability. Common passwords like “Password1”, or passwords built from easily guessable personal information such as birthdays, pet names, children’s names, or favorite sports teams, are easy for attackers to guess, because attackers often monitor social media accounts to gather exactly this kind of information.
Additionally, many frequently used passwords continue to be shockingly simple. According to the 2025 Specops Breached Password Report, the most stolen passwords in 2024 include 123456, admin, and password. The report also highlights that many users tend to use simple base terms like “admin” or “welcome,” which are easily exploited through dictionary attacks.
[Read also: Stop making these four common password mistakes now]
By understanding the risks associated with common passwords and taking proactive steps to strengthen password practices and policies, individuals and organizations can significantly reduce the likelihood of unauthorized access and enhance their overall cybersecurity posture.
In the next section, we’ll explore the importance of using strong, unique passwords and how they can significantly enhance your cybersecurity posture.
Why is using a strong password important?
In an era where cyber threats are increasingly sophisticated, a single compromised password can lead to devastating consequences, including identity theft, financial loss, and unauthorized access to sensitive data.
Even with the well-known risks associated with weak passwords, many individuals continue to use them or even reuse the same password across multiple accounts. This practice significantly increases their vulnerability to cybercriminals.
Consider this entrant: “solarwinds123” — that’s the password that a worker created to access a secure server at the network management software company SolarWinds.
We all know the rest: Hackers broke in and launched one of the worst cyberattacks in U.S. history, infecting 300 companies and nine federal agencies, racking up as much as $100 billion in cleanup costs.
Hackers don’t break in, they log in.
According to the IBM X-Force 2025 Threat Intelligence Index, there has also been an 84% increase per week in infostealers delivered via phishing emails. Cybercriminals using AI to scale phishing and make it more effective have driven this rise in infostealer malware, leaving millions of stolen credentials available on the dark web.
[Read also: Yes, ChatGPT will turbocharge hacking—and help fight it, too]
Now that we’ve established why using strong passwords is crucial for protecting your digital identity and sensitive information, you might be wondering: what exactly makes a good, strong password? And how can you create one that effectively safeguards your accounts?
Let’s explore the key characteristics of what makes a good password, with practical tips to help you craft passwords that are both secure and manageable.
What makes a good password?
Traditionally, people believe that adding numbers and special characters such as #, @, and & is all they need to do to increase their password security, and some applications even require it.
However, what many people don’t realize is that even passwords that meet complexity requirements can still be vulnerable if they are part of a known list of compromised passwords.
For example, a password like “P@ssw0rd!” may seem strong, but if it has been exposed in a data breach, it becomes just as risky as a simple password. Additionally, requiring these characters often adds complexity without adding real strength.
It’s always a good idea to assume the worst and check Have I Been Pwned for a list of company data breaches and exposed email addresses.
So, why is having a complex password no longer the primary focus for ensuring security?
The National Institute of Standards and Technology (NIST) recently unveiled a transformative set of guidelines for password security, signaling a departure from traditional practices. These new recommendations, detailed in NIST Special Publication 800-63B, are designed to bolster cybersecurity while enhancing user experience.
[Read also: The new thinking on password security might surprise you]
One of the most significant updates in NIST’s approach is the emphasis on password length over complexity. Moving away from the conventional wisdom of mixing uppercase and lowercase letters, numbers, and special characters, NIST now prioritizes the length of passwords as the key factor in their strength. (However, complexity can still play a role in preventing threats like brute-force attacks.)
Longer passwords are generally more secure and easier for users to remember. We’re moving away from complex rules that often lead to predictable patterns and towards encouraging unique, lengthy passphrases.
NIST now recommends a minimum password length of 8 characters, with a strong preference for even longer passwords. Organizations are encouraged to allow passwords up to at least 64 characters to accommodate passphrases.
In another significant update, NIST has eliminated the requirement for mandatory periodic password changes. The institute argues that frequent resets often result in weaker passwords and predictable changes, reinforcing poor password habits. Instead, passwords should only be changed when there is evidence of compromise.
“Forcing users to change passwords regularly doesn’t improve security and can actually be counterproductive,” Turner explained. “It’s more effective to monitor for compromised credentials and require changes only when necessary.”
The new guidelines also stress the importance of checking passwords against lists of commonly used or compromised passwords. NIST advises organizations to maintain an updated blocklist of weak passwords and prevent users from selecting any password on this list.
Additionally, NIST recommends against using password hints or knowledge-based authentication questions, as these can often be easily guessed or discovered through social engineering and phishing.
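To make the guidance above concrete, here is an added example (written for this article; it is not NIST’s, Tanium’s, or any library’s code) of a password-acceptance check that follows the points just listed: a length floor of 8 and a ceiling of at least 64, no composition rules, Unicode normalization before comparison, a blocklist lookup that also rejects context-specific words such as a team name, and a breach check modeled on the k-anonymity range query Have I Been Pwned offers, where only the first five hex characters of the SHA-1 digest leave the client. The blocklist, the range data for every prefix, and the breach counts are constructed for this example; the only real value is the SHA-1 suffix of the string “password”. Note what is deliberately absent: there is no rule demanding uppercase, digits or symbols, and nothing here expires a password on a schedule, since the post’s guidance is to rotate only on evidence of compromise.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Policy values as summarised in the article: at least 8 characters,
# and verifiers must accept at least 64 so passphrases fit.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed blocklist for this example. A production list would be built
# from breach corpora and hold millions of entries; comparison is case-insensitive.
BLOCKLIST = {"123456", "admin", "password", "welcome", "password1", "p@ssw0rd!", "qwerty"}

# Constructed stand-in for a k-anonymity range service. The client sends the first
# five hex characters of SHA-1(password) and receives every known 35-character
# suffix under that prefix as "SUFFIX:COUNT" lines. Only prefix 5BAA6 is populated;
# its first entry is the real SHA-1 suffix of "password", the others are made up.
RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000",  # real suffix of SHA-1("password"); constructed count
        "0" * 34 + "A:3",                                  # constructed neighbour
        "F" * 34 + "0:1",                                  # constructed neighbour
    ]),
}


@dataclass
class Verdict:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def normalize(password: str) -> str:
    # NFKC normalization so the same passphrase typed on different platforms
    # compares and hashes identically; no characters are stripped or truncated.
    return unicodedata.normalize("NFKC", password)


def breach_count(password: str, range_lookup: Optional[Callable[[str], str]] = None) -> int:
    """Return how often the password appears in the (simulated) breach corpus.

    Only the 5-character hash prefix is sent to the lookup; the full digest
    never leaves this function, which is the k-anonymity property.
    """
    lookup = range_lookup or (lambda prefix: RANGE_RESPONSES.get(prefix, ""))
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        known_suffix, _, count = line.partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def evaluate(password: str, context_words=()) -> Verdict:
    """Apply the article's NIST-style acceptance rules and explain any rejection."""
    pw = normalize(password)
    reasons: List[str] = []

    # Length is the primary strength factor; never truncate, reject instead.
    if len(pw) < MIN_LENGTH:
        reasons.append(f"too short: {len(pw)} < {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"too long for this verifier to store: {len(pw)} > {MAX_LENGTH}")

    # Blocklist of common/compromised values and context-specific words
    # (service name, username, a known team affiliation, ...).
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears on the blocklist of common or compromised passwords")
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")

    # Breach-corpus check via the hash-prefix lookup.
    seen = breach_count(pw)
    if seen:
        reasons.append(f"seen {seen} times in breach data")

    # Deliberately no composition rules: "correct horse battery staple" passes.
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate, ctx in [("password", ()), ("P@ssw0rd!", ()),
                           ("2025Yankees", ("Yankees",)),
                           ("correct horse battery staple", ())]:
        v = evaluate(candidate, ctx)
        print(f"{candidate!r}: {'accepted' if v.accepted else 'rejected'} {v.reasons}")
```

Running the block shows that “password” is rejected twice over (blocklist and breach data), “P@ssw0rd!” fails despite satisfying every classic complexity rule, “2025Yankees” is caught by the context-word check, and the long lowercase passphrase is accepted. Swapping `range_lookup` for a function that performs the real HTTPS range request is the only change needed to use a live breach service.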
[Read also: Tanium experts bust common password myths]
These forward-thinking guidelines from NIST are set to redefine what it means to create good passwords that uphold the latest innovations in making password security more robust and user-friendly.
Top ways you can improve password security
But it’s not just what goes into creating a password that can help make it more secure; it’s also following good security hygiene that will help improve your password security, including:
Change passwords less frequently, not more
Organizations often prompt workers to change their network-access passwords every 30 to 45 days. However, this approach can be counterproductive because it leads to predictable patterns in password changes. For example, users might simply update their passwords from 2024Yankees to 2025Yankees, which does not meaningfully improve security. Attackers who have learned a user’s team affiliation from their online accounts can cycle through those small tweaks until they find the right combination.
It’s better to create and stick to one strong password than to make small changes to a weak one. There is an exception: passwords for system administrators who manage servers or other users with high-privilege accounts should be changed roughly once a month.
Why? User roles like system administrators often have elevated privileges and access to critical infrastructure, making their accounts prime targets for cyberattacks. Regularly changing these passwords helps mitigate the risk of unauthorized access and potential breaches.
In fact, Microsoft describes how part of its defense-in-depth approach to cybersecurity includes guidelines around the use of passwords to ensure privileged accounts not only use highly secure passwords but that they are changed regularly to reduce the risk of credential theft.
Is using a password manager still considered best practice?
Chris Hallenbeck, CISO at Tanium, cautions that while password managers are good tools because they can generate an encrypted password for every application, they, too, require a strong master password.
Layer your security efforts
Traditional security models rely on a secure perimeter, trusting users and devices inside the network. However, this approach has limitations, especially with evolving threats and the rise of remote work and cloud computing.
To address these security gaps, organizations are adopting least privilege access and Zero Trust architecture to provide a more robust and adaptive approach to security, ensuring that access to resources is continuously verified and tightly controlled.
The concept of least privilege is simple: Employees should have access only to the applications and databases they need to do their jobs. For example, as organizations move to the cloud, they’ve tended to give many of the systems administrators access to all of the databases in the cloud. It’s best to break up the assignments based on the databases that the systems administrators need. That way, if a cloud database gets exposed, an attacker won’t have access to all the company’s systems.
Zero Trust operates on the principle of “never trust, always verify,” requiring continuous authentication and authorization for every access request. It assumes threats can come from anywhere and emphasizes strict access controls and continuous monitoring.
Learn how Tanium supports Zero Trust
Additionally, combining Zero Trust and least privilege with strong password policies and multi-factor authentication is key to creating a multi-layered defense strategy. MFA enhances security by pairing traditional password logins with third-party authenticator apps that users access via their smartphones. While some may argue that this multi-step process is less than “frictionless,” it has become common for both consumers and workers. Popular authentication apps like Cisco Duo, Google Authenticator, and Authy have become household names, making the process familiar and straightforward.
By integrating Zero Trust, least privilege, and MFA, organizations can create a comprehensive security framework:
- Zero Trust provides continuous verification
- Least privilege ensures minimal access
- MFA adds extra layers of protection
Together, these approaches help organizations proactively reduce cyber risks, protect sensitive data, and ensure compliance with regulatory requirements.
Rethink the traditional password
The good news is that the landscape of authentication is evolving even further in an attempt to keep pace with evolving threats. Enter passwordless authentication, a method that eliminates the need for traditional passwords altogether. Instead of typing and authenticating passwords, users can rely on passkeys—unique digital keys stored on their devices—or biometric methods such as fingerprint scans and facial recognition. These advanced techniques not only enhance security but also streamline the user experience, making it both secure and convenient.
Are biometrics and passkeys really safer than passwords?
Biometrics and passkeys are indeed considered safer than traditional passwords.
Biometrics, such as fingerprints and facial recognition, provide a unique and hard-to-replicate form of authentication.
Passkeys, which use cryptographic keys stored on devices, offer robust protection against phishing and credential-stuffing attacks. These methods eliminate the need to remember complex passwords and reduce the risk of password reuse.
However, these methods come with their own challenges and leave some authentication experts questioning if they’re really secure.
Biometrics can be compromised if the biometric data is stolen. Additionally, attackers can use AI-generated deepfakes, synthetic fingerprints, and voice cloning to trick biometric authentication systems.
While passkeys offer a robust alternative to traditional passwords, they require widespread adoption and compatibility across devices and platforms. Passkeys are also not entirely immune to attacks. One potential vulnerability is the use of phishing to trick users into revealing their passkey. Additionally, if an attacker gains access to a device where the passkey is stored, they can compromise the device and use it to authenticate themselves.
Although these challenges exist, the upsides are significant: biometrics and passkeys provide a seamless and secure authentication experience, reducing the reliance on solely using traditional passwords to enhance overall cybersecurity.
[Read also: The future is passwordless]
This shift towards passwordless authentication represents a significant evolution in password habits and underscores the importance of embracing new security measures to protect sensitive information in an increasingly interconnected world.
Educate and empower users
One of the most impactful ways to enhance password security is by regularly educating and empowering users about its importance. Providing ongoing training and resources is key to maintaining high standards of password security. Regular workshops, webinars, and interactive training sessions can keep users informed about the latest best practices and emerging threats.
However, this education must go beyond simply telling users to create strong passwords; it must foster a real understanding of why these practices matter and how they protect both personal and organizational data. When users understand the risks associated with weak passwords, they are more likely to take proactive steps to secure their accounts. Additionally, gentle notifications and reminders about password hygiene can reinforce good habits and reduce the likelihood of security breaches.
By investing in user education and empowerment, you create a security-conscious environment where everyone plays a role in protecting sensitive information. This proactive approach not only enhances password security but also builds a resilient defense against the ever-evolving landscape of cyber threats.
As we celebrate World Password Day, it’s the perfect time to strengthen your cybersecurity posture. Tanium offers comprehensive solutions that enhance password security and overall cybersecurity by providing full visibility and control over your endpoints, ensuring that the devices in your environment are secure and compliant.
Tanium helps identify and remediate vulnerabilities, including those related to password security, and supports the deployment and configuration of security measures, including multi-factor authentication, across your entire environment. This allows for consistent policy enforcement and the detection of compromised credentials in real time, better fortifying your defense against threats.
With Tanium Autonomous Endpoint Management, our advancements in automation capabilities streamline crucial areas like patch management and security workflows, reducing the time and effort required to manage and secure passwords proactively. When incidents occur, you can rapidly quarantine suspect or infected machines, accelerating response times and enhancing your ability to protect sensitive information.
Don’t wait for a breach to act. See how Tanium’s proactive approach to endpoint management and security helps mitigate risks associated with weak or compromised passwords, creating a more resilient IT environment that safeguards your digital assets. Schedule a personalized demo today.