
World Password Day 2026: Treat identity as the perimeter (and act like it)

By Dr. Martin Kraemer, CISO Advisor at KnowBe4

World Password Day is no longer just a nudge to pick stronger passwords; it is a moment to rethink identity. It is a call to stop treating passwords as the perimeter and start treating identity as the perimeter: reduce password reliance, use long unique ones (25+ characters) when you must, adopt phishing‑resistant MFA and passkeys, and make behavioral and risk‑based checks part of every login. Small steps today greatly reduce the chance an attacker can simply “log in as you.”

This day matters because it creates a predictable, global moment to act: not later, not when an incident happens, but now. Regularly scheduled reminders overcome human inertia: people and organizations are far more likely to adopt a password manager, enable phishing‑resistant MFA, update recovery contacts, or audit shared credentials when prompted by a recognizable event. That collective action reduces the pool of easily exploitable accounts, raises the baseline of resilience across services, and makes large-scale automated attacks such as credential stuffing and mass phishing less effective.

The evolving threat landscape

Criminals rarely need to “break in” anymore: they steal credentials via phishing, malware, or breached lists and simply log in, and reused passwords let them pivot across multiple services and platforms. At the same time, advances in AI are improving pattern‑based guessing and cracking tools, with real‑world tests suggesting AI can reduce the effective strength of non-random passwords by roughly two to five characters, and quantum techniques (e.g., Grover’s algorithm) would demand substantially longer random keys to maintain parity; defenders must plan for that trend. Finally, signals about user behavior at the moment of login, such as mouse movement and typing cadence, are increasingly valuable: risk‑based authentication and behavioral biometrics can detect anomalous activity and stop account takeovers before attackers succeed.

A practical 30-minute identity security checklist

The following is a practical checklist that takes 15 to 30 minutes to work through, with guidance on best practices:

  • Install and configure a password manager; import or create unique passwords for your top accounts
  • Turn on phishing‑resistant MFA or register a hardware security key/passkey for email, banking, cloud, and primary social accounts
  • Secure recovery options: update backup email addresses, phone numbers, and remove old devices from account lists
  • Pick your top five accounts (email, banking, main social, cloud storage, work) and secure them first
  • Check for breached credentials using manager/breach‑monitoring tools and rotate compromised passwords
  • Audit where passwords are stored physically – remove sticky notes; if a written record is necessary for a high‑value admin credential, lock it in a safe

Strengthening password security

To improve password security and stay protected against evolving cyber threats, it is recommended to follow these best practices:

  • Best practice: use a password manager to create truly random passwords that are 25+ characters long when possible. Bonus: you don’t have to memorize them.
  • If you cannot use a password manager or MFA: create passphrases or a memorable formula, but aim for 25+ characters for human‑created passwords to counter AI-assisted guessing and anticipated quantum risks.
  • Prioritize length and uniqueness over predictable complexity rules; AI is strong at pattern discovery, so avoid predictable schemes.
  • Where websites limit length, use MFA and passkeys; pressure vendors to support longer passwords and modern authentication standards.
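To make the length argument concrete, here is an added illustration (not the author's or KnowBe4's code) that generates a random password the way a password manager does and estimates the search space an attacker faces: raw, after the article's worst case of five characters lost to AI-assisted guessing of human-made passwords, and under Grover's square-root speedup. The 94-symbol printable-ASCII alphabet and the 7776-word passphrase list size are standard assumptions, not figures from the article.

```python
"""Password length vs. attacker capability, modelled on the article's figures."""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_WORDS = 7776  # assumed size of a typical passphrase word list


def random_password(length: int = 25, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password via a CSPRNG (never the `random` module)."""
    if length < 25:
        raise ValueError("article's guidance: 25+ characters for passwords you must keep")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random string, in bits: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, alphabet_size: int, human_made: bool, quantum: bool) -> float:
    """Bits an attacker must actually search.

    human_made: the string has human patterns; apply the article's worst case of
                five characters of strength lost to AI-assisted guessing.
    quantum:    Grover's algorithm searches N candidates in ~sqrt(N) steps, which
                halves the effective bit count.
    """
    attacker_length = max(length - 5, 0) if human_made else length
    bits = entropy_bits(attacker_length, alphabet_size)
    return bits / 2 if quantum else bits


def compare_policies() -> dict:
    """Rounded effective bits for the scenarios the article contrasts (worst case: AI + Grover)."""
    return {
        "12-char complexity-rule password, human-made": round(effective_bits(12, 94, True, True)),
        "6-word passphrase, human-chosen": round(effective_bits(6, DICEWARE_WORDS, True, True)),
        "25-char human-made password": round(effective_bits(25, 94, True, True)),
        "25-char manager-generated password": round(effective_bits(25, 94, False, True)),
    }


if __name__ == "__main__":
    print(random_password())
    for label, bits in compare_policies().items():
        print(f"{bits:4d} bits  {label}")
```

Only the manager-generated 25-character password keeps a comfortable margin once both penalties apply, which is the article's case for length plus true randomness.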

Behavioral and organizational controls

  • Require phishing‑resistant MFA across sensitive systems.
  • Deploy risk‑based authentication and behavioral biometrics to detect unusual login rhythms and automatically prompt for extra verification or block access. Identity integrity is continuous, not one‑off.
  • Use centralized key management for service accounts and rotate keys regularly; do not store credentials in shared docs or plaintext.
  • Run phishing simulations and training so employees develop “street smarts” at the moment of login.
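The risk-based authentication decision described above, as an added toy example that is not KnowBe4's code or any vendor's product: a login attempt is scored on device familiarity, location familiarity and typing-cadence deviation from the user's own baseline, and mapped to allow, step up to extra verification, or block. The weights and thresholds are constructed for illustration.

```python
"""Toy risk-based authentication (RBA) engine: score a login, then allow / step_up / block."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class UserProfile:
    known_devices: set
    usual_countries: set
    cadence_samples: list  # historical mean inter-keystroke intervals (ms) for this user


@dataclass
class LoginAttempt:
    device_id: str
    country: str
    cadence_ms: float        # mean inter-keystroke interval observed while typing the password
    mfa_passed: bool = False  # did the user already complete phishing-resistant MFA?


def cadence_zscore(profile: UserProfile, observed: float) -> float:
    """Standard deviations between this login's typing rhythm and the user's baseline."""
    mu = mean(profile.cadence_samples)
    sigma = pstdev(profile.cadence_samples) or 1.0  # guard a flat baseline
    return abs(observed - mu) / sigma


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    """Additive score; each anomalous signal adds a constructed weight."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 30  # unfamiliar device
    if attempt.country not in profile.usual_countries:
        score += 30  # unfamiliar country
    if cadence_zscore(profile, attempt.cadence_ms) > 3.0:
        score += 40  # rhythm unlike this user: possible bot, replay or takeover
    return score


def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    """Below 30: allow. 30-69: require extra verification unless MFA already passed. 70+: block."""
    score = risk_score(profile, attempt)
    if score >= 70:
        return "block"
    if score >= 30:
        return "allow" if attempt.mfa_passed else "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample baseline and attempts.
    alice = UserProfile({"laptop-1"}, {"DE"}, [120, 125, 118, 122, 130])
    print(decide(alice, LoginAttempt("laptop-1", "DE", 124)))        # allow
    print(decide(alice, LoginAttempt("phone-9", "DE", 124)))         # step_up
    print(decide(alice, LoginAttempt("phone-9", "XX", 200)))         # block
```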

Common identity security mistakes to avoid

  • Reusing passwords across sites, where a breach at one service becomes a door for many
  • Relying on SMS‑based MFA when phishing‑resistant options exist
  • Ignoring account recovery paths – old phone numbers or emails often provide an easy takeover route
  • Leaving written passwords visible – physical security still matters

In conclusion, World Password Day is more than a reminder: it’s a call to reclaim control over your digital identity. Take decisive action now: install a password manager, enable phishing‑resistant MFA or passkeys on your most important accounts, secure recovery routes, and start using 25+ character unique passwords (or let a password manager do it for you).

Every small step you take reduces the chance that an attacker can simply “log in as you” and raises the cost for adversaries targeting everyone else. Make this World Password Day the turning point where you stop defending networks and start defending identities, because in today’s threat landscape, identity is the perimeter and your behavior at login is one of your strongest lines of defense.
