IT Brief New Zealand - Technology news for CIOs & IT decision-makers
Experts warn passwords no longer protect against AI

Thu, 7th May 2026
Mark Tarre, News Chief

Cybersecurity experts are using World Password Day to warn that traditional passwords no longer provide reliable protection against increasingly automated attacks. Leaders from Reolink, Accenture, WatchGuard Technologies and KnowBe4 say organisations and consumers must rethink how they secure digital identities.

Their comments underscore the scale of the problem in Australia, where credential theft and account leaks remain common. Recent reporting shows 1.1 million accounts were leaked in Australia in the first quarter of 2026. Specialists say that exposure, combined with advances in artificial intelligence and malware, is eroding the value of password strength alone.

Nick Nigro, Vice President of Sales at Reolink Australasia, said the move away from factory-set credentials on consumer devices is part of that broader shift.

"As we mark World Password Day, it's worth remembering that passwords are fundamental to our digital safety. With recent reports showing Australia logged 1.1 million leaked accounts in Q1 2026 alone, it's clear that safeguarding our personal data has never been more critical.

"At Reolink, we believe your security system should be safe from the moment you plug it in. That's why we support the Australian Government's recent mandate to remove universal default passwords across consumer smart devices. Instead of relying on risky factory defaults, we require users to create their own unique passwords during setup," Nigro said.

He added that basic hygiene still matters for households managing a growing number of online accounts.

"Managing multiple logins can feel like a chore, but basic habits can drastically improve your digital safety. Since longer equals stronger, always use at least ten characters. Avoid real words, obvious names and birthdays. Instead, rely on random combinations of letters, numbers and symbols. If tracking these complex codes seems daunting, a password manager can securely generate and store them for you. Finally, always enable two-factor authentication (2FA). While it might require an extra step at login, that unique code sent to your phone provides a major additional layer of defence.

"Ultimately, the motivation for using strong, unique passwords is the same reason we use home security systems: safety, protection and peace of mind," he said.

While consumer advice still focuses on stronger logins, enterprise security leaders are increasingly blunt about the limits of passwords as a technology. Vik Desai, Global Cybersecurity Strategy and Risk Lead at Accenture, said artificial intelligence has changed the economics of credential theft.

"AI has turned every amateur hacker into an industrial-scale threat, and a 65-year-old technology - the password - is what's standing between them and your bank account, your medical records and your business systems. Passkeys are the solution, replacing passwords entirely with a secure credential tied to your device, such as your smartphone or laptop. The technology isn't the holdup. We are," Desai said.

Others argue attackers have already adapted by focusing on stolen logins rather than technical exploits. Anthony Daniel, Managing Director for Australia, New Zealand and the Pacific Islands at WatchGuard Technologies, said criminal groups now use valid credentials to slip past conventional defences.

"This World Password Day, the conversation needs to move beyond password strength to the growing reality that most credentials are already exposed and circulating online.

"Across Australia, where cybercrime is reported every six minutes, attackers are increasingly bypassing traditional intrusion methods altogether. Instead of breaking in, they are logging in with stolen credentials acquired through phishing and infostealer malware, allowing them to operate without triggering conventional security alerts.

"WatchGuard's latest threat intelligence shows how this shift is being enabled. Today, 96% of malware arrives over encrypted channels, while 23% is designed to evade traditional signature-based detection, making credential theft harder to spot and easier to scale.

"For Australian organisations, this changes the role of identity entirely. A valid login can bypass legacy controls, leaving businesses exposed if they lack visibility beyond the point of access.

"The focus now needs to shift from password strength to post-login detection. Multi-factor authentication remains essential, but it must be paired with continuous monitoring and behavioural analysis to identify when legitimate credentials are being misused. The question is no longer whether passwords will be compromised, but how quickly organisations can detect and respond when they are," Daniel said.

KnowBe4 specialists say organisations now need to treat identity as the new perimeter around critical services. They point to artificial intelligence and future quantum techniques as factors that further weaken short, predictable passwords.

"If you cannot use a password manager or MFA, create passphrases or a memorable formula, but aim for 25+ characters for human-created passwords to counter AI-assisted guessing and anticipated quantum risks," said Kawin Boonyapredee, APJ CISO Advisor at KnowBe4.

He said organisations should move beyond individual behaviour and embed identity-focused controls into infrastructure.

"Behavioural and organisational controls require phishing-resistant MFA across sensitive systems," Boonyapredee said.

He added that poor handling of machine identities and service accounts also creates risk.

"Use centralised key management for service accounts and rotate keys regularly. Do not store credentials in shared documents or plaintext," he said.

KnowBe4's advisers frame World Password Day as a prompt for concrete action on identity security, rather than awareness alone.

"World Password Day 2026 is a call to stop treating passwords as the perimeter and start treating identity as the perimeter: reduce password reliance, use long unique ones (25+ characters) when you must, adopt phishing-resistant MFA and passkeys, and make behavioural and risk-based checks part of every login. Small steps today greatly reduce the chance an attacker can simply 'log in as you'.

"This day matters because it creates a predictable, global moment to act - not later, not when an incident happens, but now. Regular reminders overcome human inertia: people and organisations are far more likely to adopt a password manager, enable phishing-resistant MFA, update recovery contacts or audit shared credentials when prompted by a recognisable event. That collective action reduces the pool of easily exploitable accounts, raises the baseline of resilience across services, and makes large-scale automated attacks such as credential stuffing and mass phishing less effective," Boonyapredee said.