Today is World Password Day, a perfect time to remind everyone (your users and yourself) that password hygiene still matters in 2025.

If you're not sure what World Password Day is...

Each year on the first Thursday in May, World Password Day is a reminder of the importance of good password hygiene. Mark Burnett first recommended it in his book Perfect Password: Selection, Protection, Authentication. Eight years later, Intel officially recommended that the first Thursday in May be designated as World Password Day, and it has been observed ever since!

Years ago, I remember a Spiceworks Partner was using the tagline “passwords are like underwear.” Part of that was because you should change them often. But is that still the case today?

For years, we’ve heard how we’re shifting toward a passwordless future, especially with the rise of passkeys, biometrics, and hardware tokens. While they are obviously not gone, are passwords actually on their way out?

My assumption is… not quite. Legacy systems and outdated applications will probably still have them for years (and years) to come.

Are you moving away from passwords? If so, what are you moving towards?
  • Biometrics
  • Hardware tokens
  • Passkeys
  • Single Sign-On (SSO)
  • Smart cards
  • Still using passwords but with 2FA or MFA
  • One-time passwords (OTP or TOTP)
  • Still primarily using trusty ol’ passwords
  • Other, tell us below

And it is me, so you know I have to end on a meme… share 'em if you got 'em!

17 Spice ups

If I ever could, I would design a security system that would utilize DNA, heart rate and iris systems. DNA (like police DNA), heart rate (multiple checks to ensure it is a live human being trying to log in) and iris systems (checking your eyes etc).

Triple layer of checks and balances. Of course no system is perfect, and this one would have holes. But if I could design a system without passwords, something similar to a triple system that would be relatively easy and pain free for the user (of course, nothing is pain free) :slight_smile:

5 Spice ups

At the rate things are going, it won’t be long.

5 Spice ups

To paraphrase Churchill: “Passwords are the worst form of security. Just like all the others.”

8 Spice ups

10 Spice ups

So does this mean I need to change my password once a week now?

8 Spice ups

I get so tired of passwords. I said I’d rather just have a hardware token; coworkers thought I was nuts, because then if you lose it you lose access to everything. I don’t see it any different than how I would handle a credit card: if I lose it then I have to reset everything or call support. I’d rather chance spending 2 hrs on a phone than more than that on stupid passwords and MFA over years.

7 Spice ups

Microsoft no longer recommends regular password updates so, no, passwords are not like underwear (unless you’re someone who never changes your underwear).

Password guidelines for administrators

The primary goal of a more secure password system is password diversity. You want your password policy to contain lots of different and hard to guess passwords. Here are a few recommendations for keeping your organization as secure as possible.

  • Maintain a fourteen-character minimum length requirement
  • Don’t require character composition requirements. For example, *&(^%$
  • Don’t require mandatory periodic password resets for user accounts
  • Ban common passwords, to keep the most vulnerable passwords out of your system
  • Educate your users to not reuse their organization passwords for non-work-related purposes
  • Enforce registration for multi-factor authentication
  • Enable risk based multi-factor authentication challenges
7 Spice ups

@A.E.Neuman AND @tim-smith you should not care because, “What me worry?”

5 Spice ups

Good point. I feel like the more often I have to change my password, the more formulaic it is, so that I can remember all of the changing parts.

6 Spice ups

So then if I have a crappy password, hackers would leave me alone like I had crappy underwear?

6 Spice ups

Bullet point password requirements are stupid.

Password evaluation should be dynamic and based on calculated difficulty of cracking.

Of course, you might not want to load 800 kB of code into your app for a password evaluation operation that may be used only once, if ever. So you either need to direct to a webview or dynamically load the code on demand.

Better yet would be for the OS or browser to provide the function and allow the app to hook into it when needed.

4 Spice ups

So, they’re more like toothbrushes. You still change them out every so often, and you don’t share them with others.

9 Spice ups

This is no longer recommended. The reason is that people are basically lazy when it comes to password security. When presented with creating a password, they use a simple name from a child or pet with the number from that child’s or pet’s birth year or day, and the special character is almost always "!" Like Fido2019!
So when these people are then required to change that same weak password, they change one character… Fido2020!

6 Spice ups
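
The guideline list quoted earlier in the thread (length minimum, no composition rules, banned common passwords) and the Fido2019! to Fido2020! pattern described in the post above can be checked together at password-change time. The following is an added example, not code from Microsoft or from any poster; the banned list, the substitution map and all function names are constructed for illustration.

```python
import re

MIN_LENGTH = 14  # minimum length from the quoted guideline list

# Constructed sample; a real deployment would load a much larger banned list.
BANNED_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "spiceworks"}

# Constructed map of common character substitutions back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Reduce a password to its base word.

    Lower-case it, strip the trailing run of digits and symbols (the
    "2019!" part), then undo common substitutions in what is left.
    """
    base = re.sub(r"[\d\W_]+$", "", password.lower())
    return base.translate(LEET)


def check_password(new, previous=None):
    """Return a list of violations; an empty list means accepted.

    No character-composition rule is applied, per the guideline list.
    `previous` is the old plaintext the user supplies when changing a
    password; it is only available at that moment, never from storage.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    base = normalize(new)
    if base in BANNED_BASE_WORDS:
        problems.append("banned_common")
    if previous is not None and base == normalize(previous):
        problems.append("trivial_variation_of_previous")
    return problems


if __name__ == "__main__":
    for new, old in [("Fido2020!", "Fido2019!"),
                     ("Welcome123456789!", None),
                     ("correct horse battery staple", None)]:
        print(repr(new), check_password(new, old))
```

Note that a long password such as `Welcome123456789!` passes the length rule and is still rejected, which is why the banned-list check runs on the normalized base word rather than on the raw string.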

I’m in the process of closing on a home and I was emailing the home insurance agent. He needed my SSN and wanted me to call him. Thanks to CreditKarma/CapitalOne/HaveIBeenPwned/Google/Microsoft/et al., I know that the “bad guys” already have my SSN, and my credit is locked anyhow, so I just emailed it to him. I did request that he delete it and then permanently delete it after that. I know it still exists in backups and logs and probably 50 other “transitory” places, but the people with the skills to get it from those places either already have it or will pay the 0.2 Bitcoin to buy it as part of a list.

5 Spice ups

Everyone wants to see them?

5 Spice ups

I almost forgot to add this, but @batmelek posted this in a different topic not too long ago, and I thought it would be perfect for today.

10 Spice ups

@Sean-Spiceworks

6 Spice ups

That reminds me of the Password Game that @Stay_Dandy posted about a few years ago:

https://neal.fun/password-game/

6 Spice ups

I gave up. Had to do a reverse image search but found the country.

6 Spice ups