The first week of May is dedicated to the importance of passwords, a reminder of the security of a very important aspect of our online existence: our login details. As the world becomes increasingly networked, with our online presence holding precious personal, financial and professional information, protecting our passwords is not just common sense but essential. Much too often, in our haste or for convenience, we underestimate the importance of having robust, unique passwords for all our online accounts. We use trivial strings that are easy to remember but just as easy for attackers to work out. Or, worse, we use the same password on many sites, creating a vulnerable chain in which, if one weak link snaps, our whole digital trail is at risk.
The consequences of weak or reused passwords are severe: identity theft, compromised bank and credit card accounts, invasion of privacy, loss of precious data and reputational damage. In an ever-evolving cyber threat landscape that includes advanced phishing attacks, brute force and credential stuffing, relying on weak passwords means leaving your front door unlocked to burglars.
World Password Day reminds us that our safety online starts right at home. It is a call to adopt more responsible, proactive practices for our credentials. But what precisely does it mean, in concrete terms, to have good passwords? Let us begin with what a password needs to be. A good password should be long, complex and unique: a mix of upper- and lower-case letters, numbers and symbols, containing no words, names, dates of birth or any other readily accessible information. Setting that up for every account may look like a big challenge, but fortunately there are excellent assistants that make it easy: password managers.
The most important day in security
These secure applications let us generate and store complicated passwords in encrypted form, so that we can open all our accounts with a single master password. Beyond good passwords, two-factor authentication (2FA) or multi-factor authentication (MFA) is the minimum level of security. It adds a second factor, other than the password, that is required to access the account, e.g. a one-time code sent to our phone, a fingerprint or a face scan.
Even if someone manages to obtain our password, without the second authentication factor they will not be able to access our account. On World Password Day, 1 May, it is important to remember that protecting our passwords is a small gesture that can make a big difference in safeguarding our digital life. Sixty-five per cent of users reuse the same password on multiple sites, if not all of them, according to a Google and Harris poll from February 2019.
The most powerful attacks have shifted from CPUs to high-speed GPUs, some of which can test over a million password combinations per second, meaning that what once took years to crack can now be done in minutes with AI-powered tools. More than 24.6 billion username-password combinations circulate in cybercrime markets. Malware such as Lumma, malware-as-a-service (MaaS) platforms, info stealers, session cookie theft and Phishing-as-a-Service (PhaaS), which target MFA tokens and cryptocurrency wallets, are spreading via Telegram bots, making the theft of logins for bank accounts, email, cloud services, encryption, corporate VPNs and social media scalable and profitable.
The WebAuthn protocol
The WebAuthn protocol, which underpins passkeys (also called access keys), generates a pair of cryptographic keys, one public and one private, when a new account is registered. The public key is stored on the site's server; the private key stays on the user's device, together with the site name and user ID, and never leaves it. To log in, the server sends a random challenge, which is answered only if the user physically possesses the device and can prove possession of the private key by signing the challenge, typically after unlocking the device with a biometric check. Authentication is therefore still based on two factors, but neither of them is something the user knows: they are physical possession of the device and the biometric characteristics of the user. Unfortunately, however, theft of session cookies issued after a successful login remains an attack vector that can bypass WebAuthn.

On World Password Day 2025, Clusit, the Italian Association for Information Security, calls for the rapid replacement of traditional combinations of alphanumeric signs and symbols with multi-factor authentication (MFA) and biometrics. “Passwords are a risk that must be overcome,” says Alessio Pennasilico of Clusit’s scientific committee. “Cybercriminals only need a few seconds to crack even the most complex passwords, thanks to the use of advanced algorithms and the wide availability of databases of compromised credentials.”
The Clusit Report shows that in Italy last year, phishing and social engineering-based attacks soared by 35 per cent compared to the year before. “Solutions such as biometrics and MFA, now within everyone’s reach, free of charge, are now ‘information hygiene’ practices and must be considered the minimum base below which it is extremely dangerous to entrust our digital lives, whether personal or professional,” explains Luca Bechelli of the Clusit Steering Committee. Liveness detection (verifying that biometric characteristics are captured in real time directly from the person and not from reused digital material) hinders spoofing attempts, i.e. falsification through images or videos. “Today, entrusting multi-factor authentication services and biometrics with our digital security is the only possible form of security,” concludes Alessio Pennasilico.
A passwordless world
According to Gartner, 60 per cent of enterprises will abandon passwords by 2025, eliminating them in most use cases. “We need to move away from the dependence on passwords and shared secret codes. Passwords or passkeys are now the most robust solution for creating a future without passwords, phishing and hopefully large-scale security breaches,” says Chester Wisniewski, Director, Global Field CISO at Sophos. Google, Microsoft (with over a billion users) and Shopify are rolling out passkeys: cryptographic keys bound to biometric or device-based authentication.
Singapore and India are implementing passwordless digital identity systems for access to banking, insurance and healthcare. Relying solely on passwords is now anachronistic: more advanced solutions, such as biometric and passwordless authentication, which simplify access for the user while raising the level of protection, must be adopted. Companies must pilot passwordless systems built on biometrics, tokens or passkeys. They must also learn how to prevent password reuse and phishing. Continuous training, simulations, privileged access management (PAM) solutions and Zero Trust architectures are not so much ways to strengthen passwords as ways to reimagine a password-free future.