Making a password easy to remember, or using the same one in multiple places, can put holes in your security. Over the past 10 years, 31% of data breaches were linked to credentials obtained through weak, reused or stolen passwords. Safeguarding ourselves from these attacks means implementing password best practices and protection.
In honor of World Password Day, we have compiled a list of professionals’ insights on the best password practices. We hope you find their thoughts enlightening.
Reputable Password Managers
From what I’ve observed in the SaaS industry, password managers have become incredibly sophisticated and secure, especially when combined with biometric authentication – I personally use one to manage over 200 unique passwords across our development environments. While no system is completely foolproof, I’ve found that reputable password managers with end-to-end encryption actually provide better security than trying to remember complex passwords manually.
As someone who’s built security-focused WordPress plugins, I’ve seen firsthand how AI-powered attacks are getting scarier – they’re now smart enough to guess patterns in how people modify their common passwords. From my experience leading dev teams, I’ve found password managers like Bitwarden to be a game-changer, especially when combined with biometric authentication on company devices. While I used to be skeptical, I now believe passwordless login systems using fingerprints or face ID are actually more secure than traditional passwords, since my teams have had zero compromises since implementing them last year.
Joshua Odmark, CIO and Founder, Local Data Exchange
Password managers are a game changer. When used right, they’re far more secure than relying on memory or storing passwords in browsers. They generate strong passwords and keep them encrypted — just make sure the manager itself is protected with a strong master password and two-factor authentication.
Vishal Shah, Sr. Technical Consultant, WPWeb Infotech
Password managers are essential security tools. At tekRESCUE, we’ve rescued numerous clients after breaches, and those using password managers consistently experience fewer compromises. The tradeoff of memorizing one complex master password versus dozens of weak ones is a no-brainer for security.
Randy Bryan, Owner, tekRESCUE
Protect Against AI-driven Cyberattacks With Password Security
I believe that password security remains a critical issue. Common mistakes include using weak or reused passwords, which make accounts vulnerable. Strong, unique passwords for each account are essential. While changing passwords frequently isn’t as necessary if they are strong, multi-factor authentication (MFA) should be used to enhance security.
Password managers are safe and very useful for managing complex passwords. Biometrics and passwordless logins offer greater convenience and security, but are not entirely risk-free. Looking ahead, AI-driven cyberattacks will increase, making it essential for companies to adopt strong encryption, MFA, and continuous employee training on best practices for password security.
Amit Doshi, Founder & CEO, MyTurn
Emerging threats in 2025 include sophisticated phishing attacks, credential stuffing, and AI-driven brute-force techniques using advanced machine learning algorithms. Increased risks around biometric data also demand secure management practices to prevent exploitation.
To protect passwords effectively, companies should implement strong security measures, including complex password policies, multi-factor authentication, regular audits, and proactive monitoring. Advanced cybersecurity tools that detect unusual activities or compromised credentials are crucial.
Employees should receive interactive, scenario-based training emphasizing real-world threats. Regular awareness sessions, simulated phishing exercises, and clear guidance on password management can significantly reduce risks and strengthen overall cybersecurity.
Adrian Ghira, Managing Partner & CEO, GAM Tech
As a cybersecurity professional and founder of a document intelligence startup, I’ve seen that password habits are still stuck in the past. People reuse passwords, skip multi-factor authentication (MFA) if not forced to use it, and assume password managers are risky, when in fact they’re one of the safest tools available if used correctly. In 2025, phishing and session hijacking are getting more sophisticated with advancements in AI, which means security needs to be proactive and layered. Companies should prioritize reviewing their MFA policies to make sure they’re not creating loopholes. MFA is a great step, but it’s not a silver bullet. If companies don’t audit how and where MFA is used, they can still be compromised through SIM swapping, or simply by an attacker compromising a corporate email account and then the less secure personal email account that is used for MFA.
Ian Garrett, Co-Founder & CEO, Phalanx
In 2025, AI-driven phishing and credential stuffing attacks remain major emerging threats. Companies must not only encrypt passwords properly but also monitor for breaches, encourage MFA adoption, and educate users about recognizing phishing attempts.
Sergiy Fitsak, Managing Director, Fintech Expert, Softjourn
When to Change Your Passwords
I discovered that enforcing password changes every 60 days can actually backfire, leading employees to use weaker, more predictable passwords like ‘Summer2024!’ or just adding numbers sequentially. Instead, I now recommend implementing multi-factor authentication and only requiring password changes when there’s suspicious activity or a known breach – this approach has significantly improved both security and user compliance in our organization.
Andrew Dunn, Vice President of Marketing, Zentro Internet
The advice on frequent password changes has shifted. Instead of scheduled changes, focus on creating strong passwords and changing them only if compromised, or you suspect suspicious activity. It’s like changing the locks on your house – you wouldn’t do it every month, but you would if you lost a key.
Steve Fleurant, CEO, Clair Services
Rather than focusing on arbitrary password change periods, companies should invest in multifactor authentication with context-aware controls. We implemented this for a membership association with 50,000+ members, triggering additional verification when access patterns change. Their unauthorized access attempts dropped by 83% in three months while reducing user frustration from constant password resets.
Warren Davies, Director & Owner, BeyondCRM
Biometrics and Passwordless Logins With Safeguards
Biometric authentication and passwordless login options (such as security keys) dramatically reduce password fatigue. Layering these with Multi-Factor Authentication (MFA) ensures that even if they fail, accounts stay secure.
James Bowers II, Chief Security & Compliance Architect, Input Output
Biometrics and passwordless login systems are changing how we approach security and convenience. Biometric methods like fingerprint and facial recognition add extra protection, though no system is completely foolproof. Passwordless options, using tools like multi-factor authentication (MFA) or cryptographic keys, make it harder for hackers to succeed with phishing or stolen credentials. Still, companies must ensure these solutions are strong and secure against new threats.
Robbert Bink, Founder, Crypto Recovers
As for passwordless login systems, such as biometric authentication, they are gaining traction but not without concern. These systems are much more convenient and can be more secure when implemented correctly, provided user data is stored and transmitted securely. However, they also carry unique risks, such as the potential for biometric spoofing or data breaches if sensitive biometric data is compromised. The emerging threat landscape around password security in 2025 points to an increase in cyber-attacks targeting multifactor authentication (MFA) protocols, which makes it important for organizations in our sector to remain vigilant and regularly update their security practices.
Allan Murphy Bruun, Co-founder and Director of Business Development, SimplerQMS
Phishing-resistant authentication will become the standard. Most major operating systems currently support passkey authentication. Apple has supported passkeys since iOS 16 for iPhones and macOS Ventura for Macs. Google rolled out passkey functionality for Chrome on Android, Windows, and macOS. We expect to see greater passkey adoption in the coming years as Microsoft, Apple, and Google continue to encourage user adoption as we progress towards a passwordless future.
In the US Federal Government Zero Trust strategy, agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems. The key benefits of passkeys over passwords include:
- Improved Security: Passkeys offer a strong defence against phishing vulnerabilities. Unlike passwords or passphrases, they cannot be guessed, reused, or stolen, making them highly resistant to phishing attacks.
- Simplified Accessibility: Logging in with a passkey is quick and user-friendly. Methods like facial recognition, fingerprint scanning, or PIN ensure a hassle-free experience.
- Enhanced Protection from Breaches: Passkeys eliminate risks associated with server-stored passwords. Even during a data breach, hackers cannot access passkeys.
- Advancing a Password-Free Digital World: Passkeys support the vision of a future without passwords, paving the way for a more seamless and secure online experience.
Having stated the above, passwords are not going away soon as it will take time for websites and applications to support passkey authentication. In the interim, we will continue to see passwords increasingly supplemented by other forms of authentication such as biometrics and MFA.
Kelvin Lim, Senior Director, Head of Sales Engineering (APAC), Black Duck
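The phishing resistance described in the list above comes from the browser binding the page origin and the server's challenge into every passkey assertion. The following is an added example, not code from the page or from Black Duck: a stdlib-only server-side check of the WebAuthn clientDataJSON and authenticatorData, assuming a relying party at accounts.example.com (a constructed value); the signature over these bytes still has to be verified against the stored public key, which is left to a full WebAuthn library.

```python
import base64
import hashlib
import json
import struct

# Values the relying party (server) knows; constructed for this example.
EXPECTED_ORIGIN = "https://accounts.example.com"
EXPECTED_RP_ID = "accounts.example.com"
FLAG_UP, FLAG_UV = 0x01, 0x04  # authenticatorData flag bits: user present / user verified

def b64url_decode(data: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def check_client_data(client_data_json: bytes, expected_challenge: bytes) -> None:
    """The browser records the page origin in clientDataJSON, so an assertion
    produced on a look-alike domain fails here; the challenge check stops replay."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(cd["challenge"]) != expected_challenge:
        raise ValueError("challenge mismatch (stale or replayed assertion)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {cd.get('origin')!r}")

def check_authenticator_data(auth_data: bytes, last_sign_count: int) -> int:
    """Check rpIdHash, presence/verification flags and the signature counter."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, (sign_count,) = auth_data[:32], auth_data[32], struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not (flags & FLAG_UP and flags & FLAG_UV):
        raise ValueError("user presence and verification (biometric/PIN) required")
    if sign_count != 0 and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    return sign_count

def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes, last_sign_count: int) -> int:
    """Returns the counter to store; signature verification against the stored public key is left to a library."""
    check_client_data(client_data_json, expected_challenge)
    return check_authenticator_data(auth_data, last_sign_count)

def make_sample(origin: str, challenge: bytes, rp_id: str, flags: int, count: int):
    """Constructed sample messages, not captured from a real authenticator."""
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = json.dumps({"type": "webauthn.get", "challenge": chal, "origin": origin}).encode()
    ad = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return cd, ad
```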
Employee Training That Builds Stronger Habits
Employee training should move past just “make strong passwords” and show real-world attack examples. Teaching people how breaches happen — and how attackers think — builds much stronger habits than just handing out a policy document.
Vipul Mehta, Co-Founder & CTO, WeblineGlobal
Working with dozens of ERP implementations, I’ve noticed that password reuse across business systems is still the biggest security weakness – just last month one of our clients had three accounts compromised this way. We now require all our consulting clients to use enterprise password managers and enforce 2FA, which has cut security incidents by about 90% in the past year. For employee training, I’ve found that sharing real examples of breaches and their consequences works better than generic security policies – it makes the risks feel more real and personal.
Karl Threadgold, Managing Director, Threadgold Consulting
Regarding training effectiveness, we’ve abandoned annual cybersecurity seminars in favor of simulated phishing campaigns with immediate feedback. This approach reduced password-related security incidents by 67% across our healthcare clients. The key is making training interactive rather than theoretical—have employees practice creating strong passphrases during sessions and test them immediately.
Joe Dunne, Founder & Owner, Stradiant
With new threats emerging in 2025 – especially AI-enhanced phishing and credential attacks – it’s more important than ever to combine technology with training. That’s why we help companies build a culture of cybersecurity through layered protections, practical tools, and everyday language that makes tech feel a little less intimidating.
Eric Van Overmeiren, Lead IT System Administrator, GO Technology Group
Security Beyond the Password
Companies should enforce zero-trust security policies and apply the principle of least privilege. They should only give users the level of access they need and frequently audit the users and their privileges within systems. Two-factor authentication should be mandatory, as should very strong, very long, and truly random passwords using the maximum number of available characters. Session length limits should be short and no longer than necessary.
Dan Knauss, Sr. Solution Architect, Multidots
Organisations should implement modern authentication standards (FIDO2/WebAuthn), offer passkey support, enforce MFA, maintain proper password storage, monitor for compromised credentials, and implement risk-based authentication that considers login context.
Harman Singh, Director, Cyphere
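An added example, not code from the page or from Multidots or Cyphere, of three controls named in the two quotes above: proper password storage (salted scrypt with a constant-time comparison), monitoring for compromised credentials (a k-anonymity style breach check that only ever exports a hash prefix), and generating a truly random password at a site's maximum length. The breach corpus, the scrypt parameters and the example site limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Constructed corpus: SHA-1 of a few known-breached passwords ("Summer2024!" is the
# predictable rotation example quoted above). A real deployment queries a breach
# corpus by hash prefix so the password itself never leaves the server.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "Summer2024!", "123456", "qwerty")}
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumption: tune so one hash costs ~100 ms

def is_compromised(password: str) -> bool:
    """k-anonymity style check: only the 5-char hash prefix would be sent out;
    the full suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_reply = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}  # simulated lookup
    return suffix in range_reply

def hash_password(password: str) -> str:
    """Salted, memory-hard hash; parameters stored alongside so they can be raised later."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, dklen=32, maxmem=64 * 2 ** 20, **SCRYPT_PARAMS)
    return "scrypt${n}${r}${p}${salt}${key}".format(salt=salt.hex(), key=key.hex(), **SCRYPT_PARAMS)

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    algo, n, r, p, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r),
                         p=int(p), dklen=32, maxmem=64 * 2 ** 20)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def register(password: str) -> str:
    """Refuse passwords already seen in breaches, then store only the scrypt record."""
    if is_compromised(password):
        raise ValueError("password appears in a known breach; choose another")
    return hash_password(password)

def generate_password(max_len: int, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Use the whole length a site allows, drawn from a CSPRNG, as recommended above."""
    return "".join(secrets.choice(alphabet) for _ in range(max_len))
```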
World Password Day is a timely reminder: passwords are only as strong as the device they’re stored on. As cybercriminals adopt a mobile-first attack strategy, mobile devices have become the front door to corporate access—and a primary target. Through mishing (mobile-targeted phishing), malware, and other tactics, attackers are stealing credentials by compromising the mobile endpoint. Strong passwords matter, but without securing the device, they’re not enough. Organizations need mobile-specific protection that can detect and stop threats before credentials—and critical data—are exposed.
Kern Smith, VP of Global Solutions at Zimperium