World Password Day 2026: Eight security experts on the end of the password era, AI-driven attacks, and why passkeys are no longer optional.
May 7 is World Password Day, normally an occasion to remind everyone that passwords should be at least 16 characters long and mix upper- and lowercase letters, digits, and special characters. Normally. This year, eight security experts agree on one thing: in 2026 that message misses the mark, not because it’s wrong, but because passwords are simply the wrong tool for the job they’re supposed to do.
Attackers don’t break in anymore — they log in
“Hackers don’t break in anymore — they just log in.” Patrick Fetter, Lead Sales Engineer and Cyber Security Evangelist at Check Point Software, cuts to the chase. The threat landscape has evolved into an industrialized Cybercrime-as-a-Service (CaaS) economy, fueled by generative AI. A 16-character password is useless if infostealer malware extracts it directly from the browser cache, or an employee pastes it into an uncontrolled AI chatbot.
The numbers back this up: The Verizon Data Breach Investigations Report 2025 analyzed more than 22,000 security incidents and found that stolen credentials were the initial attack vector in 22% of confirmed breaches — rising to 88% for web application attacks. Rich Greene, Instructor at the SANS Institute, adds that an IBM X-Force report recorded an 84% year-over-year increase in infostealer malware spread via ordinary phishing emails. This isn’t sophisticated zero-day exploitation. It’s commodity malware.
The dark web has professionalized — and prices are alarmingly low
What gets harvested from compromised devices lands on the market fast. According to Fetter, the dark web has undergone a major platform shift: traditional forums increasingly serve only to establish reputation, while buyers are funneled into private Telegram channels and automated bots for instant transactions. A hacked Facebook account goes for around $45; a Gmail login for $60–65. Verified online banking accounts with high balances can fetch over $1,170. The most lucrative market belongs to Initial Access Brokers (IABs): according to Rapid7, average IAB base prices sit around $2,700, with administrative access commanding over $113,000.
On top of that, infostealer malware subscriptions such as LummaC2 or RedLine cost between $100 and $1,024 per month, making mass password harvesting cheaper than ever, even for novice cybercriminals.
AI makes phishing alarmingly effective
AI doesn’t just lower the barrier to entry — it dramatically improves attack quality. Personalized AI-driven phishing-as-a-service packages are sold on Telegram for under $100 a month. The result: AI-generated phishing emails achieve click-through rates of up to 54%, compared to roughly 12% for traditional phishing, according to a Brightside AI study. The most common trick remains the fake IT request for a password reset or a fraudulent VPN portal — now perfectly worded, typo-free, and highly targeted.
Tomer Bar, Associate VP of Security Research at Semperis, explains the mathematical core of the problem: a ten-character password sounds secure — the full search space covers around 5.4×10¹⁹ combinations, meaning a brute-force attack would theoretically take 1,700 years. But people don’t create truly random passwords. They fall back on predictable patterns: capital letter up front, a year in the middle, a special character at the end. Experienced attackers exploit exactly this predictability. The effective search space shrinks to roughly 100 trillion combinations — which a high-end GPU can exhaust in minutes.
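The keyspace arithmetic behind Bar's argument, as an added illustration that is not part of the original article: it reproduces the full 10-character search space and the 1,700-year figure (assuming 94 printable characters and 10^9 guesses per second, the rate that yields that figure), then computes the much smaller space of a constructed structural mask of the kind he describes (capital first, lowercase word, a year, a trailing special character). The year range and character-class sizes are assumptions for the model.

```python
import math

# Character classes on a US keyboard: 26 upper, 26 lower, 10 digits, 32 specials.
CLASS_SIZE = {"U": 26, "l": 26, "d": 10, "s": 32}
YEARS = range(1950, 2030)            # assumption: users pick a birth year or a recent year
SECONDS_PER_YEAR = 365.25 * 86400

def full_keyspace(length, alphabet=94):
    """Uniform random choice of any printable ASCII character (minus space) per position."""
    return alphabet ** length

def pattern_keyspace(mask):
    """Keyspace of a structural mask: U upper, l lower, d digit, s special, Y a 4-digit year.
    Each mask letter stands for one position except Y, which consumes four characters."""
    total = 1
    for c in mask:
        total *= len(YEARS) if c == "Y" else CLASS_SIZE[c]
    return total

def mask_length(mask):
    """Password length implied by a mask (Y counts as four characters)."""
    return sum(4 if c == "Y" else 1 for c in mask)

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR

def entropy_bits(keyspace):
    """Information content of a uniform choice from the keyspace."""
    return math.log2(keyspace)

def compare(mask, guesses_per_second):
    """Full vs. pattern-constrained space for a password of the mask's length."""
    full, pat = full_keyspace(mask_length(mask)), pattern_keyspace(mask)
    return {"full_bits": entropy_bits(full), "pattern_bits": entropy_bits(pat),
            "full_years": years_to_exhaust(full, guesses_per_second),
            "pattern_seconds": years_to_exhaust(pat, guesses_per_second) * SECONDS_PER_YEAR}
```

For the constructed mask "UllllYs" (ten characters, e.g. a capitalised five-letter word, a year and a symbol), compare() shows about 35 bits of effective entropy against 65.5 bits for the full space, and seconds instead of centuries at the same guess rate.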
Passkeys: the technology is ready — but so are the hurdles
The good news: alternatives exist. Alexander Summerer, Head of Authentication at Swissbit, explains why passkeys matter: they’re based on asymmetric cryptography and cryptographically bound to a specific domain, which makes them inherently phishing-resistant; a passkey simply cannot be used on a spoofed site. Sven Kniest, VP Central & Eastern Europe at Okta, adds that passkey logins are on average 20% faster, and since no password exists, there’s nothing to steal, keylog, or brute-force.
According to the FIDO Alliance, 69% of consumers now own at least one passkey. Google reports over 800 million passkey-enabled accounts and 2.5 billion passkey sign-ins. This is no longer theoretical. That said, Rich Greene urges pragmatism: legacy infrastructure, local Active Directory, shared workstations, and older devices without TPM or biometric hardware pose real challenges. Account recovery, credential delegation in large organizations, and cross-platform interoperability remain unsolved. “The direction is right, but the path will be messy for many organizations,” says Greene.
AI agents as a new identity challenge
A fundamentally new dimension is emerging: Mark Molyneux, Field CTO at Commvault, points to the “identity tsunami” created by AI agents. McKinsey reportedly grew from 40,000 to 65,000 identities in two years; the difference of 25,000 is AI agents. Each requires a managed identity, access rights, and credentials, all of which must be protected as rigorously as human accounts. Shadow AI agents introduced by business units without IT oversight are particularly dangerous. Molyneux calls for backup, recovery, and integrity assurance that keeps pace with AI capabilities.
What organizations need to do now
Expert recommendations converge on a few clear actions: adopt passwordless authentication and FIDO2; implement an identity-centric zero trust model combining EDR with ITDR; control the AI browser vector — traditional DLP tools fail when employees paste sensitive data into ChatGPT; and continuously monitor the dark web and Telegram to intercept traded credentials before IABs resell them to ransomware groups.
Martin Zugec, Technical Solutions Director at Bitdefender, delivers the sharpest verdict: “World Password Day should be renamed — to World Password Replacement Day.” Passwords didn’t fail because users are careless. They failed because requiring people to memorize dozens of complex credentials that must constantly change exceeds human cognitive capacity. The result: “Password1!” on a Post-it note.
Bottom line: passwords aren’t dead, but they’re no longer sufficient. Every passkey that replaces a password eliminates an attack surface. Security teams should deploy fewer passwords, implement phishing-resistant MFA everywhere, and move toward passwordlessness, as pragmatically as possible and as quickly as is responsible.
Carolina Heyder is a business analyst and moderator with extensive experience in the German and international IT market. She has worked for many years at renowned European trade publishers such as WEKA Fachmedien, Vogel IT Medien, Springer, and Aspencore. She creates content for both web and print media and is an expert in front of the microphone and camera. Thanks to her fluency in German, English, and Spanish, as well as her Chilean roots, she brings a global and intercultural perspective to topics such as cybersecurity, artificial intelligence, digital transformation, sustainability, and other key areas of the IT sector.