🔒 World Password Day 2026
Keeping your organisation secure in a changing authentication landscape
Today, the first Thursday of May, is World Password Day, first established in 2013 by Intel to address the critical need for strong credential security. In a world where technology is increasingly integrated into our daily lives, passwords remain one of the primary lines of defence against cyber attacks. But the advice is changing fast, and 2026 brings some of the most significant shifts yet.
✅ The Basics. Do These Now
• Use three random words to create a password that is long enough and strong enough
• Turn on two-step verification (2SV) or multi-factor authentication (MFA) wherever possible
• Do not reuse passwords across different accounts
• Never share your password in an email
• Use a Password Manager to keep your credentials safe and unique
What's New in 2026: The NCSC's Big Shift
Last week at CYBERUK 2026 in Glasgow, the National Cyber Security Centre (NCSC), part of GCHQ, made a landmark recommendation: passkeys should now be the default way of logging in to online services where they are available. This is a striking departure from decades of advice focused on creating stronger and more complex passwords.
This follows the UK government's move to roll out passkeys across GOV.UK services in place of SMS verification. The NCSC still recommends a good password manager paired with two-step verification for services that have not yet added passkey support, but where passkeys are an option, the message is clear: use them.
What Makes a Good Password in 2026?
Length over complexity
The biggest shift in guidance over recent years is that length now matters more than complexity. Security experts and standards bodies, including the US National Institute of Standards and Technology (NIST) and the UK's NCSC, now agree:
• 📏 Aim for at least 15–16 characters (NIST recommends 15, CISA recommends 16)
• 💡 Passphrases, sequences of random words, are ideal: long, memorable, and hard to crack
• ❌ Forced complexity rules (upper case, numbers, symbols) are now considered outdated: they produce predictable patterns without meaningfully improving security
The NCSC's long-standing advice remains a simple and effective starting point: combine three random words to create a password (for example: applenemobiro). It is long enough to be strong, and easy enough to remember.
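As an added example (not code from the original post or from the NCSC), here is a password acceptance check written to the 2026 guidance above: a minimum length of 15 (the NIST figure quoted), a deny-list of common passwords, and deliberately no composition rules. The old-style complexity check is included beside it to show how the two policies disagree on "Password1" versus a long passphrase; the deny-list and the candidate passwords are constructed samples.

```python
import unicodedata

MIN_LENGTH = 15   # NIST recommends 15 characters; CISA recommends 16
MAX_LENGTH = 128  # allow long passphrases; only reject pathological input

# Constructed sample deny-list. In practice this would be a breached or
# common-password corpus (the page notes '123456' and 'password' still top the charts).
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}


def normalise(password: str) -> str:
    """Unicode-normalise so visually identical passphrases compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the reasons a password is rejected under the 2026-style policy.

    An empty list means the password is accepted. Note the absence of any
    upper/lower/digit/symbol requirement: length, not forced complexity,
    is what the current NIST and NCSC guidance rewards.
    """
    pw = normalise(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password deny-list")
    return reasons


def legacy_complexity_check(password: str) -> bool:
    """The outdated rule: 8+ characters with upper, lower and digit classes.

    It happily accepts 'Password1' and rejects a strong all-lowercase passphrase.
    """
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    for candidate in ["Password1", "pelicanjadecarpet", "123456"]:
        verdict = check_password(candidate) or "accepted"
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)} new={verdict}")
```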
Stop forcing regular password changes
Another key update: mandatory periodic password resets are no longer recommended. NIST and the NCSC both agree that forced resets every few months actually weaken security — users tend to make predictable, minor changes (Password1 → Password2) that are easy for attackers to anticipate. The guidance now is to change a password only when there is evidence of a compromise.
Use a Password Manager
With the average person managing around 100 passwords, a password manager is now considered essential rather than optional. It allows you to create and store complex, unique passwords for every account, secured behind a single strong master password, ideally with MFA enabled on the manager itself.
Multi-Factor Authentication (MFA)
MFA, requiring a second form of verification in addition to a password, significantly reduces the risk of unauthorised access, even if a password is stolen. The NCSC recommends enabling MFA across all sensitive systems and accounts, particularly those with privileged access.
Common MFA methods
• 📱 Authenticator apps (Microsoft Authenticator, Google Authenticator): generate a time-based code
• 💬 SMS codes: convenient but weaker than app-based MFA
• 🔑 Hardware security keys (e.g. YubiKey): the strongest option, a physical device is required
• 👆 Biometrics: fingerprint or face recognition built into devices
• 📧 Email-based one-time codes: accessible and phone-free
What about schools or organisations that don't allow personal phones?
MFA doesn't have to mean personal smartphones. There are several phone-free alternatives that work well in school and organisational environments:
• 🔑 Hardware security keys (e.g. YubiKey): plug into a USB port or tap via NFC, no phone needed. Can be issued to staff like library cards.
• 🔢 Hardware token fobs (e.g. RSA SecurID): small devices that display a rotating 6-digit code. Common for staff and admin use.
• 🪪 Smart cards / ID cards: existing staff or student ID cards can be configured as a second factor using chip-based authentication.
• 👆 Biometrics: fingerprint readers or facial recognition built into school devices (common on laptops and Chromebooks).
• 📧 Email-based verification: one-time codes sent to a school email account accessed on school computers. Less robust but far better than no MFA.
For most schools, a practical approach is to prioritise MFA for staff and administrator accounts, which hold access to sensitive data such as grades, safeguarding records, and finances, and to rely on strong passwords for student accounts where the risk profile is lower. In addition, schools may want to consider whitelisting school devices so that MFA on cloud accounts is only triggered when they are accessed from outside the school grounds. Note that Further Education establishments working towards Cyber Essentials would not be able to use this approach under the current question set.
The Future: Passkeys
Passkeys are rapidly becoming the recommended alternative to traditional passwords. Rather than a typed credential, passkeys use cryptographic keys tied to your device, authenticated via biometrics (fingerprint or face) or a PIN. They cannot be phished, cannot be stolen in a data breach in the traditional sense, and require no memorisation.
Major platforms now support passkeys natively: Windows, macOS, iOS, Android, ChromeOS, and all mainstream browsers. Microsoft has made passkey profiles generally available in Entra ID (Microsoft 365), giving administrators control over passkey policies for staff and students. Apple, Google, Microsoft, GitHub, PayPal and many others support passkey sign-in today.
What the UK Cyber Breaches Survey 2025/2026 Tells Us
Published on 30 April 2026, just days before World Password Day, the government’s annual Cyber Security Breaches Survey paints a sobering picture. Despite years of guidance and awareness campaigns, the fundamental threats have not changed, and many organisations are still not doing the basics.
📊 Key Statistics from the 2025/2026 Survey
• 43% of UK businesses and 28% of charities experienced a cyber breach or attack in the past 12 months — around 612,000 businesses and 57,000 charities
• Phishing was the most prevalent attack type: reported by 38% of businesses and 25% of charities
• Among organisations that experienced a breach, phishing was involved in the vast majority — and 51% of affected businesses said phishing was the only type of attack they experienced
• Only 47% of businesses have adopted two-factor authentication — meaning more than half have not
• Only 38% of charities use two-factor authentication
• 74% of businesses have a password policy in place — but implementation of stronger controls lags behind
• Only 5% of businesses report adherence to Cyber Essentials
Phishing is still the dominant threat
The survey confirms what security professionals have been saying for years: phishing remains the most reliable entry point for attackers, and it is getting harder to detect. Interviewees noted that phishing attacks have become easier for attackers to carry out, as AI tools make convincing fake emails and websites faster and cheaper to produce. The practical implication is clear: awareness training, MFA, and strong password practices are not optional extras. They are the frontline defence.
MFA adoption is still too low
Only 47% of businesses have implemented two-factor authentication, a figure that security experts describe as “surprising” given how long MFA has been recommended. The NCSC’s Cyber Essentials scheme is being updated this year to require MFA on all cloud services, meaning it will no longer be optional for organisations seeking certification. If your organisation has not yet enabled MFA on cloud services and staff accounts, now is the time to act.
Small organisations are going backwards
The survey found that modest gains in basic cyber hygiene recorded in 2024/2025 have not been sustained. Smaller organisations in particular are completing fewer risk assessments, maintaining fewer documented policies, and have weaker continuity planning than the previous year. Awareness of government campaigns is increasing — but awareness alone is not building resilience.
Key Risks to Be Aware Of
• 🎣 Phishing: fake websites and emails designed to steal your credentials. AI-generated phishing pages are now indistinguishable from the real thing. Passkeys remove this risk entirely.
• 💻 Credential stuffing: attackers use leaked passwords from one breach to try accessing other accounts. Never reuse passwords.
• ⚠️ Weak or common passwords: '123456' and 'password' remain the most used passwords globally in 2025. These are cracked instantly.
• 🔄 Keep devices up to date: patches fix vulnerabilities that attackers actively exploit.
• 🔒 Secure your device: use a strong password, PIN, or biometric lock.
⚠️ If You've Accidentally Filled Out a Phishing Email
• Let IT know as soon as possible: speed is critical
• Change the password for the affected account immediately
• Change any other accounts where you use the same password
• Check your account for any suspicious activity or changes
Our Guidance and Resources
Good password security is a crucial part of any organisation's cyber security culture. We have created a range of resources to help:
→ A Guide to Multi-Factor Authentication: where possible, turn on multi-factor authentication
→ Model Password Policy Template: consider creating a formal password policy (DPE Customers only)
→ Password Security Learning Nugget: train staff about password best practice (DPE Customers only)
→ Create a Strong Password: download awareness poster (DPE Customers only)
→ Keep it Strong – Keep it Long: download awareness poster (DPE Customers only)
→ Password Best Practice Library: general support and guidance (DPE Customers only)
Further Reading
The following authoritative sources provide the most up-to-date official guidance:
→ Cyber Security Breaches Survey 2025/2026 — official UK government findings
→ NCSC: Password Administration for System Owners
→ NCSC: Updating Your Approach to Passwords
→ NCSC: Multi-Factor Authentication for Online Services
→ GOV.UK: Password Guidance — Simplifying Your Approach
→ ICO: Password Guidance — consider password security in relation to data protection
Published on World Password Day — Thursday 7 May 2026. Guidance reflects the latest NCSC recommendations from CYBERUK 2026.
