
By Jeannette Jarvis, Chief Business Officer, Cyber Threat Alliance
At the Cyber Threat Alliance, we see every day how interconnected our digital world has become and how much our collective security depends on the choices each of us makes. Passwords remain one of the most common entry points for attackers, yet they’re also one of the easiest places for individuals and organizations to strengthen their defenses. As part of our commitment to advancing shared resilience across the global cybersecurity community, we’re proud to support World Password Day and the movement to promote stronger, more consistent authentication practices.
World Password Day
World Password Day is an annual global awareness effort focused on improving password hygiene and promoting stronger authentication practices. Celebrated on the first Thursday of May, it encourages individuals and organizations to take meaningful steps to protect their digital identities.
This global moment aligns closely with the work of organizations like Nonprofit Cyber, which continues to champion consistent, evidence‑based guidance on password and authentication best practices. Their Common Guidance on Passwords, endorsed by more than 130 organizations, provides clear, actionable recommendations for strengthening credential security.
Passwords: Still a Growing Problem
Passwords have always been a major source of frustration — and the problem hasn’t improved. Recent analyses show that the average person now manages around 100 passwords, a number that has remained stubbornly high as our digital lives expand. With so many accounts to secure, it’s no surprise that many people reuse passwords across multiple platforms, often relying on predictable patterns or simple variations that attackers can easily guess.
This behavior has real consequences. Weak or reused passwords continue to be a leading cause of breaches. CTA member Panda Security published ‘40+ Password Statistics That Will Change Your Online Habits in 2025’, revealing alarming details about poor password hygiene, including that the most common password used globally is ‘123456’, used by millions of users.
The Breach Landscape: Still Escalating
The threat landscape continues to grow more complex. The 2025 Verizon Data Breach Investigations Report (DBIR) analyzed 12,195 confirmed data breaches. One 2025 leak alone exposed 16 billion stolen passwords, one of the largest compilations ever recorded. If you’ve received multiple breach notifications in the past year, you’re far from alone.
Passwords Alone Aren’t Enough
It is clear: passwords alone can’t carry the security burden.
Attackers have become faster and more sophisticated. AI‑accelerated cracking tools and other password cracking techniques can break even “complex” passwords in hours or days. Verizon’s 2025 DBIR reports that use of stolen credentials was the initial access vector in 22% of breaches, though several other sources place the figure significantly higher. Regardless of the exact metric, compromised credentials remain the leading cause of security breaches, outpacing techniques such as phishing and vulnerability exploitation.
What You Can Do Today
It’s apparent that we must continue to evolve our protection strategies to stay ahead of attackers’ evolving techniques.
The Common Guidance outlines practical steps to reduce your risk. One of the most important is adopting Multifactor Authentication (MFA). MFA adds a second layer of verification, such as a code, token, or biometric, making it dramatically harder for attackers to access your accounts. Even if your password is compromised, MFA can stop unauthorized access. The impact is undeniable: MFA makes accounts 99% less likely to be hacked. Yet adoption remains low. According to the Cyber Readiness Institute, as of 2024, 58% of small and medium‑sized businesses were unaware of MFA’s importance, and only 35% had implemented it.
CTA member Sophos notes in ‘Strengthening authentication with passkeys: A CISO playbook’ that while MFA is stronger than passwords alone, threat actors have discovered ways to circumvent it, and passkeys can be used as a phishing-resistant solution. The UK’s National Cyber Security Center (NCSC) has now officially endorsed passkeys as the default authentication standard, marking the first time it has told customers to move completely away from passwords. You can learn more about passkeys from CTA member McAfee’s article ‘What Is a Passkey and Is it Really Safe’, which notes that passkeys offer a meaningful step towards a safer and more manageable digital life.
CTA’s Recommendation
The Cyber Threat Alliance strongly encourages individuals and businesses to move beyond passwords by enabling MFA wherever possible, adopting passkeys where supported, following the Common Guidance on Passwords, and strengthening identity protection practices. These simple steps can dramatically reduce your risk and strengthen your overall security posture. Protect what matters – and since it’s World Password Day, take a moment today to refresh your passwords.

Facts Only

World Password Day is an annual global awareness effort held on the first Thursday of May.
The Cyber Threat Alliance (CTA) supports World Password Day to promote stronger authentication practices.
The average person manages around 100 passwords, often reusing them across multiple platforms.
Weak or reused passwords are a leading cause of data breaches.
A 2025 leak exposed 16 billion stolen passwords, one of the largest compilations recorded.
The 2025 Verizon Data Breach Investigations Report analyzed 12,195 confirmed data breaches.
Stolen credentials were the initial access vector in 22% of breaches, according to Verizon’s report.
Multifactor Authentication (MFA) makes accounts 99% less likely to be hacked.
As of 2024, 58% of small and medium-sized businesses were unaware of MFA’s importance, and only 35% had implemented it.
The UK’s National Cyber Security Center (NCSC) has endorsed passkeys as the default authentication standard.
The CTA recommends enabling MFA, adopting passkeys, and following the Common Guidance on Passwords.

Executive Summary

World Password Day, observed annually on the first Thursday of May, is a global initiative aimed at improving password hygiene and promoting stronger authentication practices. The Cyber Threat Alliance (CTA) supports this effort, emphasizing the persistent vulnerability of passwords as a common entry point for cyberattacks. Despite their weaknesses, passwords remain widely used, with the average person managing around 100 passwords, often reusing them across platforms. Weak or reused passwords are a leading cause of data breaches, with recent leaks exposing billions of stolen credentials. The 2025 Verizon Data Breach Investigations Report highlights that stolen credentials were involved in 22% of breaches, underscoring the inadequacy of passwords alone.
To mitigate risks, the CTA and organizations like Nonprofit Cyber advocate for multifactor authentication (MFA), which reduces the likelihood of account compromise by 99%. However, MFA adoption remains low, particularly among small and medium-sized businesses. Passkeys, a phishing-resistant alternative, are gaining traction, with the UK’s National Cyber Security Center endorsing them as the new default standard. The CTA recommends enabling MFA, adopting passkeys where possible, and following evidence-based password guidelines to enhance security.

Full Take

The narrative presented aligns with a broader push in cybersecurity to move beyond traditional passwords, emphasizing the urgency of adopting stronger authentication methods like MFA and passkeys. The strongest version of this argument is grounded in empirical data—passwords are a persistent weak point, with billions of credentials exposed in breaches, and MFA significantly reduces risk. However, the piece also highlights a critical gap: despite the clear benefits, MFA adoption remains low, particularly among smaller businesses. This raises questions about why such a proven solution isn’t more widely implemented—are barriers technical, financial, or cultural?
Patterns detected: none. The content avoids emotional exploitation or distortion, focusing on evidence-based recommendations. The root cause of the narrative is the growing sophistication of cyber threats and the inadequacy of legacy security measures. The implications are clear: individuals and organizations must evolve their practices to protect digital identities, but systemic challenges—like awareness and implementation gaps—persist. Bridge questions: What structural incentives could accelerate MFA adoption? How might passkeys reshape authentication if widely adopted? What role do tech giants play in driving or resisting these changes?
Counterstrike scan: If this were part of a coordinated campaign, the playbook might involve exaggerating the risks of passwords to push specific security products. However, the content aligns with established cybersecurity best practices and cites credible sources, showing no signs of manipulation. The focus on actionable solutions, rather than fearmongering, suggests a genuine effort to improve security hygiene.

Sentinel — Human

Confidence

The analysis is highly organized and grounded in specific industry data, indicating a human-driven synthesis of expert sources rather than purely synthetic generation.

Signals Detected
low severity: Natural variance in sentence structure; effective use of declarative and emphatic phrasing.
low severity: Strong, consistent narrative flow driven by a clear advocacy objective; contains specific, non-generic industry statistics.
low severity: Effective linking of internal claims to external, named sources (DBIR, NCSC, Sophos) without relying on vague attribution.
low severity: Claims rely on specific, verifiable (though referenced) statistics and known industry reports, suggesting careful citation rather than pure LLM confabulation.
Human Indicators
The text balances specific, real-world statistics (e.g., 16 billion stolen passwords, MFA adoption rates) with high-level advocacy, suggesting integration of specialized knowledge.
The specific referencing of multiple, distinct external bodies (CTA, Verizon, NCSC, Sophos) provides a dense, context-rich structure typical of human-curated reporting.