World Password Day 2026: The Credential Crisis Hasn’t Gone Away, It’s Just Got More Dangerous
World Password Day 2026 report reveals default credentials remain the largest credential exposure vector despite
Summary
A World Password Day 2026 analysis reveals that the credential crisis persists with default credentials accounting for ~60% of offensive security findings, outpacing weak password issues. While passkeys gain momentum and AI industrializes credential attacks through phishing and voice cloning, most organizations remain vulnerable due to poor access governance, unsecured credential storage, and lack of enforcement of access control policies. The report emphasizes that password strength alone is insufficient without proper privileged access management, least privilege enforcement, and continuous credential rotation across both human and machine identities.
Full text
Every year, World Password Day arrives with a familiar chorus: use longer passwords, don’t reuse them, enable multi-factor authentication, and every year, attackers walk straight through the same open doors. The advice hasn’t changed dramatically. The threat, however, has, and the gap between the two is wider than ever.

In 2026, the conversation around passwords sits at a genuine inflection point. Passkeys are gaining serious institutional momentum. AI is turbocharging credential attacks at an industrial scale. Machine identities are multiplying in ways that make human password hygiene look like a quaint footnote. And yet, in most organisations, the foundational problems remain stubbornly unsolved: default credentials left unchanged, credentials stored and shared insecurely, recovery routes left pointing at old phone numbers, and access governed by policy documents that nobody enforces.

We asked leading voices from across the security industry to share their thinking. The picture that emerges is urgent, honest, and sometimes uncomfortable.

The Credential Problem Isn’t About Password Strength

Let’s start with the headline finding that should make every IT team uncomfortable. According to Dragos Sandu, Product Manager at Pentest-Tools.com, whose team analysed findings from offensive security testing workflows since the start of 2026, the single biggest category of credential-related findings isn’t weak passwords at all.

“Looking at findings from real offensive security testing workflows since the start of the year, the single biggest category isn’t weak passwords. It’s default credentials. Roughly 60% of those findings came from services still running factory-default logins: FTP first, then RDP, Redis, HTTP-accessible admin interfaces, Telnet,” Sandu said. “That’s worth sitting with. These aren’t findings that require sophisticated brute-forcing or breach data. They require trying the credentials that came in the box.

“When weak passwords do appear, they follow the same pattern: FTP leads by a significant margin (60%), followed by HTTPS, Telnet, VNC, and SSH. Remote access and file transfer services, exactly the kinds of interfaces that get stood up, forgotten, and left exposed. The practical implication is that most organisations have already solved the password problem in the places they think about it: their corporate SSO, their email, their well-monitored identity layer. What they haven’t solved is the perimeter they don’t look at. A Redis instance with default credentials, reachable from a compromised workstation, isn’t in anyone’s password rotation policy. Neither is the FTP server that got stood up for a vendor transfer two years ago. Default credentials on network-facing services remain one of the most reliable paths to initial access and lateral movement that assessments consistently validate. They’re not glamorous. They show up in almost every environment we test.”

The Governance Gap: Why Credentials Keep Failing

Darren Guccione, CEO and co-founder at Keeper Security, has spent years watching organisations invest in security tooling while leaving access management as an afterthought. His assessment of where the real exposure lies is unsparing.

He explains, “Credentials remain the most exploited entry points in enterprise breaches – not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn’t just unlock an account. It hands an attacker a foothold for lateral movement, data exposure, and, in many cases, full environment takeover. Password strength alone is not the issue. The real exposure sits in how credentials are stored, shared, and governed across users, systems, and service accounts. This is where Privileged Access Management (PAM) becomes critical.

“Enforcing least privilege, rotating credentials, removing standing access, and introducing visibility over how credentials are used changes the risk profile entirely. Passkeys are gaining serious institutional momentum. The UK’s National Cyber Security Centre (NCSC) and US agencies, including CISA, are actively pushing phishing-resistant authentication aligned with FIDO standards – and adoption is already visible across public services. The direction is set. Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel. Strong passwords still matter. But without control over who can use them, when, and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function.”

AI Is Fundamentally Changing the Attack Surface

Perhaps the most significant shift in 2026 is how artificial intelligence is affecting credential attacks. Jack Cherkas, Global CISO at Syntax, describes a transformation that makes last year’s threat landscape look almost quaint.

He says, “World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialised credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale. Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius.

“When the next breach arrives, ‘we didn’t know who or what had access’ will not be acceptable as a defence. The fix is not novel. For organisations: phishing-resistant multi-factor authentication (MFA) and passkeys, single sign-on wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending; the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire. The organisations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.”

Kevin Higgins, senior consultant at Optiv, extends the argument to the machines themselves, saying, “World Password Day is no longer just about protecting people. It’s now also about protecting machines. As machine-to-machine communication accelerates, strong, frequently rotated credentials are essential to ensure trusted systems don’t execute malicious or compromised instructions. The challenge, however, is that many organisations still rely on static credentials. Long-lived API keys and persistent service account passwords create machine credentials with unlimited replay value. When credentials become permanent, compromise becomes persistent. If these credentials leak through logs, configuration files, AI, or repositories, attackers can impersonate trusted systems for extended periods without triggering the authentication signals typically associated with human access. Modern security requires a shift to short-lived, cryptographic identities, where every workload proves what it is through mechanisms like mutual TLS authentication and temporary identity tokens. This ensures every interaction is verifiable and resilient by design.

“The future of cybersecurity will be defined by how effectively we secure the machines that now act on our behalf, and passwords continue to play an important role in the evolving security journey.”

The Attack Sophistication Is
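Higgins’s contrast between a static API key with “unlimited replay value” and a temporary identity token can be made concrete. The following is an added illustration, not code from any of the quoted vendors: a minimal HMAC-signed workload token whose verifier enforces expiry, audience scoping and single use, so a token lifted from a log or a repository stops working within minutes instead of for years. The signing key, workload and audience names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, workload: str, audience: str, now: int, ttl: int = 300) -> str:
    """Mint a short-lived token for one workload, scoped to one receiving service.

    A static API key has no 'exp' and no 'aud': whoever holds it is trusted
    forever, anywhere. Here the claims bound what a captured token is good for.
    The signing key itself is an assumption; in practice it is held by the
    issuer only and rotated on its own schedule.
    """
    claims = {
        "sub": workload,             # which machine identity this is
        "aud": audience,             # which service may accept it
        "iat": now,
        "exp": now + ttl,            # replay window ends here
        "jti": secrets.token_hex(8),  # unique id so the token is single-use
    }
    body = _b64u(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64u(mac)}"


def verify_token(key: bytes, token: str, audience: str, now: int, seen_jti: set):
    """Return (ok, detail). Rejects forged, mis-scoped, expired and replayed tokens."""
    parts = token.split(".")
    if len(parts) != 2:
        return (False, "malformed")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        return (False, "bad signature")   # check before trusting any claim
    claims = json.loads(_b64u_decode(body))
    if claims.get("aud") != audience:
        return (False, "wrong audience")
    if now >= claims.get("exp", 0):
        return (False, "expired")
    if claims["jti"] in seen_jti:
        return (False, "replayed")
    seen_jti.add(claims["jti"])           # the receiver remembers ids until they expire
    return (True, claims["sub"])
```

The `seen_jti` set only needs to hold ids until their `exp` passes, which is exactly the bound a static key never gives you.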