Skip to main content
Cybersecurity

Cybersecurity Experts Push for Password Paradigm Shift

Person sitting at desk with laptop, surrounded by office equipment and network infrastructure.

"World Password Day reminds us that passwords are still one of the most common ways attackers gain access to systems, and the most common ways to protect information," says Doug Kersten, CISO of Appfire.

Doug Kersten: poor visibility is the vulnerability

Kersten argues the problem is rarely a single weak password; it is how credentials propagate across organizations. Employees, he says, "reuse the same passwords across systems, share access to move work forward, or connect them to new tools that aren’t centrally tracked. Over time, no one has a complete view of where access exists or who owns it." That lack of visibility, he warns, is precisely what malicious actors exploit.

Kersten also calls out a new variable: artificial intelligence. "AI is making phishing emails, messages, and even voice calls more convincing, which increases the chances that someone could unknowingly give up a password that can be used across multiple systems," he explains. In his framing, password risk is not just the secret itself but "everything that password connects to."

Tim Chase: identity, not logins, should be the control point

Tim Chase, Field CISO & Principal Technical Evangelist at Orca Security, says the architecture that treated passwords as the backbone of security no longer fits today's environment. "They were not built for a world where identities include not just people, but also apps, services, and now AI agents acting on their own," he says.

Chase prescribes a shift in focus: knowing "who or what is accessing your environment, what they are allowed to do, and whether that behavior actually makes sense." He places emphasis on a combination of strong authentication, least-privilege access, and continuous monitoring, arguing that these measures, rather than stronger passwords alone, are what actually keep systems in check as AI becomes more embedded in operations.

Steve Shoaff: a future without passwords

Steve Shoaff, SVP of Transformation at Imprivata, frames passwords as an "outdated and frustrating convention" and says the model itself is "broken and increasingly unnecessary for the majority of our logins." He rejects the premise that user behavior alone is to blame: "Bad password habits have been around for so long that continuing to blame users just isn’t productive."

Shoaff sets a clear aspiration: he hopes World Password Day will be "one of the last — if not the very last — World Password Days." His prescription is architectural: replace remembered secrets with "stronger, smarter authentication methods built on cryptography, trusted devices, and identity-bound access." In his view, when security operates behind the scenes, organizations can "reduce phishing and credential theft, eliminate password reuse, and strengthen protection without adding friction."

John Cannava: passwordless options on the rise

John Cannava, CIO at Ping Identity, points to concrete alternatives gaining traction. He says "passwordless solutions are rapidly replacing traditional passwords with stronger, more user-centric methods like biometrics, authenticator apps, and digital certificates." According to Cannava, these approaches "significantly reduce the risk of phishing and credential theft while improving the user experience."

He urges reframing World Password Day: rather than a seasonal reminder to update weak credentials, the day should "spark a broader shift" toward "more resilient authentication strategies that put control back in the hands of users."

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Chase’s call for identity-centric controls points them toward implementing strong authentication, least-privilege policies, and continuous monitoring to understand who—or what—is acting in their environments.
  • Enterprises and procurement leaders: Shoaff and Cannava signal a procurement decision point—prioritize cryptographic, device-bound, or biometric authentication and invest in passwordless workflows if the objective is reducing phishing and credential theft while lowering user friction.
  • End users and the general public: Kersten’s warning about AI-enhanced phishing underscores continued exposure; users stand to benefit if organizations adopt behind-the-scenes authentication but remain vulnerable so long as reused or shared credentials persist.

World Password Day has traditionally been a prompt to change weak passwords. This year the conversation among CISOs and identity executives shifts that prompt into a larger question: should the daily burden of managing secrets be replaced by systems that authenticate identities and devices without asking users to remember complex secrets?

The experts quoted—Doug Kersten, Tim Chase, Steve Shoaff, and John Cannava—converge on one point: passwords remain both ubiquitous and fragile. Their prescriptions differ in emphasis but align on an architectural transition toward identity-driven, cryptographic, and device-based authentication. Whether that transition will render World Password Day obsolete depends on how quickly organizations act on visibility, privilege, and authentication design while attackers sharpen tactics with AI.

Original story