TL;DR: World Password Day reinforces a long-running security problem: passwords remain easy to implement but costly for users and enterprises, driving reuse, phishing exposure, resets, and attack surface growth, according to Imprivata. The real shift is away from human memory toward cryptographic trust, where authentication becomes less brittle and easier to govern.
NHIMG editorial — based on content published by Imprivata: World Password Day analysis of why passwords still dominate modern security
Questions worth separating out
Q: How should security teams phase out passwords without breaking access?
A: Security teams should begin with the highest-risk user groups and the most common phishing targets, then move application by application rather than trying to replace passwords everywhere at once.
Q: Why do passwords remain a security problem even with strong policies?
A: Passwords remain a problem because policy cannot eliminate the human failure modes that come with shared secrets.
Q: What breaks when organisations keep passwords as the default identity control?
A: What breaks is the assumption that identity can be reliably proven through something a person remembers.
Practitioner guidance
- Inventory password-dependent applications: identify where passwords are still required, where they are optional, and where they are only present because of legacy authentication design.
- Move high-risk users to phishing-resistant authentication first: start with administrators, finance, support staff, and remote users who are most exposed to credential theft.
- Redesign recovery before rollout: review account recovery, lost-device handling, and help desk processes before expanding passwordless access.
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Why passwords still persist in older infrastructure and compliance-driven environments
- How passkeys, biometrics, and device-based authentication differ in practice
- What user friction and help desk burden look like when password resets disappear
- Why MFA remains a bridge control rather than the end state
👉 Read Imprivata's analysis of why passwordless access is replacing weak passwords →
Passwords are still failing users. What should IAM teams do next?
Explore further
Passwords are a governance liability, not just a user inconvenience. The article correctly identifies the core failure: security models that depend on perfect human memory and flawless behavior do not survive scale. Password resets, reuse, lockouts, and phishing exposure are not edge cases. They are the predictable operating condition of a system built around shared secrets. For IAM teams, the implication is that password policy tuning cannot close a structural design gap.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
A question worth separating out:
Q: Should organisations replace MFA with passwordless authentication?
A: Organisations should not treat this as a simple replacement question. MFA is still useful where passwordless is not yet available, but passwordless raises the security baseline by removing the password as the primary failure point. The right path is to use MFA as a bridge and passwordless as the destination.
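The "shared secret versus cryptographic trust" argument above (and the MFA-as-bridge answer) is easier to see in code. The following Go program is an added illustration written for this post; it is not code from Imprivata or NHIMG, and it is a deliberately simplified model of a passkey (WebAuthn-style) login next to a password login, not a conforming WebAuthn implementation. Assumptions: Ed25519 stands in for the authenticator's key pair, the `clientDataHash` encoding is a simplified stand-in for WebAuthn's `clientDataJSON`, SHA-256 stands in for a proper password hash (it is not a recommendation), and the user "alice", the origins and the password are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// RelyingParty is the site being logged into. For passkeys it stores only a
// public key per user (nothing secret to leak); for passwords it stores a hash.
// sha256 here is a stand-in for a slow password hash, not a recommendation.
type RelyingParty struct {
	Origin     string
	PubKeys    map[string]ed25519.PublicKey
	PassHashes map[string][32]byte
}

// Authenticator is the user's device. The private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// clientDataHash is a simplified stand-in for WebAuthn's clientDataJSON hash:
// the browser binds the origin it actually observed to the server's challenge
// before the authenticator signs. (Length-prefixed bytes, not the real JSON.)
func clientDataHash(origin string, challenge []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces an assertion over (observedOrigin, challenge).
func (a *Authenticator) Sign(observedOrigin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, clientDataHash(observedOrigin, challenge))
}

// NewChallenge issues a fresh random challenge per login attempt (replay protection).
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// VerifyAssertion checks the signature against the RP's OWN origin, never
// against an origin the client claims.
func (rp *RelyingParty) VerifyAssertion(user string, challenge, sig []byte) bool {
	pub, ok := rp.PubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, clientDataHash(rp.Origin, challenge), sig)
}

// VerifyPassword is the shared-secret path: whoever knows the secret wins.
func (rp *RelyingParty) VerifyPassword(user, password string) bool {
	stored, ok := rp.PassHashes[user]
	if !ok {
		return false
	}
	h := sha256.Sum256([]byte(password))
	return subtle.ConstantTimeCompare(stored[:], h[:]) == 1
}

// NewScenario builds a constructed relying party with one enrolled user, "alice".
func NewScenario() (*RelyingParty, *Authenticator) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &RelyingParty{
		Origin:     "https://login.example.com", // constructed
		PubKeys:    map[string]ed25519.PublicKey{"alice": pub},
		PassHashes: map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse battery staple"))},
	}
	return rp, &Authenticator{priv: priv}
}

// LegitimatePasskeyLogin: the browser is on the real origin, so the signed origin matches.
func LegitimatePasskeyLogin(rp *RelyingParty, auth *Authenticator, user string) bool {
	challenge := rp.NewChallenge()
	return rp.VerifyAssertion(user, challenge, auth.Sign(rp.Origin, challenge))
}

// PhishPasskey: an attacker-in-the-middle proxies the real challenge to the victim,
// whose browser is on the lookalike origin. The assertion is bound to that origin,
// so relaying it to the real site fails.
func PhishPasskey(rp *RelyingParty, auth *Authenticator, user, lookalikeOrigin string) bool {
	challenge := rp.NewChallenge()
	return rp.VerifyAssertion(user, challenge, auth.Sign(lookalikeOrigin, challenge))
}

// PhishPassword: the victim types the password into the lookalike page and the
// attacker replays it verbatim. Nothing binds a memorised secret to an origin.
func PhishPassword(rp *RelyingParty, user, typedOnLookalike string) bool {
	return rp.VerifyPassword(user, typedOnLookalike)
}

func main() {
	rp, auth := NewScenario()
	fmt.Println("passkey on real origin:     ", LegitimatePasskeyLogin(rp, auth, "alice"))
	fmt.Println("passkey relayed via phish:  ", PhishPasskey(rp, auth, "alice", "https://login.example.com.evil.test"))
	fmt.Println("password relayed via phish: ", PhishPassword(rp, "alice", "correct horse battery staple"))
}
```

The password path verifies whatever arrives, because the relying party and the user share the same secret and the lookalike page is just another place to type it; an OTP layered on top of it is relayed the same way, which is why the post treats that kind of MFA as a bridge. The passkey path fails under relay because the browser, not the user, supplies the origin that gets signed, and the server only ever verifies against its own origin. The practical caveat follows from the post's own recovery point: if the rollout keeps the password as a fallback or recovery method, the `VerifyPassword` path is still live for an attacker, so the phishable route has been hidden rather than removed.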
👉 Read our full editorial: World Password Day shows why passwordless access is the real fix