World Password Day 2025: Stronger Passwords, Smarter Identity
Every first Thursday in May, World Password Day rolls around, and in 2025 it's still as relevant as ever.
Yes, we're moving towards a passwordless future. But today, passwords remain the front door to countless systems, both personal and professional. That's why this year's message is simple:
🔑 It’s time to build stronger identity habits, whether you’re an IT admin, an SME owner, or someone with too many logins.
Why Are We Still Talking About Passwords?
Because the basics still aren’t being done right.
Credential reuse, weak passwords, and insecure storage continue to be the root cause of breaches across every sector. Many businesses still lack controls to block exposed credentials, or to detect lateral movement once a compromised account is inside the network.
📉 Commonly cited industry figures put the share of breaches involving stolen or weak credentials at over 80%.
And yet, 123456, qwerty, and password remain common.
Check if your passwords have been exposed: HaveIBeenPwned.com
What Makes a Strong Password in 2025?
Both the NCSC and NIST SP 800-63B offer clarity here. We're done with enforcing complexity rules like Th!s1sAwf^l. They don't work: they push people towards predictable substitutions (P@ssw0rd1!) that cracking tools already model, and they make passwords harder to remember without making them harder to guess.
Instead, we focus on length, memorability, and uniqueness.
NCSC Says:
Use Three Random Words, for example:
PurpleLaptopOrbit
It's strong, unique, and easy to recall.
You can add a number or symbol, or a fourth word, if you like; the choice is yours, as long as the words are genuinely random rather than a phrase you would naturally say.
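As an added example (this is not NCSC code), here is a Three Random Words generator that picks the words with a cryptographic RNG, together with the entropy arithmetic that explains why length beats complexity. The word list is a constructed sample; a real deployment would load a list of several thousand common words, and the guess rates in the comments are illustrative assumptions.

```python
"""Three Random Words generator with entropy estimates.

Added example, not from the original page or the NCSC. The word list is a
constructed sample; real generators use lists of thousands of words.
"""
import math
import secrets

# Constructed sample list. A real list (e.g. several thousand common words)
# gives far more entropy per word.
SAMPLE_WORDS = [
    "purple", "laptop", "orbit", "river", "candle", "window", "tiger",
    "marble", "cloud", "anchor", "garden", "rocket", "pillow", "copper",
    "forest", "violin",
]


def pick_words(words=SAMPLE_WORDS, count=3):
    """Choose `count` words uniformly with a CSPRNG (with replacement, like dice)."""
    if len(words) < 2:
        raise ValueError("word list too small to be useful")
    return [secrets.choice(words) for _ in range(count)]


def join_words(words):
    """Join words CapitalCase, e.g. PurpleLaptopOrbit."""
    return "".join(w.capitalize() for w in words)


def three_random_words(words=SAMPLE_WORDS, count=3):
    return join_words(pick_words(words, count))


def entropy_bits(count, list_size):
    """Entropy of `count` uniformly chosen words from a list of `list_size`.

    Assumes the attacker knows the list and the scheme (Kerckhoffs), so only
    the choice of words is secret: count * log2(list_size).
    """
    return count * math.log2(list_size)


def brute_force_years(bits, guesses_per_second):
    """Expected time to search half the keyspace at a given guess rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("example:", three_random_words())
    # Illustrative assumption: a 7,776-word (diceware-sized) list.
    bits3 = entropy_bits(3, 7776)
    bits4 = entropy_bits(4, 7776)
    print(f"3 words: {bits3:.1f} bits, 4 words: {bits4:.1f} bits")
    # Assumed rates: ~100/s for a rate-limited online login, ~1e10/s for an
    # offline attack on a fast unsalted hash. Slow hashes (bcrypt/Argon2)
    # sit orders of magnitude below the offline figure.
    print(f"online  (100/s):  {brute_force_years(bits3, 100):.0f} years")
    print(f"offline (1e10/s): {brute_force_years(bits3, 1e10) * 365 * 86400:.0f} seconds")
```

The two rates make the practitioner's point: three random words from a large list comfortably defeat online guessing, but against a fast offline hash the fourth word (or a slow, salted hash on the server side) is what buys real margin.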
NIST SP 800-63B Says:
- Minimum of 8 characters, and allow at least 64 (the revision 4 text also recommends 15 where the password is the only factor)
- No composition rules: any printable character, including spaces and Unicode, is acceptable
- No periodic password expiry; force a change only when there is evidence of compromise
- Block passwords that appear in known breaches, on common-password lists, or that are context-specific (the username, the service name)
- Allow password manager input (no blocking paste)
These are not just recommendations; they already shape enterprise IAM platforms. Microsoft Entra ID Password Protection, for example, enforces a global banned-password list and lets tenants add their own.
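To show what those rules look like in code, here is an added example (not the page's, NIST's, or Microsoft's code) of a password acceptance check built on NIST SP 800-63B, with a breach lookup done the way the HaveIBeenPwned range API mentioned earlier works: only the first five hex characters of the SHA-1 hash leave the client. The "range response" is constructed locally so the example runs offline; a real check would fetch https://api.pwnedpasswords.com/range/<prefix> and compare the returned suffixes in the same way.

```python
"""NIST SP 800-63B-style password check with a k-anonymity breach lookup.

Added example, not the original page's code. The breach corpus below is a
constructed stand-in so the example runs offline.
"""
import hashlib
import unicodedata

MIN_LEN = 8
MAX_LEN = 64  # NIST: allow at least 64; raise if your hash/storage permits

# Constructed stand-in for the breach corpus. A real deployment consults the
# HIBP range API or a local copy of the corpus.
_CONSTRUCTED_BREACHED = {"123456", "qwerty", "password", "Password1", "letmein"}


def _sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix):
    """Stand-in for GET /range/{prefix}.

    Returns 'SUFFIX:COUNT' lines for every corpus hash whose first 5 hex
    characters match `prefix`, mirroring the real API's response shape.
    """
    lines = []
    for pw in _CONSTRUCTED_BREACHED:
        h = _sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(h[5:] + ":1000")
    return "\n".join(lines)


def is_breached(pw, range_lookup=fake_range_lookup):
    """k-anonymity check: send only the 5-char prefix, compare suffixes locally."""
    h = _sha1_hex(pw)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        cand, _count = line.split(":", 1)
        if cand == suffix:
            return True
    return False


def check_password(pw, username=None, range_lookup=fake_range_lookup):
    """Return (accepted, reason).

    Implements the SP 800-63B rules:
    - normalise (NFKC) before measuring or comparing, so look-alike forms
      such as full-width letters cannot dodge the blocklist
    - length counted in characters, MIN_LEN..MAX_LEN
    - no composition rules: spaces and any printable Unicode are fine
    - reject breached values and context-specific words (the username)
    """
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    if is_breached(pw, range_lookup):
        return False, "appears in a known breach"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Th!s1s", "PurpleLaptopOrbit",
                      "correct horse battery staple", "ｐａｓｓｗｏｒｄ"]:
        print(repr(candidate), "->", check_password(candidate))
```

Two practical notes: the full-width "ｐａｓｓｗｏｒｄ" is rejected only because NFKC runs before the blocklist comparison, which is the reason NIST puts normalisation first; and if you hash with bcrypt, remember it silently truncates at 72 bytes, so either cap length to match or use Argon2id, which has no such limit.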
MFA: Still the Strongest Shield
MFA is your frontline defence when passwords fail, and they fail often.
Whether it's phishing, credential stuffing, or brute force, MFA breaks the attacker's chain. One caveat: not all MFA is equal. Push approvals without number matching can be worn down by prompt bombing, and one-time codes can be relayed through an adversary-in-the-middle phishing page, which is why phishing-resistant methods (FIDO2 keys, passkeys, Windows Hello for Business) are the target for privileged accounts.
Business Best Practice:
- Enforce MFA across all accounts, especially admin and privileged roles
- Use Microsoft Entra ID Conditional Access to control access based on user, location, and risk
- Prefer push notifications with number matching (Microsoft has enforced number matching for Authenticator push prompts since 2023); treat SMS as a last resort rather than a standard method, since NIST SP 800-63B treats one-time codes delivered over the phone network as a restricted authenticator and SMS codes are exposed to SIM-swap and phishing
Consumer Best Practice:
- Enable MFA on all critical services: email, banking, cloud storage, social
- Use an app-based authenticator like Microsoft Authenticator or Authy
👋 Going Passwordless: It’s Happening
Passwordless authentication is not science fiction; it's rolling out now. Windows Hello, FIDO2 security keys, and passkeys (FIDO credentials synced across a user's devices) are already letting users replace passwords entirely, and because the credential is bound to the site's origin, they resist phishing.
Business Options:
- Microsoft Entra ID passwordless sign-in (Hello for Business, FIDO2 keys, Authenticator app)
- Start with high-risk user groups (e.g., admins, developers)
- Pair it with Entra ID Protection (cloud sign-in and user risk) and Defender for Identity (on-premises Active Directory signals) to monitor what accounts do after they authenticate
Personal Options:
- Use passkeys where supported (Apple, Google, Microsoft ecosystem)
- Supplement with a password manager and MFA on services that don't yet support passkeys
🧼 Five Steps to Spring Clean Your Digital Identity
- 🔁 Stop Reusing Passwords – especially on work and email accounts
- 🔐 Turn On MFA Everywhere – make it your new login default
- 🧠 Use a Password Manager – don’t rely on memory or browser autofill
- 🧽 Audit Old Accounts – shut down unused logins
- 🚀 Try Passwordless Where Possible – especially for Microsoft and Apple logins
World Password Day isn't just a reminder; it's a call to evolve.
Whether you’re securing a small team or just your personal inbox, identity is the new perimeter, and passwords are still part of that defence.
🧭 Resources & Further Reading
- 🔗 NCSC – World Password Day 2025
- 🔗 NCSC – Password Managers
- 🔗 HaveIBeenPwned
- 🔗 1Password
- 🔗 NIST SP 800-63B
- 🔗 Microsoft Entra ID Identity Protection
- 🔗 NCSC Cyber Aware – Personal Advice