SecurityBrief New Zealand

Experts urge businesses to move beyond passwords for security

Yesterday

World Password Day has once again prompted cybersecurity experts to stress the importance of robust password management and rethink the traditional reliance on passwords alone. With the digital landscape rapidly evolving, industry leaders are advocating for fundamental changes in how personal and organisational digital identities are secured.

Fabio Fratucello, Field Chief Technology Officer World Wide at CrowdStrike, highlighted a significant shift in the tactics employed by cybercriminals. "Today's attackers are no longer relying on malware to break through defences. Instead, they're exploiting stolen credentials and trusted identities to quietly slip into organisations and move laterally across cloud, endpoint and identity environments—often undetected," he said.

Data from CrowdStrike's latest Global Threat Report underscores this shift, revealing that 79% of initial access attacks are now malware-free. In addition, access broker activity, where threat actors sell or trade access to breached systems, has jumped 50% year over year. This highlights the rising value of credentials as an attack vector.

Fratucello urges organisations to "go beyond traditional password hygiene and adopt an identity-first approach." He recommends applying Zero Trust principles, which assume that no one, whether inside or outside the network, is inherently trustworthy. He names continuous monitoring of users and access, together with stronger authentication through multi-factor authentication (MFA) and passwordless solutions, as the key strategies.

Further, Fratucello notes that the removal of unnecessary privileges and the adoption of AI-driven identity threat detection can help close security gaps. "Layering in AI-driven identity threat detection and unifying visibility across endpoint, identity and cloud domains helps close the gaps attackers count on," he said.

Echoing the call for vigilance, Bernard Montel, Technical Director and Security Strategist at Tenable, described strong passwords and credential hygiene as "critical to safeguarding our personal and professional digital lives." According to Montel, the strength and security of credentials can determine whether individuals and organisations remain protected or vulnerable to cyber threats.

While complex, unique passwords remain a core component of cybersecurity defences, Montel cautions that password strength alone is not sufficient. "Each credential should be unique and managed carefully, especially for software accounts with elevated privileges or persistent access," he advised. Montel emphasised that poor password practices can lead to severe consequences including data breaches, identity theft, financial loss, and reputational damage.

Crucially, as more digital systems operate autonomously in the background, such as service accounts, APIs, and automated workflows, securing these non-human credentials is becoming just as important as protecting user logins. "Organisations must adopt a layered approach to password security… to protect both human and machine accounts," added Montel. He highlighted the importance of MFA, regular audits, and ongoing security awareness initiatives to underpin a culture of robust security.

The advice from industry leaders is clear: while strong, unique passwords are a necessary first step, they must be supplemented with modern, layered security measures such as passwordless technologies, identity monitoring, AI-driven detection, and comprehensive user training. As threat actors refine their tactics, maintaining a proactive and adaptive approach to identity security remains essential for individuals and organisations navigating the digital era.
