Threat Intelligence

    World Password Day 2025: Keeping credentials safe

    Protect credentials to defend against phishing, breaches, and cyberthreats

    by Andrew Williams

    Key Points

• World Password Day falls on May 1 this year; it is a global event dedicated to raising awareness of the importance of securing passwords.
• Credentials are harvested through phishing emails, malicious websites, or data breaches.
• Why securing credentials is critical, the best ways to do so, and how Mimecast can help.

Each year, the first Thursday of May marks World Password Day, a global event dedicated to raising awareness of the importance of securing passwords and following good online security practices. With phishing lures becoming more topical and sophisticated, World Password Day serves as a timely reminder for individuals and organizations alike to examine the security of their login credentials.

    While its original purpose was simple — to encourage better password hygiene like using complex, unique passwords and avoiding reuse — it has taken on greater importance with the rise of credential harvesting. 

Credential theft remains the cybercriminal's weapon of choice: stolen credentials are involved in over 80% of web application breaches today. Attackers target user credentials through phishing, social engineering, and other techniques, then use them to access sensitive systems or sell them on the dark web. Understanding these threats is crucial for safeguarding your company's data and minimizing risk.

    Credential harvesting: Phishing emails, malicious websites, or data breaches 

Cybercriminals rely on weak or poorly managed passwords to infiltrate systems. About 63% of all phishing is credential harvesting, a proportion that Mimecast's own threat intelligence data bears out (see Figure 1). With billions of compromised credentials circulating online (some available for as little as $10), businesses face enormous risk if passwords are not adequately protected. Attackers are also using more sophisticated tactics, such as hosting lures on infrastructure belonging to trusted services, to disguise phishing attempts and make malicious websites appear authentic.


    Figure 1: According to Mimecast’s threat intelligence data over the past 3 months, an average of 64% of all phishing attempts are focused on obtaining credentials.

    Why it’s critical to secure passwords 

Passwords remain the first line of defense for sensitive business systems, financial data, and personal information. However, weak, reused, or shared passwords significantly increase the risk of attack, including phishing schemes, credential stuffing (replaying username and password pairs leaked from one site against accounts on another) and brute-force guessing.
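The two attack patterns named above look different in an authentication log, and telling them apart decides the response (block the source, or reset the accounts it has already got into). The following Python is an added example, not Mimecast's code or part of the original article: it parses a constructed sample log (hypothetical usernames, RFC 5737 test addresses) and labels each source IP as credential stuffing (many distinct accounts failing from one IP in a short window), brute force (many failures against one account), or benign, then lists accounts that succeeded from a flagged IP. The log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical users, RFC 5737 test addresses).
SAMPLE_LOG = """\
2025-05-01T10:00:01Z ip=203.0.113.5 user=alice result=fail
2025-05-01T10:00:02Z ip=203.0.113.5 user=bob result=fail
2025-05-01T10:00:03Z ip=203.0.113.5 user=carol result=fail
2025-05-01T10:00:04Z ip=203.0.113.5 user=dave result=fail
2025-05-01T10:00:05Z ip=203.0.113.5 user=erin result=success
2025-05-01T10:00:06Z ip=203.0.113.5 user=frank result=fail
2025-05-01T10:01:00Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:01:01Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:01:02Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:01:03Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:01:04Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:01:05Z ip=198.51.100.7 user=alice result=fail
2025-05-01T10:05:00Z ip=192.0.2.9 user=grace result=fail
2025-05-01T10:05:30Z ip=192.0.2.9 user=grace result=success
"""

# Assumed log format for this example: "<ISO-8601 UTC> ip=<addr> user=<name> result=success|fail".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse lines into (timestamp, ip, user, result) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=5), stuffing_users=5, brute_fails=5):
    """Label each source IP.

    credential_stuffing: at least `stuffing_users` distinct accounts fail from one IP inside `window`
                         (a leaked password list being replayed against many accounts).
    brute_force:         at least `brute_fails` failures against one account from one IP inside `window`.
    benign:              neither threshold reached.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    verdicts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        verdict = "benign"
        for i, (start, _, _, _) in enumerate(evs):
            # Failures in the window that opens at this event.
            fails = [e for e in evs[i:] if e[0] - start <= window and e[3] == "fail"]
            per_user = defaultdict(int)
            for _, _, user, _ in fails:
                per_user[user] += 1
            if len(per_user) >= stuffing_users:
                verdict = "credential_stuffing"
                break
            if max(per_user.values(), default=0) >= brute_fails:
                verdict = "brute_force"
                break
        verdicts[ip] = verdict
    return verdicts


def compromised_candidates(events, verdicts):
    """Accounts that logged in successfully from a flagged IP: these passwords are already known to the attacker."""
    return sorted(
        {user for _, ip, user, result in events
         if result == "success" and verdicts.get(ip) != "benign"}
    )


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = classify_sources(evs)
    for ip, label in labels.items():
        print(f"{ip:15} {label}")
    print("accounts to reset:", compromised_candidates(evs, labels))
```

Run against the sample, the script flags 203.0.113.5 as credential stuffing, 198.51.100.7 as brute force, leaves 192.0.2.9 alone, and reports erin as the account to reset: a single success amid a spray of failures from one source is the signature of a reused password that was already in a breach dump. The thresholds are deliberately low for the tiny sample; tune them to your own baseline, and note that distributed stuffing across many IPs will not trip a per-IP rule and needs aggregation by target account or by user agent instead.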

    Strengthening passwords reduces the likelihood of costly incidents such as ransomware attacks or data breaches. Furthermore, businesses should implement comprehensive safeguards to prevent credentials from being stored or shared in insecure locations. A few tips include:

    Multi-Factor Authentication (MFA) is necessary 

Even the strongest passwords can be compromised. That's where multi-factor authentication (MFA) steps in. MFA requires users to prove their identity with more than one factor, such as a one-time code generated by or sent to their smartphone, or biometric data like a fingerprint scan, in addition to the password.

    Why MFA is essential: 

• Stops attackers who hold a valid password but cannot produce the second factor.
• Provides protection against the 88% of ransomware attacks that occur in accounts without MFA, especially privileged ones.
• Reduces reliance on passwords for security, aligning with passwordless initiatives that improve both security and usability.

Companies must prioritize phishing-resistant MFA: an estimated 40% of enterprises still have either no MFA or only weak MFA in place, leaving many devices and accounts unsecured. Not every second factor is equal. SMS codes and push approvals can be relayed or fatigued by a phishing site sitting between the user and the real login page, whereas FIDO2/WebAuthn security keys and passkeys bind the credential to the genuine origin and cannot be replayed to it.

    By combining strong passwords with MFA, businesses can successfully mitigate unauthorized access and improve their security posture.
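To make the first bullet above concrete (a stolen password alone does not get the attacker in), here is an added example in Python, not code from the original article or from Mimecast: a minimal RFC 6238 time-based one-time password (TOTP) implementation with a login check that demands both a PBKDF2-verified password and a fresh code, and that refuses a code that has already been used. The user record, salt and password are constructed for the example; the TOTP seed is the RFC 4226/6238 test-vector secret so the expected codes are known.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step (what an authenticator app shows)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def match_totp(secret: bytes, code, at=None, step: int = 30, skew: int = 1, digits: int = 6):
    """Return the time-step counter `code` matches, or None.

    Accepts +/-`skew` steps of clock drift; the comparison is constant-time.
    """
    if not isinstance(code, str) or not code.isascii():
        return None
    now = time.time() if at is None else at
    counter = int(now) // step
    for c in range(counter - skew, counter + skew + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash; never store or compare the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store (hypothetical). The TOTP seed is the RFC 4226/6238 test-vector secret.
_SALT = b"constructed-static-salt-for-demo"
TOTP_SECRET = b"12345678901234567890"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": TOTP_SECRET,
        "last_counter": -1,   # highest time step already consumed: the replay guard
    }
}


def authenticate(username: str, password: str, code, at=None) -> bool:
    """Succeeds only with the right password AND a fresh, unused TOTP code."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"]):
        return False                      # a captured code without the password is useless
    if code is None:
        return False                      # a stolen password without the second factor is useless
    counter = match_totp(user["totp_secret"], code, at)
    if counter is None or counter <= user["last_counter"]:
        return False                      # wrong code, or a code the attacker replayed
    user["last_counter"] = counter        # burn the step so the same code cannot be reused
    return True


if __name__ == "__main__":
    now = time.time()
    print("current code for alice:", totp(TOTP_SECRET, at=now))
    print("password only:", authenticate("alice", "correct horse battery staple", None, at=now))
    print("password + code:", authenticate("alice", "correct horse battery staple", totp(TOTP_SECRET, at=now), at=now))
```

At time 59 the RFC 6238 vectors give the 8-digit code 94287082, so the 6-digit code is 287082, and the example accepts that code exactly once: presenting it again later inside the skew window is rejected because the time step has already been burned. That replay guard matters in practice because a phishing page that relays the victim's password and code in real time gets one login, not a reusable credential; only a phishing-resistant factor bound to the origin removes even that single window.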

    Protecting credentials from phishing sites 

    Cybercriminals frequently rely on phishing attacks to harvest credentials. These schemes often deploy fake websites that mimic well-known brands, tricking users into entering their passwords. Compromised login details from these attacks are then used to infiltrate systems or sold to other malicious actors. 

Alarmingly, criminals are adapting their methods to evade detection. Instead of registering suspicious, easily flagged domains, attackers now host malicious pages on infrastructure provided by legitimate companies, so the phishing URL carries a trusted name and reputation-based filters are less likely to catch it.

    Enhancing protection with enterprise education and technology 

    Employee education remains one of the best defenses against credential harvesting. Training programs on password management, spotting phishing attempts, and using password managers should be conducted regularly to minimize human error. Additionally, leveraging advanced solutions can provide an extra layer of protection by identifying and blocking malicious emails before they reach employees. 

    The bottom line 

    On this World Password Day, commit to strengthening your organization’s defenses by prioritizing password security, implementing MFA, and educating users on avoiding common pitfalls. Credential theft remains the #1 cyber threat to businesses, but with proactive measures, you can reduce your risk. 

    For deeper insights into keeping credentials and systems secure, read the Mimecast Threat Intelligence report. Protect your credentials; protect your business.
