惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
U
Unit 42
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Martin Fowler
Martin Fowler
L
LangChain Blog
博客园_首页
博客园 - 【当耐特】
Vercel News
Vercel News
I
InfoQ
GbyAI
GbyAI
爱范儿
爱范儿
D
DataBreaches.Net
Blog — PlanetScale
Blog — PlanetScale
B
Blog RSS Feed
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
Apple Machine Learning Research
Apple Machine Learning Research
F
Fortinet All Blogs
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
P
Proofpoint News Feed
美团技术团队
V
V2EX
Stack Overflow Blog
Stack Overflow Blog
有赞技术团队
有赞技术团队
Y
Y Combinator Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
H
Help Net Security
Recent Announcements
Recent Announcements
Microsoft Azure Blog
Microsoft Azure Blog
D
Docker
宝玉的分享
宝玉的分享
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
量子位
小众软件
小众软件
J
Java Code Geeks
S
SegmentFault 最新的问题
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
MongoDB | Blog
MongoDB | Blog
The Cloudflare Blog
Recorded Future
Recorded Future
阮一峰的网络日志
阮一峰的网络日志
T
The Blog of Author Tim Ferriss
MyScale Blog
MyScale Blog
Microsoft Security Blog
Microsoft Security Blog

Security

Report: Business email compromise attacks surged dangerously in April Scope Systems confirms cyber incident, says no data loss occurred Instructure breach: ShinyHunters says ‘matter has been resolved’ Rapid7 launches Cyber GRC program to connect compliance with live risk data Australian federal budget 2026: The industry perspective Op-Ed: Microsoft May Patch Tuesday reveals 137 vulnerabilities Federal Budget 2026: The state of cyber security spending for the coming year OpenAI offers EU early access to its cyber security model Exclusive: Aussie firm Earth Systems listed by INC Ransom hacking group Op-Ed: Why Middle East tensions demand immediate action on OT security Aussie schools breach: Instructure boss “reaches agreement” with ShinyHunters to not release data Institute of Public Accountants members hit by data breach Union demands answers on Qantas AI plans 1 in 3 small businesses don't think they're a cyber target, new research finds Exclusive: Aussie toy distributor listed by M3rx ransomware Exclusive: Australian Computer Society investigating possible breach after ShinyHunters hack claims The industry speaks – part 2: World Password Day 2026 Aussie schools breach: The Instructure hack “transcends an isolated IT incident” Exclusive: Aussie car part importer Strategic Imports allegedly breached by threat actors New South Wales, other states, investigating Instructure/Canvas data breach Australian Cyber Security Centre warns of ClickFix campaign leveraging Australian infrastructure Queensland Department of Education confirms students & staff impacted by ShinyHunters data breach ACMA takes action against SpinTel & Yomojo over mobile number fraud violations Qualys and Converge tie cyber insurance pricing to real-time security posture Fakeout: Iranian APT caught hiding behind Chaos ransomware activity Exclusive: Australian energy management firm allegedly breached by SafePay Real estate giant Cushman & Wakefield confirms cyber incident, Qilin and ShinyHunters claim attack CrowdStrike expands Project QuiltWorks as more partners join AI security coalition Hacked: ALS discloses cyber incident, unauthorised access to IT systems Microsoft the main target of AI phishing attacks, report uncovers Attackers increasingly turning to trusted security tools to compromise Aussie victims Exclusive: Champion Homes confirms customer data compromised in “cyber event” Australia, Japan commit to partnership to meet cyber security challenges & strengthen cyber defences NSW Treasury cyber incident contained, impact no longer ‘significant’ WA rental scam surge: Tenants targeted with fake $500 discount trap Aussie Information Commissioner launches Privacy Awareness Week 2026 Unregistered branded text messages to be labelled ‘Unverified’ from 1 July Exclusive: Major Australian jewellery brand confirms cyber incident Watch this! Komari server monitor tool abused by hackers Act Now! ACSC warns of active exploitation of cPanel & WHM critical vulnerability Exclusive: Kiwi electrical contractor confirms cyber attack Exclusive: Prime Properties listed as breach victim by M3rx ransomware DigiCert launches AI Trust architecture to secure agents, models, and content Winners of the 2026 Australian Cyber Awards unveiled Op-Ed: Redefining performance in the AI-powered SOC NZ council cyber attack leads to ID and financial data being exposed Alert! Wave of fake toll, parking scams impacting countries worldwide, including Australia and New Zealand Vect unveiled: Inside an emerging ransomware group’s affiliate network Exclusive: Gelatissimo confirms unauthorised access, investigates DragonForce hack claims Aussie ice-cream franchise Gelatissimo suffers alleged hack by DragonForce Anthropic Mythos: The model, the myth and the mundane​ Report: Aussie small businesses doing it tough as job scams double, losses rise Cyber attacks on medical devices pose ‘significant’ impact on real-life patient care Twisted Firestarter! Aussie, US, and UK cyber agencies warn of Cisco malware campaign Generation Life informs customers of “cyber incident” as owner shares incident with ASX CBA launches new scam-finding AI agent Sri Lankan government hack sees $3.7m destined for Australia stolen CrowdStrike extends cloud threat detection to Google Cloud Hey big spender! Microsoft to invest $25bn in Australian AI infrastructure Genetec marks Sydney milestone with visit by high commissioner of Canada to Australia Rental platform under fire for collecting excessive personal data Exclusive: SA genealogical research firm confirms cyber incident following SafePay ransom claims PentenAmio announces acquisition of Armour Communications Exclusive: Aussie passports compromised in alleged Favelle Favco data breach Cutting edge: Anthropic’s Claude Mythos preview is a ‘double-edged sword’, expert says Treasury staffer charged for NSW government data breach Op-Ed: AI won’t patch the holes in your SOC Game on! More than a third of FIFA World Cup 2026 partners expose Aussies to email fraud risk Dark web markets: A complete Aussie identity costs as little as $200 Exclusive: NSW-based Strata Republic allegedly breached by Kairos ransomware group Mortgage fraud now harder to detect thanks to AI McGraw Hill confirms ShinyHunters breach, won’t confirm if any Aussie customers impacted Update now: Active exploitation of Nginx UI vulnerability CVE-2026-33032 underway National Defence Strategy 2026: Spending on military cyber capability to reach at least $15bn Exclusive: Qld pharmacy chain allegedly breached by Kairos ransomware Op-Ed: ASIO has broken its silence on cyber crime, and you should listen Too-hard basket: NIST to scale back CVE updates as vulnerabilities soar OpenAI launches GPT 5.4-Cyber in response to Anthropic Glasswing NZ racehorse auction stalled by cyber attack Op-Ed: Microsoft April Patch Tuesday reveals 167 vulnerabilities ADF joins international military exercise focused on cyber resilience and multi-domain operations OpenAI CEO’s home targeted in attempted drive-by just days after Molotov attack Exclusive: Aussie communications company Mastercom ‘aware’ of INC Ransom claims Booking.com confirms cyber incident, customer reservation data potentially compromised Report: Majority of CISOs not ready for the next big cyber attack Exclusive: Aboriginal community organisation confirms cyber incident following INC Ransom claims The industry speaks: World Identity Management Day 2026 WASTED! GTA developer Rockstar Games confirms hack as ShinyHunters demands ‘pay or leak’ Exclusive: Gunra ransomware lists Eric Davis Dental as breach victim Op-Ed: Why zero trust for OT should start at the boundary, not the boiler room Exclusive: NSW pharmacy management firm allegedly breached by INC Ransom US Treasury launches intelligence-sharing initiative with crypto companies Citigroup says AI speeds up new account openings Cyber war: Pro-Iranian hackers vow to fight on despite a fragile ceasefire with the US Exclusive: Victorian resort hotel allegedly breached by Space Bears ransomware Game on! Nationwide student competition aims to tackle Australia’s cyber skills gap Exclusive: Anubis ransomware gang claims hack of WA-based Shine Aviation Ransomware group claims hack of legal giant Jones Day Anthropic, partners announce Project Glasswing cyber security initiative Exclusive: Aussie tech firm Seeing Machines confirms potential cyber security incident
The Industry Speaks, Part 1: World Password Day 2026
David Hollin · 2026-05-07 · via Security

World Password Day is a reminder that securing access to our digital lives is essential – but it’s only one piece of the broader data security picture.

Data is the lifeblood of today’s digital economy, growing rapidly in both volume and value across personal and enterprise environments. As attention shifts beyond access to how data is stored, protected and preserved, secure storage becomes a foundational layer of trust – ensuring information remains safe, accessible, and resilient over time.

Ultimately, there is no data security without secure storage. As data continues to grow in importance, so must our commitment to protecting it – so it remains available, recoverable, and secure when it matters most.


Charles Guillemet
CTO at Ledger

Passwords are a relic of a less adversarial internet. They were never built to withstand the scale and sophistication of today’s threats, and that gap is only widening. AI is fundamentally rewriting the economics of security: lowering the cost of attacks, industrialising phishing and social engineering, and making the internet more adversarial by design.

In this context, asymmetric-cryptography-based authentication, such as passkeys, is a meaningful step forward. They reduce human error and improve usability. But they still rely on trusted environments, smartphones and laptops, that remain vulnerable in a world where attackers are increasingly automated and adaptive.

What comes next is not just an evolution of authentication, it’s a paradigm shift. The account-based model that protects our secrets will give way to a model built on secure digital ownership, like Ledger’s, where users hold their own cryptographic keys securely and with sovereignty. In this world, wallets won’t just secure assets; they will become the primary interface for identity, authentication, and interaction online. You no longer log in; you connect. Your wallet becomes your identity. This is why wallets won’t simply replace passwords as a feature; they redefine the foundation of the internet itself: a model where trust is minimised, intermediaries are reduced, and users regain full control over both their digital value and identity.

Passkeys improve usability. Secure self-custody is the endgame, where security, identity, and ownership converge into a single, user-controlled system.


Darren Guccione
CEO & Co-Founder, Keeper Security

Every year, World Password Day generates the same conversation. And every year, attackers walk straight through the same open doors. Credentials remain the most exploited entry points in enterprise breaches – not because the risk is unknown, but because access is still not being controlled with the rigour the threat demands. A compromised password doesn’t just unlock an account. It hands an attacker a foothold for lateral movement, data exposure and, in many cases, full environment takeover.

Password strength alone is not the issue. The real exposure sits in how credentials are stored, shared and governed across users, systems and service accounts. This is where Privileged Access Management (PAM) becomes critical. Enforcing least privilege, rotating credentials, removing standing access and introducing visibility over how credentials are used changes the risk profile entirely.

Passkeys are gaining serious institutional momentum. The UK’s National Cyber Security Centre (NCSC) and US agencies, including CISA, are actively pushing phishing-resistant authentication aligned with FIDO standards – and adoption is already visible across public services. The direction is set. Even so, most organisations remain in hybrid environments where passwords persist. Governance does not disappear in that model. It expands to both passkeys and traditional passwords in parallel.

Strong passwords still matter. But without control over who can use them, when and under what conditions, they offer a false sense of security. Organisations that treat access as a one-time configuration rather than a continuously managed risk are not protected. The credential problem is solvable. What is lacking is the will to govern access with the same discipline we apply to every other critical business function.


Anne Cutler
VP Global Communications, at Keeper Security

Most people don’t think about their passwords until something goes wrong. By then, the damage is usually already done. A breached email does not just expose one account – when passwords or variations of passwords are reused, it opens everything attached to them: password resets, linked services, saved payment details, the list goes on. It unravels faster than you might expect.

What makes this so frustrating is how little effort it takes on the attacker's side. Credentials stolen from one platform get tested automatically across hundreds of others within seconds. And AI has made the front end of that process genuinely difficult to defend against. A phishing message, a fake login page, and impersonation are not crude scams anymore. They are convincing, personalised and increasingly automated.

The good news is that the defence is not complicated. A password manager eliminates the reuse problem entirely, giving each account a strong, unique credential – whether it’s a traditional password or a phishing-resistant passkey – that is generated and stored without you having to think about it. Paired with built-in multi-factor authentication, you remove the two entry points attackers rely on most.

The threats have gotten smarter. Fortunately, so have the tools.


Kevin Charest
Vice President of Cyber Governance Services at Netrio

World Password Day has been around for more than a decade, but in the last year, the conversation has shifted from stronger passwords to MFA, phishing resistance, and passkeys. While it probably should be renamed ‘World Passkey Day,’ the reality is that most people still use passwords for everything. Companies are also not using passkeys at scale, which means security tools are left to make up for the shortcomings of how people actually use passwords.

To this day, the single biggest issue remains password reuse. With so much breach and security incident data available, attackers often do not need to crack a password; they can take a known password and try it across multiple services and systems. Complexity rules do not fully solve the problem either. Users often just add a few required characters or move from “password123” to “password124”. Relying on user IDs and passwords as the primary form of security can be the downfall of many companies.

Until organisations can truly move away from passwords, MFA and detection tools must do more of the work. For SMBs and mid-market enterprises in particular, the challenge regarding passwords is especially tough. If they cannot afford to apply the highest level of security across the entire organisation – which in many cases is true, due to limited budget – they should at least identify critical roles and apply stronger controls in those areas. At a minimum, financial teams, employees sending or receiving money, and those handling sensitive data, intellectual property or the company’s “crown jewels” need a higher level of security.

However, in the end, the biggest hurdle is not always technology. Culture eats technology for breakfast. Asking users to carry a physical hardware device or adopt a new authentication process can create resistance. At its core, change management is difficult, but necessary. Passwords are still the game for most users, and until that changes, companies need to treat password behaviour as a foundational security gap that must be actively managed.


Mohammed Khan
Strategic Engagement Lead at HP

World Password Day is a timely reminder for Australian businesses that the case for strong password hygiene and identity security has never been more compelling.

HP’s latest Threat Insights Report shows attackers are increasingly using AI to scale low-effort, modular campaigns that can bypass traditional defences. These aren’t always sophisticated attacks, but they are often effective. They highlight a shift in the threat landscape where speed and volume can outweigh complexity.

We’re seeing techniques like “vibe-hacking” scripts and reusable malware components, allowing attackers to rapidly build and adapt campaigns – including credential harvesting and account compromise. The reality is that even basic attacks can have a significant impact if organisations aren’t ready to respond.

This is why strong password practices and identity protection are critical. When threats target user credentials, simple steps like using unique passwords, enabling multi-factor authentication, and adopting password managers can significantly reduce risk.

At HP, we believe organisations need to rethink security with a focus on reducing exposure – protecting identities, isolating high-risk activities, and building resilience from the hardware up.

World Password Day should serve as a call to action: strengthen your password practices, secure your identities, and ensure your organisation is prepared for evolving threats.


Munu Gandhi
President, Xerox IT Solutions and Chief Technology Officer, at Xerox

World Password Day reinforces a simple reality: identity is the control point in modern cybersecurity.

At Xerox IT Solutions, we apply a Zero Trust model where every access request is continuously validated using adaptive authentication. The focus is not more controls - it’s smarter, contextual access that reduces risk while enabling speed.

Organisations that build integrated identity frameworks will be better positioned to protect operations, earn client trust, and move with confidence in an increasingly distributed, AI-driven world.


Doug Kersten
CISO of Appfire

World Password Day reminds us that passwords are still one of the most common ways attackers gain access to systems, and the most common ways to protect information. Password risk doesn’t usually come from a single weak password; it comes from how those credentials are used across an organisation. Employees reuse the same passwords across systems, share access to move work forward, or connect them to new tools that aren’t centrally tracked. Over time, no one has a complete view of where access exists or who owns it.

That lack of visibility is exactly what attackers take advantage of. AI is making phishing emails, messages, and even voice calls more convincing, which increases the chances that someone could unknowingly give up a password that can be used across multiple systems. Password risk lies within everything that password connects to. The priority now is to reduce how often passwords are used, limit where they can be used, and ensure every system and account has clear ownership. This includes using multi-factor authentication, where you need a password and something you know, have, or are to increase the level of difficulty needed to compromise your accounts. When organisations have consistent visibility and control over access – alongside clear governance around how tools and credentials are used – a compromised password is far less likely to lead to a broader security issue.


Kevin Higgins
Senior consultant at Optiv

World Password Day is no longer just about protecting people. It’s now also about protecting machines. As machine-to-machine communication accelerates, strong, frequently rotated credentials are essential to ensure trusted systems don’t execute malicious or compromised instructions.

The challenge, however, is that many organisations still rely on static credentials. Long-lived API keys and persistent service account passwords create machine credentials with unlimited replay value. When credentials become permanent, compromise becomes persistent. If these credentials leak through logs, configuration files, AI, or repositories, attackers can impersonate trusted systems for extended periods without triggering the authentication signals typically associated with human access.

Modern security requires a shift to short-lived, cryptographic identities, where every workload proves what it is through mechanisms like mutual TLS authentication and temporary identity tokens. This ensures every interaction is verifiable and resilient by design.

The future of cybersecurity will be defined by how effectively we secure the machines that now act on our behalf, and passwords continue to play an important role in the evolving security journey.


Jack Cherkas
Global CISO at Syntax

World Password Day 2026 brings the usual advice for passwords: longer, unique, never reused. That is no longer enough. Passwords are only one of many credentials now under AI-powered attack. Generative AI has industrialised credential attacks: phishing lures that defeat traditional user training, voice clones that pass help-desk identity checks, and credential stuffing at an industrial scale.

Credentials remain one of the top initial access vectors year after year, and non-human identities, from AI agents to service accounts, are multiplying, each one holding credentials, each one a potential blast radius. When the next breach arrives, "we didn't know who or what had access" will not be acceptable as a defence.

The fix is not novel. For organisations: phishing-resistant multi-factor authentication (MFA) and passkeys, single sign-on wired into a disciplined joiner-mover-leaver process, vaulted privileged access, and scoped, logged, revocable credentials for every non-human identity, AI agents included, never a shared service account. For individuals: a password manager, unique passwords or passkeys, and MFA on every account. The password era is ending, the credential era is not. Most breaches still begin with a credential someone forgot to protect, revoke, rotate, or retire.

The organisations and individuals that master that unglamorous work are the ones that stay resilient when the next AI-powered attack lands.


Jason Pearce
Field CTO APJ at Claroty

World Password Day is a timely reminder that despite years of warnings, 'admin/admin' remains the skeleton key to the world’s most critical infrastructure. Shockingly, many important systems are still protected by these weak, unchanged default logins. In the realm of Cyber-Physical Systems (CPS), weak or default passwords aren’t just a digital vulnerability – they are a direct threat to physical safety and operational uptime. As organisations continue to bridge the gap between IT and OT systems without the proper security in place, they are essentially leaving the front door unlocked to our power plants, water systems, and hospitals for any adversary with a basic search engine and a bit of persistence.

To shut this door, organisations must move past manual password management and embrace automated exposure management instead. Humans cannot feasibly manage hundreds or thousands of passwords at once – in many cases, humans can't even identify every single device that exists on their network. Therefore, any good exposure management program must start with having total visibility into every connected asset across the XIoT. This should be followed by implementing secure access controls that 'wrap' legacy systems in modern security layers like Multi-Factor Authentication (MFA). On this World Password Day, the goal shouldn't simply be "have better passwords". Instead, organisations should aim for a zero-trust architecture that ensures a single compromised credential can't take down an entire production line, a power grid or a health care facility.


Tomer Bar
Associate VP of Security Research at Semperis

Passwords have a terrible reputation, but that’s not really the password’s fault. It’s ours. Most of the risk comes from human limitations and predictable behaviour. The comforting myth is, "if the number of possible combinations for a 10-character password using lowercase letters, uppercase letters, digits, and special characters is enormous, then the password must be safe". The total search space is in the order of tens of quintillions of combinations. Even if an attacker can test one billion guesses per second, it would take roughly 1,700 years to exhaust the entire space with a pure brute-force attack.

On paper, that looks great. It’s misleading – because very few people choose random 10-character passwords. Humans tend to fall back on predictable patterns: a capital letter first, followed by one or more lowercase letters, then one to four digits (often a year), and finally a single special character at the end.

Advanced attackers know this. They don’t brute-force the entire key space; they brute-force your habits, making it much quicker to guess. If you keep using passwords, the best practice is to stop letting humans design them. Use a password manager to generate and store long, truly random passwords (20+ characters) and never reuse them; turn on MFA wherever possible so stolen passwords are far less useful; and for the few passwords you must remember, use long, unique passphrases made of random words instead of lyrics, quotes or clever patterns. The goal is to make attacking you so difficult and unprofitable that attackers move on to easier targets.


Robb Reck
Chief Information, Trust, and Security Officer at Pax8

For most small and mid-sized businesses, the password is still the front door. After years of breaches, credential stuffing, and cheap compute power, that door is effectively unlocked.

MSPs exist to close that gap. Helping customers eliminate account takeover risk is one of the highest-leverage moves in the SMB security stack.

World Password Day is a reminder to act on the basics. Microsoft's data is unambiguous: over 99.9 per cent of compromised accounts had no MFA. Turning it on is the single highest-impact control an SMB can implement today. Longer term, FIDO-based passkeys remove the password attack surface entirely by eliminating passwords from the equation.

The path is straightforward: unique credentials and MFA now, passwordless tomorrow. SMBs don't need enterprise budgets. They need an MSP with a repeatable playbook and the will to enforce it.


Nick Nigro
VP Sales, Reolink Australasia

As we mark World Password Day, it’s worth remembering that passwords are fundamental to our digital safety. With recent reports showing Australia logged 1.1 million leaked accounts in Q1 2026 alone, it’s clear that safeguarding our personal data has never been more critical.

At Reolink, we believe your security system should be safe from the moment you plug it in. That’s why we support the Australian Government's recent mandate to remove universal default passwords across consumer smart devices. Instead of relying on risky factory defaults, we have our users create their own unique passwords right from the setup.

Managing multiple logins can feel like a chore, but basic habits drastically improve your digital safety. Since longer equals stronger, always use at least ten characters. Avoid real words, obvious names, and birthdays; instead, rely on random combinations of letters, numbers, and symbols to stop bad actors. If tracking these complex codes seems daunting, a password manager can securely generate and store them for you. Finally, always enable two-factor authentication (2FA). While it might require an extra step at login, that unique code sent to your phone provides a massive, necessary layer of defence.

Ultimately, the motivation for using strong, unique passwords is the exact same reason we use home security systems: safety, protection, and peace of mind.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.