Today (1 May) is World Password Day, which often serves as a timely reminder for organisations to rethink how they secure access and what a critical role passwords still play in our daily lives.
Despite rising awareness that stolen passwords fuel cyber attacks, password reuse remains a serious vulnerability.
How weak is your password?
Hive Systems, a cybersecurity company, released their 2025 Hive Systems Password Table, which shows just how fast a hacker can brute-force your password. The infographic, titled "Are Your Passwords in the Green?", provides revelations related to password strength, explaining how fast modern graphics processing units (GPUs) can shatter digital defenses.
They modelled a hacker's or attacker's attempt to guess your password, and the revelations from this were alarming, to say the least:
Want something that is unbreakable and lasts for years? According to Hive Systems, you are looking at random 12-character passphrases, and even that is starting to feel like the bare minimum of password strength now and into the near future.
According to Hive Systems, for passwords to be in the "green zone", which they designate as "safe passwords", they have to be more than 16 characters long with special symbols included, whereas passwords like "hello" and "qwerty123" would be in the "green zone".
Verizon, an American telecommunications company, published a 2024 Data Breach Investigations Report, which found that as much as 68% of breaches involved the "human element", which includes phishing, reused passwords, and easily guessable login attempts.
NordLayer, a network access security service, said over a billion records were stolen in 2024, and that login credentials were the most common target. IBM's "Cost of a Data Breach Report 2024" stated that cybersecurity breaches are costing businesses about $4.9 million.
How to be more secure?
The new best practice is length over cleverness and "passphrases" over passwords:
As well as this, multi-factor authentication (MFA) adds extra doors, whether it is a one-time code, a hardware token, or a push notification. According to Microsoft, 99.9% of automated attacks fail if MFA is on, so enable it wherever you can.
Then there are passkeys, which are device-bound, phishing-resistant logins that ditch secrets altogether in favour of cryptographic keys stored on your phone or computer.