World Password Day

In 2005, the security researcher Mark Burnett published a book called Perfect Passwords in which he made a small, practical suggestion: people ought to set aside a regular day to update their important passwords, much as they replace the battery in a smoke alarm. Eight years later, in May 2013, Intel Security took the idea and ran with it, formally declaring the first Thursday of May to be World Password Day. Because it is anchored to a weekday rather than a fixed date, the observance drifts slightly each year, landing somewhere in early May — a movable feast devoted to one of the dullest yet most consequential chores in modern life.
Origins: A Book, Then a Chipmaker
Burnett’s contribution was the kernel; Intel’s was the megaphone. Perfect Passwords was a technical book aimed at people who already cared about security, and its password-day suggestion might have stayed buried there had a major technology company not adopted it. Intel Security promoted the day heavily from 2013 onward, and other firms, password-manager companies and online communities soon joined in, until it became a recognisable annual fixture across the cybersecurity industry. The choice of the first Thursday of May gave it a recurring, easy-to-remember slot untethered from any particular historical anniversary.
The day belongs to a wider family of observances built around information and communication — the literacy of World Read Aloud Day is about giving people access to the written word, while World Password Day is about defending the increasingly digital records of their lives. Both rest on the same modern premise: that ordinary people now navigate vast information systems and need help doing it safely.
History: Older Than the Computer
Passwords long predate computers. Watchwords and secret phrases have guarded gates, sentries and secret gatherings for millennia; Roman soldiers used a rotating watchword passed down the ranks each night. The digital password arrived early in computing history — the Compatible Time-Sharing System at MIT, in the early 1960s, is usually credited as one of the first systems to use passwords to keep one user’s work separate from another’s on a shared machine. As computing spread into banking, communication and eventually almost everything, the number of passwords each person had to manage multiplied alarmingly, and so did the ingenuity of those trying to steal them.
That same MIT system, incidentally, is also the site of one of the first recorded password breaches: in 1962 a researcher named Allan Scherr reportedly printed out the master password file to get more machine time than his allocation allowed. The quiet arms race the day responds to is, in other words, almost as old as the password itself.
A second crucial step came in the 1970s, when Robert Morris and Ken Thompson, working on the Unix operating system at Bell Labs, introduced the idea of storing passwords not as readable text but as the output of a one-way mathematical function, with a small random “salt” added to each. That principle — never keep the password itself, only a transformation of it — remains the foundation of how reputable systems protect credentials today, and it is why a well-run service can suffer a database breach without immediately handing attackers every user’s password in plain sight.
Why It Matters
The day exists because weak and reused passwords remain one of the most common ways accounts are compromised. People gravitate towards passwords that are easy to remember and therefore easy to guess, and they reuse the same one across many sites, so that a single breach can unlock dozens of accounts at once — a technique attackers automate at scale, known as credential stuffing. The consequences range from the merely annoying to the genuinely ruinous: drained bank accounts, stolen identities, hijacked businesses. World Password Day pushes back against complacency, framing good password habits as among the cheapest and most effective forms of self-defence available to anyone with an internet connection.
How It Is Observed
This is a day celebrated less with festivity than with housekeeping. Security firms and technology companies publish guidance, run awareness campaigns and offer practical tips, and the occasion is a prompt to do something concrete: replace weak passwords with stronger ones, set up a password manager, or switch on two-factor authentication for the accounts that matter most. Some workplaces treat it as a prompt to remind staff of good practice. The whole observance is unusual in that its “celebration” is really a to-do list — a set of small, sensible actions that quietly reduce risk.
Variations and the Wider Shift
Online security is borderless: a breach in one country can expose users everywhere, so the advice tends to be broadly consistent regardless of language or region, and the day is marked across many countries and platforms. It also captures a technology in transition. Fingerprints, face recognition, hardware keys and one-time codes increasingly supplement or replace the typed secret, and the industry is steadily pushing towards “passkeys” and other passwordless methods. The standards behind that shift come from the FIDO Alliance, an industry body founded in 2013 — the very year Intel launched the day — whose work Apple, Google and Microsoft jointly committed to supporting in 2022. A passkey replaces the shared secret with a pair of cryptographic keys, one held on the user’s device and one on the server, so that there is no password to phish, reuse or leak in a breach. There is a quiet irony in a day devoted to passwords becoming, in part, an occasion to discuss their retirement. Just as broadcast institutions reinvent themselves around occasions like UNESCO’s World Radio Day, the password is being reinvented even as it is celebrated — observed everywhere people log in, but no longer expected to last forever.
The Breaches That Made the Case
The day’s urgency is easiest to grasp through the breaches that keep proving its point. In 2012 the professional network LinkedIn lost a vast set of password hashes, and because they had been stored without salting, attackers cracked them in bulk; the full scale, well over a hundred million accounts, only became clear when the data resurfaced for sale in 2016. The same period saw the Yahoo breaches, ultimately disclosed to have affected all three billion of its accounts, the largest known compromise of its kind. These episodes did more than any awareness campaign to push the practical advice that World Password Day repeats: a password reused across sites turns one company’s failure into a personal catastrophe, which is precisely the gap a password manager and two-factor authentication are meant to close.
The researcher Troy Hunt turned this grim record into a public service with the site Have I Been Pwned, which lets anyone check whether their email or password has appeared in a known breach. It has become a fixture of the day, a tangible way to translate abstract warnings into the slightly unsettling experience of seeing one’s own credentials in a leaked list.
Symbols and Recurring Advice
The padlock is the day’s natural emblem, alongside the rows of asterisks and dots that stand in for hidden characters on screen. The advice repeated each year has itself become a kind of tradition: make passwords long and unique, never reuse them across important accounts, avoid obvious choices, and add a second layer of protection wherever possible. The password manager — software that generates and remembers complex passwords so people do not have to — has become a central theme, as has the gradual movement towards doing away with passwords altogether.
Fun Facts
- World Password Day began as a single suggestion in Mark Burnett’s 2005 book Perfect Passwords; Intel Security turned that line into an official observance in 2013.
- One of the first computer systems to use passwords, MIT’s Compatible Time-Sharing System in the early 1960s, also suffered one of the first known password leaks.
- Year after year, security firms’ analyses of leaked databases find that strings such as “123456” and the word “password” itself rank at the very top of the most common choices still in use, despite decades of warnings.
- The old security gospel — forcing frequent password changes and demanding cryptic character mixes — has been formally walked back by standards bodies, which now favour longer, memorable passphrases.
- Because the day falls on the first Thursday of May, its calendar date moves every year, making it one of the very few observances you genuinely have to look up each year.
A Closing Reflection
World Password Day is a rare holiday whose entire purpose is to nudge people into a small, slightly tedious task — and yet that task stands between strangers and our money, our memories and our identities. As the technology drifts towards a future with fewer passwords and more keys and biometrics, the day’s underlying lesson outlasts the password itself: the weakest link in security is almost never the mathematics, but the small human habits we never quite get around to fixing.




