Cybersecurity leaders are using World Password Day to highlight a growing shift away from password-centric security, as AI-driven attacks make it easier to steal credentials across increasingly connected IoT environments.
They say that, rather than changing how passwords are broken, AI is dramatically scaling how they are stolen, particularly through more convincing phishing, impersonation, and social engineering campaigns targeting users and connected systems.
As commercial and industrial IoT deployments continue to scale, security controls have struggled to keep pace, leaving many organisations exposed across connected environments.
World Password Day serves as a timely reminder of these risks, but experts argue the issue is no longer simply about choosing stronger passwords. Instead, it reflects a broader challenge around identity management across sprawling digital and IoT ecosystems.
“AI does not fundamentally change how passwords are cracked; it makes stealing them through deception more efficient,” says Adrian Podkaminer, Head of Security at digital entertainment marketplace G2A.COM.
“Weak or reused passwords are still one of the primary attack vectors, but the threat landscape is also evolving through AI-enabled phishing and social engineering. Threat actors are increasingly using generative AI to scale credential-harvesting campaigns, create more convincing impersonation attempts, and produce fraudulent communications that are harder to distinguish from legitimate ones.”
A continuously managed system
Chris Newton-Smith, Chief Executive Officer at information security and data privacy specialist IO, says organisations need to move beyond point-in-time thinking about security.
“The real challenge isn’t that employees use weak passwords. It’s that organisations treat security as a series of one-off actions rather than a continuously managed system,” he says. “Password hygiene matters. But it’s one signal in a much bigger system. The question worth asking today isn’t ‘how strong is our password policy?’ It’s ‘what are we doing on every other day of the year?’”
The problem becomes more acute in IoT environments, where authentication is not limited to human users. Devices, sensors, and automated systems all require identities, often at scale, creating a far more complex security challenge than traditional IT environments.
Despite this, passwords remain widely used across IoT deployments, including default credentials and weak or reused logins that are rarely rotated. This creates an expanded attack surface that is difficult to monitor and even harder to secure consistently.
Michael Downs, Vice President at zero trust access solution company SecurEnvoy, adds that multi-factor authentication (MFA), the practice of requiring two or more authentication factors to access a system, is not in place in the majority of UK businesses.
“The problem isn’t that people need to choose stronger passwords, but that password hygiene alone won’t protect you once credentials are leaked or bought on the dark web. And they get leaked constantly,” he says. “Only 47% of organisations have deployed MFA as standard, which means the majority are one credential leak away from a serious incident.”
In IoT environments, that single compromised credential can be enough to expose entire device fleets or provide a foothold into wider operational systems.
Security researchers warn that attackers increasingly exploit predictable human behaviour rather than attempting to brute force credentials directly. Password reuse, minor variations, and predictable patterns remain common across both consumer and enterprise environments.
Tomer Bar, Associate VP of Security Research at security and resilience firm Semperis, explains how these weaknesses are exploited at scale:
“When people create long passwords, they often choose memorable options like reused patterns, small variations of old passwords, predictable phrases, or popular lyrics, quotes, and memes rather than random strings.”
Rainbow tables
Attackers then industrialise these weaknesses using techniques such as precomputed hash attacks:
“They also build rainbow tables: precomputed tables of password hashes. Because most systems store only hashes, not raw passwords, a rainbow table allows an attacker to reverse a hash back to the original password, if that password is in the table.”
While these techniques are not new, IoT environments amplify their impact due to the scale of connected devices, inconsistent security controls, and limited visibility across distributed systems.
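As an added illustration, not code from the article or from any of the companies quoted, the following shows why a precomputed hash lookup reverses unsalted fast hashes yet fails against a per-user salt plus a slow KDF; the candidate list is constructed, and the plain hash-to-plaintext dictionary is a simplified stand-in for the chained reduction structure of a real rainbow table.

```python
import hashlib
import os
import secrets

# Constructed sample of the "memorable" choices the quote describes:
# reused patterns, small variations of old passwords, popular phrases.
CANDIDATES = ["Summer2023!", "Summer2024!", "letmein", "Password1",
              "correcthorsebatterystaple"]


def unsalted_hash(password: str) -> str:
    """Legacy storage: one fast, unsalted hash. Identical passwords give
    identical hashes everywhere, so a table built once works against all."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext for each candidate (simplified rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stored_hash):
    """Reverse a stored hash only if that password was precomputed."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The salt makes any precomputed table useless; the iteration count
    makes building a per-salt table expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_salted(password: str):
    """Return (salt, hash) as a system would persist them for one user."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return secrets.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted:", lookup(table, unsalted_hash("Summer2024!")))   # recovered
    salt, stored = store_salted("Summer2024!")
    print("salted:", lookup(table, stored))                           # None
```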
Bar urges users to use a password manager to generate and store long, truly random passwords, and never to reuse them. He also advises turning on multi-factor authentication wherever possible and, for the few passwords a person must remember, using long, unique passphrases made of random words.