15 May 2026 Credential Security

World Password Day 2026: Why AI and Infostealers Have Made Passwords Obsolete for Australians

Every six minutes, a new cybercrime report lands with the Australian Signals Directorate. On World Password Day, observed on the first Thursday of May each year, the security community takes stock of how well our authentication practices are keeping pace. In 2026, the assessment is blunt: they are not. Infostealer malware has industrialised credential theft, AI-assisted phishing has made social engineering far harder to distinguish from legitimate correspondence, and an underground market for stolen credentials operates at a scale that treats passwords as a disposable commodity. This guide breaks down what has changed, why strong passwords alone are no longer an adequate defence, and what Australian individuals and small businesses should do now.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

What World Password Day 2026 Is Really Telling Us

World Password Day was launched in 2013 as a simple nudge: pick a stronger password, don't reuse it, change it regularly. Thirteen years later, the event has shifted tone dramatically. Industry commentary across Australian security publications — including Cyber Daily and SMBtech — reflects a growing consensus: the traditional password conversation has become a distraction. The question is no longer "how do I make my password stronger?" It is "how do I stop depending on passwords at all?"

That shift in framing reflects a genuine change in the threat environment. The Australian Signals Directorate's Annual Cyber Threat Report 2024–25 recorded over 84,700 cybercrime reports — one every six minutes — with credential theft driving a growing proportion of those incidents. The average cost per incident to a large Australian business reached $202,700 in FY2024–25, a 219 per cent increase from the prior year.

Australian industries most affected include financial services, healthcare, and retail — sectors where employee credential theft via phishing or infostealer malware is the preferred initial access vector. In the first quarter of 2026 alone, approximately 1.1 million Australian accounts appeared on dark web marketplaces, according to threat intelligence reporting. The pattern is consistent: attackers are not typically breaking in via exotic zero-day exploits. They are logging in with stolen credentials, acquired cheaply and at scale from an industrialised underground ecosystem.

The timing of World Password Day in 2026 carries added significance. The FIDO Alliance simultaneously observed "World Passkey Day" on 1 May, announcing that an estimated 5 billion passkeys are now deployed globally. Ninety per cent of people are aware of passkeys; 75 per cent have activated one on at least one account. The industry is no longer debating whether passwordless authentication is theoretically viable — it is debating rollout strategy and timeline.

For Australian SMBs, that milestone matters because the tools are no longer experimental. Passkeys are built into Microsoft 365, Google Workspace, and the major Australian banking apps as standard features. The barrier is not technical availability; it is organisational inertia. World Password Day 2026 is, in effect, the industry's collective push to resolve that inertia before the next wave of infostealer campaigns lands.

How Infostealers Have Industrialised Credential Theft

Understanding why password complexity no longer matters as much as it once did requires understanding how modern credential theft actually works. The dominant attack path in 2026 is not brute-force guessing — it is infostealer malware delivered via phishing emails, malicious advertisements, trojanised software downloads, and compromised browser extensions.

Infostealers are lightweight malware designed to harvest everything a browser knows: saved passwords, session cookies, autofill data, and cryptocurrency wallet files. They run silently, exfiltrate data within minutes, and self-delete. The credentials they harvest are packaged into "logs" and sold on Telegram channels and dark web markets — often within hours of infection.

The market has professionalised. Subscriptions to leading infostealer families cost on the order of a few hundred US dollars per month, cheaper than many business software licences. The three most-tracked families, LummaC2, StealC, and RedLine, accounted for over 75 per cent of infections in recent threat intelligence, and they operate as Malware-as-a-Service with release cadences, technical support, and customer service channels. LummaC2 was disrupted by a coordinated law enforcement action in mid-2025 but recovered within weeks and is back at operational scale.

The scale of resulting credential exposure is difficult to overstate. In 2024, infostealer malware compromised 3.9 billion credentials across 4.3 million devices globally. Each infected device yielded an average of 1,861 browser cookies, and among those are the live session cookies that let an attacker step straight into an authenticated session, bypassing multi-factor authentication without ever needing the underlying password.

That last point is critical for Australian businesses that assume MFA protects them. A session cookie is issued after authentication has already succeeded, so an attacker who holds a live, unexpired cookie does not need your password or your second factor: the browser has already done the authenticating, and the cookie is the proof. This holds whatever MFA method was used for the original sign-in. SMS codes and push prompts are the weakest options for a different reason (they can be relayed through a phishing page), but a stolen cookie skips the sign-in entirely. The ACSC's infostealer guidance treats cookie theft as an expected outcome of any infostealer infection on an internet-connected Windows endpoint, and recommends including it in baseline threat modelling rather than treating it as an edge case.

How AI Has Changed the Credential Threat Landscape Permanently

Infostealers require the target to run malware. AI has expanded the attack surface in two significant ways: making the phishing campaigns that deliver infostealers far more convincing, and introducing new vectors for credential compromise that do not require malware delivery at all.

AI-personalised phishing at mass-phishing prices

Traditional phishing is recognisable once you know the signals: generic greetings, awkward phrasing, mismatched sender domains. AI-generated phishing eliminates most of those tells. Threat actors now use large language models to craft messages that reference the recipient's actual role, employer, and recent activity — sourced from LinkedIn, corporate websites, and previously leaked data sets. The result is spear-phishing precision at mass-phishing cost.

Check Point Research's analysis for March 2026 found that one in every 28 GenAI prompts submitted from enterprise environments posed a high risk of sensitive data leakage, affecting 91 per cent of organisations using GenAI tools. A further 17 per cent of all prompts contained potentially sensitive information. This matters not only because of direct leakage risk — it matters because the data fed into public AI tools increasingly includes credentials, API keys, and authentication tokens that employees share inadvertently during routine tasks.

AI-assisted credential cracking and pattern prediction

GPU acceleration has made offline password cracking faster than most organisations assume. An eight-character password drawn from uppercase, lowercase, digits and symbols, once considered reasonably secure, can be exhausted in well under a day on a single modern GPU and in under an hour on a small rig, provided the breached service stored it with a fast, unsalted hash such as NTLM or MD5. Against a correctly configured slow hash (bcrypt, scrypt, Argon2) the same exhaustive search would take centuries, which is why the practical threat is not brute force but pattern-guided guessing. Models trained on previous breach data sets predict likely password structures with high accuracy, collapsing the search space for constructions common in Australian workplaces: Company@Year!, Welcome1!, or a city name combined with a memorable date.
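The two claims above (an eight-character random password falls in under an hour; a thirteen-character pattern password is weaker than it looks) can be checked with a few lines of arithmetic. The following is an added example written for this page, not code from the article or from any cracking tool; the hash rates are assumed round figures for a single consumer GPU rather than measurements, and the dictionary sizes in the hybrid attack are likewise assumptions.

```javascript
// Added example: estimate how long an exhaustive search of a password space
// takes, and how much a predictable pattern shrinks that space. Hash rates
// are ASSUMED round figures for one consumer GPU, not measurements; plug in
// benchmark numbers for your own hardware.

const CHARSET_SIZE = { '?l': 26, '?u': 26, '?d': 10, '?s': 33, '?a': 95 };

// Assumed single-GPU rates in hashes per second. NTLM and MD5 are fast,
// unsalted hashes; bcrypt at cost 10 is deliberately slow.
const ASSUMED_RATES = { ntlm: 2.5e11, md5: 1.5e11, sha256: 2.0e10, bcrypt10: 6e3 };

// Candidate count for a hashcat-style mask such as '?u?l?l?l?l?l?l?d?d?d?d?s'.
function maskKeyspace(mask) {
  let n = 1n;
  for (const token of mask.match(/\?[ludsa]/g) || []) n *= BigInt(CHARSET_SIZE[token]);
  return n;
}

// Candidate count for a hybrid attack: dictionary word x separator x year x suffix.
function hybridKeyspace({ words, separators, years, suffixes }) {
  return BigInt(words) * BigInt(separators) * BigInt(years) * BigInt(suffixes);
}

// Hours to try every candidate at `rate` hashes/s across `gpus` cards.
// The expected time to hit any one password is about half of this.
function hoursToExhaust(keyspace, rate, gpus = 1) {
  return Number(keyspace) / (rate * gpus) / 3600;
}

// Worked comparison: a random 8-character password versus a 13-character
// "Company@2026!" style pattern, against fast and slow hashes.
function report() {
  const random8 = maskKeyspace('?a?a?a?a?a?a?a?a');
  // Assumed: 1,000 employer/team/city names, 2 separator styles,
  // 30 plausible years and 33 trailing symbols.
  const pattern = hybridKeyspace({ words: 1000, separators: 2, years: 30, suffixes: 33 });
  return {
    random8_ntlm_1gpu_hours: hoursToExhaust(random8, ASSUMED_RATES.ntlm),
    random8_ntlm_8gpu_hours: hoursToExhaust(random8, ASSUMED_RATES.ntlm, 8),
    random8_bcrypt_1gpu_years: hoursToExhaust(random8, ASSUMED_RATES.bcrypt10) / 8760,
    pattern_bcrypt_1gpu_hours: hoursToExhaust(pattern, ASSUMED_RATES.bcrypt10),
  };
}

console.table(report());
```

The point the numbers make is that the storage hash decides whether length matters at all: a random eight-character password survives tens of thousands of years under bcrypt but under an hour under NTLM on a small rig, while a thirteen-character pattern password that any colleague could guess falls in minutes even under bcrypt.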

The same commodity economics apply to the malware that makes cracking unnecessary in the first place. According to the Check Point World Password Day 2026 report, subscriptions to top-tier infostealer services range from USD $100 to USD $1,024 per month, a market accessible to criminal operators with modest budgets rather than a nation-state capability.

Session hijacking: no credentials required

The most technically significant evolution in credential attacks is session hijacking via stolen cookies. When an infostealer captures a valid browser session cookie, an attacker can import it into their own browser and act as the victim: no password entered, no MFA prompt triggered. This technique, reported in the 2025 Vercel breach and the 2026 Canvas LMS incident, is now a standard step in infostealer playbooks. Phishing-resistant FIDO2 authentication is the right answer to the phishing half of this problem: the credential is a private key held by the authenticator and scoped to the registered origin, so a look-alike domain cannot obtain a usable signature and a relayed login fails. It does not, however, protect a session cookie issued after a genuine login; that cookie is just as replayable whether the sign-in used SMS, push or a passkey. Cookie theft has to be addressed separately: keep infostealers off endpoints, keep session lifetimes short and require re-authentication for sensitive actions, use device-bound session credentials or token protection where the platform offers them, and revoke sessions promptly after any suspected compromise.

What Australian Businesses and Individuals Must Do Now

The tools to address this threat landscape are available, affordable, and compatible with how Australian SMBs already work. The shift does not require replacing entire IT infrastructure — it requires deliberate changes to authentication practices and credential hygiene, applied in the right order.

Step 1: Eliminate password reuse with a dedicated password manager

The most persistent attack vector is credential reuse: the same password or a minor variant used across multiple accounts. When one service is breached, every account sharing that credential becomes accessible. A password manager eliminates reuse by generating unique, random passwords for every service and storing them in an encrypted vault.

For Australian SMBs looking at a solution with business-grade controls, NordPass Business is maintained by the Nord Security team and includes centralised admin controls, employee breach monitoring, and native passkey support — meaning it bridges the transition from passwords to passwordless authentication without forcing an abrupt, disruptive switch. The breach monitoring feature alerts administrators when an employee's credentials appear in a newly discovered data set, closing the gap between a leak occurring and the compromised credential being rotated.

Step 2: Enable phishing-resistant MFA on all internet-facing accounts

Where passwords cannot yet be eliminated, the ASD Essential Eight's Maturity Level 2 requires phishing-resistant MFA for users of online services. In practice that means FIDO2/WebAuthn credentials (hardware security keys or device-bound passkeys) or smart cards; SMS codes, authenticator-app OTPs and push notifications do not qualify, because all three can be relayed through a phishing page. Microsoft Entra ID and Google Workspace both support FIDO2 natively. The Australian Signals Directorate recommends prioritising phishing-resistant MFA for internet-facing services and privileged accounts, with broader rollout following once IT administrators have tested account recovery and lost-authenticator procedures, since a passkey rollout without a recovery path simply moves the risk to the helpdesk.

Step 3: Audit active sessions and rotate credentials after any suspected exposure

Because session cookie theft is now a primary attack vector, organisations should establish a routine of reviewing active authenticated sessions for critical services (cloud platforms, email, accounting software) and terminating sessions that cannot be verified. Most enterprise platforms provide a "sign out all other sessions" function; using it after any suspected phishing click or device compromise limits the attacker's window even if a cookie was stolen. Two caveats apply. First, revoking sessions typically invalidates cookies and refresh tokens but not access tokens already issued, which remain usable until they expire, so the revocation should be paired with a password reset and a check of the account's registered MFA methods. Second, look for persistence the attacker may have added while the session was live: new OAuth application consents, mailbox forwarding rules, and newly registered authenticator devices.
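A session review is easier to operationalise as a detection than as a manual habit. The heuristic below is an added example written for this page, not code from the article or from any identity provider: a cookie imported into an attacker's browser keeps the victim's session identifier but shows up with a different client fingerprint and no fresh authentication event. The log lines are constructed, and the field names (event, session, ip, ua) are assumptions to be mapped onto your own IdP or SaaS audit log; a user-agent change mid-session is treated as a strong signal (browsers do not share cookie jars), while an IP-only change is deliberately rated low because mobile and VPN users roam.

```javascript
// Added example: flag sessions whose cookie appears to have been replayed
// from another client. Log lines are CONSTRUCTED; field names are assumptions.

const SAMPLE_LOG = [
  '{"ts":"2026-05-12T08:02:10Z","event":"signin","user":"j.smith","session":"s-1001","ip":"203.0.113.10","ua":"Chrome/136 Windows","mfa":"push"}',
  '{"ts":"2026-05-12T08:05:44Z","event":"request","user":"j.smith","session":"s-1001","ip":"203.0.113.10","ua":"Chrome/136 Windows","path":"/mail"}',
  '{"ts":"2026-05-12T11:41:03Z","event":"request","user":"j.smith","session":"s-1001","ip":"198.51.100.77","ua":"Firefox/138 Linux","path":"/admin/users"}',
  '{"ts":"2026-05-12T11:41:09Z","event":"request","user":"j.smith","session":"s-1001","ip":"198.51.100.77","ua":"Firefox/138 Linux","path":"/admin/export"}',
  '{"ts":"2026-05-12T09:15:00Z","event":"signin","user":"a.nguyen","session":"s-1002","ip":"203.0.113.22","ua":"Safari/18 macOS","mfa":"fido2"}',
  '{"ts":"2026-05-12T09:16:30Z","event":"request","user":"a.nguyen","session":"s-1002","ip":"203.0.113.22","ua":"Safari/18 macOS","path":"/mail"}',
  '{"ts":"2026-05-12T10:00:00Z","event":"request","user":"a.nguyen","session":"s-1002","ip":"203.0.113.23","ua":"Safari/18 macOS","path":"/mail"}',
];

// Parse JSON lines and order them by timestamp (ISO-8601 sorts lexically).
function parseLog(lines) {
  return lines.map((l) => JSON.parse(l)).sort((a, b) => a.ts.localeCompare(b.ts));
}

// Compare every request against the fingerprint captured at the session's
// sign-in. One finding per (session, kind) so a noisy session is not repeated.
function findReplayedSessions(lines) {
  const sessions = new Map();   // session id -> { ip, ua } recorded at sign-in
  const seen = new Set();
  const findings = [];
  const report = (e, kind, severity, reason) => {
    const key = `${e.session}:${kind}`;
    if (seen.has(key)) return;
    seen.add(key);
    findings.push({ session: e.session, user: e.user, at: e.ts, severity, reason });
  };
  for (const e of parseLog(lines)) {
    if (e.event === 'signin') { sessions.set(e.session, { ip: e.ip, ua: e.ua }); continue; }
    const fp = sessions.get(e.session);
    if (!fp) { report(e, 'no-auth', 'medium', 'activity on a session with no sign-in in the log window'); continue; }
    if (e.ua !== fp.ua) {
      report(e, 'ua', 'high', `user-agent changed from "${fp.ua}" to "${e.ua}" with no re-authentication`);
    } else if (e.ip !== fp.ip) {
      report(e, 'ip', 'low', `IP changed from ${fp.ip} to ${e.ip}; corroborate with ASN/geo before acting`);
    }
  }
  return findings;
}

// Response plan for high-severity hits, matching Step 3: revocation alone
// leaves issued access tokens and any persistence the attacker added.
function triage(findings) {
  return findings
    .filter((f) => f.severity === 'high')
    .map((f) => ({
      session: f.session,
      user: f.user,
      actions: ['revoke all sessions and refresh tokens', 'reset password',
        'review registered MFA methods', 'review OAuth consents and mailbox rules'],
    }));
}

console.log(findReplayedSessions(SAMPLE_LOG));
console.log(triage(findReplayedSessions(SAMPLE_LOG)));
```

In production you would run this over the IdP's sign-in and non-interactive activity logs rather than application logs, and the "no sign-in in the log window" case usually means the window is too short rather than that a cookie was forged; widen it before escalating.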

Step 4: Train staff specifically on infostealer delivery methods

Infostealers arrive via phishing emails, malicious advertisements, trojanised software, and browser extension updates. Staff awareness training that focuses specifically on these delivery vectors, including the ClickFix social engineering technique the ACSC flagged in April 2026, in which a fake error or verification page talks the user into pasting a command into the Run dialog or a terminal, is a necessary complement to technical controls. An employee who installs a trojanised browser extension sidesteps every password policy and MFA control the organisation has in place, because the malware harvests credentials and session cookies after the user has already authenticated.

The Road to Passwordless: Passkeys, FIDO2, and the Essential Eight

The long-term trajectory of authentication is no longer speculative. FIDO2 passkeys are on track to replace passwords as the primary credential for most consumer and business services within the next few years, a direction supported by both adoption data and regulatory signals in Australia.

The FIDO Alliance's World Passkey Day announcement on 1 May 2026 put the figures cited above (5 billion passkeys in use, 90 per cent awareness, 75 per cent of people with at least one passkey activated) alongside an enterprise number that matters more for this audience: 68 per cent of organisations report they have deployed or are actively deploying passkeys for employee sign-ins, so enterprise adoption is outpacing consumer rollout.

The Essential Eight context for Australian organisations

For Australian organisations following the ASD Essential Eight framework, phishing-resistant MFA has been a Maturity Level 2 requirement since November 2023. This is not optional guidance for organisations subject to the framework — it is a baseline control with defined compliance expectations. Cyber insurers are increasingly factoring authentication posture into premium structures and coverage scope, with policies beginning to distinguish between organisations using phishing-resistant MFA and those still relying on push notifications or SMS codes.

Organisations still on legacy MFA methods should expect coverage for credential-based breaches to narrow as insurer policy language catches up with the known limitations of push and OTP authentication. Review your current MFA configuration against the ACSC's Essential Eight guidance, and do it sooner if your organisation renewed a cyber insurance policy in the last twelve months without upgrading authentication controls.

Practical rollout for Australian SMBs

The pragmatic path for most Australian SMBs involves three sequenced steps: enable passkeys alongside existing MFA on Microsoft Entra or Google Workspace; train staff to enrol their primary work device as a passkey authenticator; and phase out SMS-based MFA over six to twelve months, starting with the highest-risk accounts — IT administrators, finance, HR, and anyone with access to customer personal information subject to the Notifiable Data Breaches scheme.

A business password manager like NordPass Business supports this transition by storing passkeys alongside traditional passwords in a single auditable vault, allowing teams to manage both credential types during the transition period without losing access to legacy services that have not yet implemented passkey support. It also provides emergency access procedures — important for SMBs that cannot afford a scenario where a departing administrator's credentials become inaccessible.

What this means for Notifiable Data Breach obligations

Under Australia's Privacy Act, an organisation that suffers a data breach involving personal information must notify the Office of the Australian Information Commissioner and the affected individuals if the breach is likely to result in serious harm. Credential theft that enables subsequent unauthorised access to personal records is one of the most common triggers for NDB notifications. Phishing-resistant authentication materially reduces the probability of that trigger being met, which is why the ASD (through the ACSC) and Australian cyber insurers now treat it as a baseline control, not an aspirational best practice.

The message from World Password Day 2026 is not that security has failed. It is that the threat model has evolved faster than the average organisation's authentication practices. The tools to close that gap are available today, built into the platforms most Australian businesses already pay for. The cost of not using them is measurable in breach statistics that the ACSC logs every six minutes.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.