Issue 016 · 5 May 2026

World Password Day

Amy Stokes-Waters · 5 minute read

On why performative awareness days are fucking nonsense.

It’s World Password Day this week. Yay!

The celebration we’ve all been waiting for. The jewel in the cyber security calendar. The culmination of weeks and months of work on organisational culture… building our people’s instinct… earning trust in every direction.

You rolled your eyes just then, didn’t you? Because you know that’s not true. So why then is every cyber marketing team this week about to make it seem that way?! The graphics. The padlocks. The Slack messages and emails headed “Important Reminder” that everyone reads with the same energy they bring to a fire drill at 3pm on a Friday. The LinkedIn posts from vendors who have been sitting on a World Password Day graphic since January, waiting for their moment. YES!


And do you know what? On that day, exactly as many people will reuse their password on three websites as did the previous day.

This is the Annual Awareness Trap. And you know, I’m poking fun at it here, but the sad thing is that’s how annual awareness training plays out in a lot of organisations, except with less fanfare. One day to be told about phishing. One day to be told to use a password manager. One day to be reminded about all of the many, many ways we need people to be vigilant with data security.

Let me be specific about what is actually happening here, because “awareness days don’t work” is too easy a sentence to type and too easy to dismiss.

The forgetting curve was documented by Hermann Ebbinghaus in 1885. You might know the headline already, but if not… let me lay it out for you: in his own experiments, roughly two-thirds of newly learned material was gone within 24 hours without reinforcement, and the losses kept mounting from there. Over a century later, we design annual training programmes as if he never wrote it down. Not 140 years of ignoring something obscure… 140 years of ignoring something that appears in the first chapter of every introductory learning theory textbook ever published. But then again, when did we ever give our security awareness people textbooks on learning theory?

In 2006, Nicholas Cepeda and colleagues published a meta-analysis (i.e. an analysis of analyses) of spaced repetition. They looked at 254 studies and confirmed what Ebbinghaus started: distributed practice over time produces dramatically better long-term retention than massed practice in a single session. Not slightly better. Dramatically better. The effect size is not marginal. It is the kind of finding that, if applied consistently, would make most of what we currently call security training structurally obsolete.

IBM’s skills data estimates that 30% of acquired skills become outdated annually. Which means that even if your training worked… even if your people left that session having absorbed something meaningful… the clock started ticking the moment the browser tab closed…

And we respond to this by throwing a little LinkedIn party about passwords on the first Thursday in May. Cool. Love that for us. I guess.

The REALLY annoying thing about World Password Day though is… passwords are not a knowledge gap. Nobody in your organisation genuinely does not know that “Password1” is a weak password. Nobody is reusing credentials across sites because they missed the memo. They are doing it because it is frictionless… because the threat feels abstract… because the inconvenience is immediate and the consequence is hypothetical.

That is a behaviour problem. And behaviour problems are not solved by information.

I have watched hundreds of teams inside escape room scenarios make decisions that contradict everything they were trained to know. Smart, experienced, well-intentioned professionals… clicking the wrong thing, sharing the wrong detail, plugging in the random USB, hesitating at exactly the moment they should act. Not because they did not know better. Because knowing and doing are not the same thing… and the gap between them does not close on its own.

Behaviour changes when the stakes feel real. When the decision has to be made under pressure. When the muscle memory gets built through repetition, not reminder.

An awareness day gives people a spike. A moment of slightly elevated attention that, by every measure of memory retention we have, has largely decayed within a few days. A calendar event does not create a habit. A graphic does not build instinct. A forwarded email from leadership does not change what someone does at 4pm on a Thursday when they are tired and they just want to get that project sorted.

Culture… real security culture… is not what happens on World Password Day.

It is what happens when nobody is watching. When someone pauses before clicking. When someone asks the question even though it feels awkward. When someone reports the thing they did wrong because they trust that the response will be to learn rather than to blame.

That culture does not come from annual events. It comes from rhythm. From repeated exposure. From practice that builds instinct rather than knowledge. From organisations that treat behaviour change as a design problem and not a content problem.

The spy thriller on your training platform is not creating that culture. The 20-minute click-through module with the certificate at the end is not creating that culture. And the padlock graphic on LinkedIn this week is not creating that culture. Soz.

The cycle is: Engagement, then Culture, then Instinct. In that order. Repeated. Across time.

If your October programme (Cybersecurity Awareness Month) looks like a busier version of World Password Day… you already know it is not going to be enough. The question is whether this is the year you do something about it.

That's it for this week. Reply and tell me what you think.

Amy

Amy Stokes-Waters · Founder, The Cyber Escape Room Co.