How to Boost Workplace Password Security

Last updated: August 04, 2025

With both data breaches and fines on the rise, workplace password security has become more critical than ever. We have some practical tips to help.

Key takeaways

  • Weak passwords are a major cybersecurity risk. Reusing passwords or using simple ones like "123456" makes it easy for hackers to breach systems through brute-force or credential-stuffing attacks.
  • Strong, unique passwords and passphrases are essential. Encourage staff to use long, complex passphrases or password manager tools to generate and store secure credentials.
  • Two-factor authentication (2FA) enhances security. Implementing 2FA adds an extra layer of protection, making it harder for attackers to gain access even if passwords are compromised.


One of the most common causes of a security breach is weak passwords, with people often reusing them for multiple or all accounts. In our recent survey of finance professionals, 59% admitted to clicking on a link or opening an attachment that could have been a phishing scam or cyber attack.

People's attitude to password security is alarmingly lax, which can have costly repercussions for businesses. Cybercrime is estimated to cost the UK economy $27 billion per year, and an estimated five billion unique user credentials (e.g. username and password combinations) are available to cybercriminals on the darknet, credentials that can grant access to corporate networks or bank accounts.

How do hackers steal passwords?

a. Credential stuffing

A cyberattack where hackers use large lists of stolen usernames and passwords to try and gain access to multiple online accounts, hoping that users have reused the same login details across different services.

b. Phishing

A social engineering trick where attackers pose as trustworthy sources, like banks or service providers, to trick individuals into revealing sensitive information such as usernames, passwords, or financial details.

c. Password spraying

An attack method where hackers attempt to access accounts by trying a few commonly used passwords (e.g., 123456, password123, letmein) across many different usernames. Because each account sees only a handful of failed attempts, the attack avoids triggering account lockouts.

d. Keylogging

A form of spyware that secretly records every keystroke typed on a device. Keyloggers are often used in targeted attacks to capture sensitive credentials, including those for banking, cryptocurrency, or secure logins.

e. Brute force

A trial-and-error hacking technique that systematically attempts every possible combination of characters to guess passwords, encryption keys, or hidden website pages.

f. Local discovery

A simple but common risk where passwords are left visible, such as written on sticky notes, stored in plain text files, or displayed on screens that allow others to see or steal them.

g. Extortion

A direct form of attack where someone uses threats, coercion, or intimidation to force an individual to hand over login credentials or other sensitive information.

How can you improve workplace password security?

So, what should you and your colleagues or staff do to reduce this risk and keep passwords safe?

1. Choose a strong and unique password

Your first line of defence is a well-crafted password. Avoid using common or easily guessed passwords like 123456 or password1. Instead, aim for a password that is:

  • At least 8–12 characters long – the longer, the better.
  • A mix of uppercase and lowercase letters, numbers, and special characters (e.g., !, @, #, $).
  • Unique to each account – never reuse passwords across different services, as this increases the risk if one site is breached.
  • Not based on personal information like your name, birthdate, or pet’s name, which can often be guessed or found online.

For example, instead of using Summer2024, opt for something more complex and less predictable like 6x!M@rbleZ2*.

Consider using a password manager, which securely stores and auto-fills passwords when needed, to make managing strong, unique passwords easier.

2. Avoid obvious passwords

Don't use easily guessed passwords like 1234, 4321, qwerty, password and password123. Avoid using words that can be found on social media accounts - for example, family names, pets, place of birth, school, favourite holiday, or something related to your sports team or hobby.

Do not use:

  • Names or business names.
  • Family members' or pets' names.
  • Your own or your family's birthdays.
  • Your favourite sports team or other words easily guessed by acquaintances.
  • The word 'password' or numerical sequences. A survey of data breaches showed "123456" was used as a password 23 million times!
  • Single common dictionary words, such as 'kitchens', which cracking programs guess easily.
  • Recycled passwords (e.g. Jon2, Jon3 etc.).
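The rules in sections 1 and 2 can be enforced at the point where a password is set. The following checker is an added example, not code from the original post: the common-password and dictionary lists are constructed stand-ins (a real deployment would load breach-derived lists from files), and the `personal_info` and `previous` parameters are assumptions about what the calling system knows about the user.

```python
import re

# Constructed sample lists; replace with full breach-derived and dictionary lists in practice.
COMMON_PASSWORDS = {"123456", "password", "password1", "password123",
                    "qwerty", "1234", "4321", "letmein"}
DICTIONARY_WORDS = {"kitchens", "summer", "monkey", "ladder", "purple"}

# Four-digit ascending or descending runs, e.g. 1234 or 4321.
_DIGIT_RUN = re.compile(r"0123|1234|2345|3456|4567|5678|6789|"
                        r"9876|8765|7654|6543|5432|4321|3210")


def _stem(password: str) -> str:
    """Strip trailing digits and symbols, so 'Jon2' and 'Jon3' share the stem 'jon'."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def check_password(password: str, personal_info=(), previous=(), min_len=12):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: guessable strings about the user (name, pet, birth year, team).
    previous: the user's earlier passwords, used to catch recycled variants.
    """
    problems = []
    lower = password.lower()
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_lower and has_upper and has_digit and has_symbol):
        problems.append("must mix upper, lower, digits and symbols")
    if lower in COMMON_PASSWORDS:
        problems.append("in the common-password list")
    if password.isdigit() or _DIGIT_RUN.search(password):
        problems.append("numeric sequence")
    if _stem(password) in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    for info in personal_info:
        if info and info.lower() in lower:
            problems.append(f"contains personal information '{info}'")
    if any(old and _stem(old) and _stem(old) == _stem(password) for old in previous):
        problems.append("recycled variant of a previous password")
    return problems
```

Running it on the post's own examples: `6x!M@rbleZ2*` passes, while `Summer2024` and `Jon3` (after `Jon2`) are rejected for the reasons the lists above describe.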

3. Keep passwords safe

Never write your passwords on sticky notes or notepads, or save them in plain text on your device. Avoid sharing them with others, no matter how trustworthy they seem. Reusing the same password across multiple sites increases your vulnerability: if one site is breached, all accounts that share the password are at risk. If you must write a password down, disguise it using a code or mnemonic only you would understand.

4. Change your password regularly

While you don’t need to update your password every week, it’s a good habit to change it periodically, especially if you suspect someone else may have gained access. Regular updates reduce the window of opportunity for attackers to exploit stolen credentials.

5. #thinkrandom

As promoted by the UK government's Cyber Aware campaign, using three completely random words, such as dogmoonpurple, makes passwords both strong and easier to remember. Enhance them with symbols, numbers, or by altering letters (e.g. D0gm00npu4p!e) to increase security without sacrificing memorability.

6. Use a random password generator

Random password generators can create secure, hard-to-guess passwords that mix uppercase and lowercase letters, numbers, and symbols. Alternatively, turn a sentence or line from a song into a password by taking the first letter of each word and adding symbols and numbers (e.g. "I left my heart in San Francisco" → Ilmh1SF!).

7. Use password management software

Tools like Dashlane, 1Password, KeePass, or LastPass store all your passwords in an encrypted vault. You only need to remember one master password to access the rest. This makes it easier to use long, unique passwords without the risk of forgetting them.

8. For added security, use two-factor authentication (2FA)

2FA adds another layer of protection by requiring a second form of identification, such as a text message, email code, or authentication app, before granting access. Even if someone obtains your password, they won’t be able to log in without the second factor.

9. Regularly check your email addresses

Use tools like Have I Been Pwned to see if your email addresses or passwords have been exposed in known data breaches. If your email is compromised, hackers can reset other accounts using password recovery links, so it’s critical to secure it with a strong, unique password and 2FA.
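Have I Been Pwned's Pwned Passwords service exposes a k-anonymity range API: the client sends only the first five hex characters of the password's SHA-1 hash and matches the remaining 35 characters locally, so the password itself never leaves the machine. The code below is an added example, not Have I Been Pwned's own client; the sample response body is constructed (the hash of "password" is real, the counts are made up), and `fetch_range` only runs if you call it with network access.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API; responses are 'SUFFIX:COUNT' lines.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into its 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(body: str, suffix: str) -> int:
    """Return the breach count for suffix from a range response, or 0 if it is absent."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the range for a 5-char hash prefix from the live API (needs network access)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "workplace-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body=None) -> int:
    """How often the password appears in known breaches.

    range_body is the response for the password's own prefix; pass it explicitly
    for offline use, or leave it None to query the live API.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return count_in_range_response(range_body, suffix)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is real; all counts and the other suffixes are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "00A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "FFEEDDCCBBAA99887766554433221100FFEE:1",
])
```

A non-zero count means the password has appeared in a public breach and should be replaced, whatever its apparent complexity.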

Password security FAQs

What makes a password secure?

A secure password is long (ideally 12+ characters), contains a mix of letters, numbers, and symbols, and avoids obvious choices like names, birthdays, or simple sequences.

What is a passphrase, and is it better than a password?

A passphrase is a string of unrelated words (e.g., "BlueMonkeySkyLadder!") that's easier to remember but harder to crack. It’s often more secure and user-friendly than traditional complex passwords.

How can organisations help staff manage secure passwords?

Encourage the use of password managers, provide cybersecurity training, and implement policies that support strong, unique password creation.

Want to learn more about GDPR?

Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection Training Package offers a complete solution for your compliance programme. Some of the courses in the libraries include:

We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.
