With both data breaches and fines on the rise, workplace password security has become more critical than ever. We've put together some practical tips to help.
One of the most common causes of a security breach is a weak password, made worse by people reusing the same password across many or all of their accounts. In our recent survey of finance professionals, 59% admitted to clicking on a link or opening an attachment that could have been a phishing scam or cyber attack.
People's attitude to password security is alarmingly lax, which can have costly repercussions for businesses. It is estimated that cybercrime costs the UK economy £27 billion per year. An estimated five billion unique user credentials (username and password combinations) are available to cybercriminals on the darknet, and many of them can grant access to corporate networks or bank accounts.
Credential stuffing: an attack where criminals feed large lists of stolen username and password pairs into the login pages of many online services, betting that users have reused the same login details across different sites.
Phishing: a social engineering technique where attackers pose as trustworthy sources, such as banks or service providers, to trick people into revealing sensitive information such as usernames, passwords or financial details.
Password spraying: an attack where the attacker tries a small number of commonly used passwords (e.g. 123456, password123, letmein) against many different usernames. Because each account sees only one or two failed attempts, the activity stays below the lockout thresholds that would stop a brute-force attack on a single account.
Keylogger: a form of spyware that secretly records every keystroke typed on a device. Keyloggers are often used in targeted attacks to capture credentials, including those for banking, cryptocurrency or other secure logins.
Brute force: a trial-and-error technique that systematically tries every possible combination of characters (or every entry in a wordlist) to guess passwords, encryption keys or hidden website pages.
Exposed passwords: a simple but common risk where passwords are left visible, such as written on sticky notes, stored in plain text files, or displayed on screens where others can see or steal them.
Coercion: a direct form of attack where someone uses threats or intimidation to force an individual to hand over login credentials or other sensitive information.
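Password spraying and credential stuffing look different from a brute-force attack in the authentication log, and that difference is what a defender keys on. The following Python is an added example written for this article, not code from the original page: it parses a constructed, hypothetical log format, flags sources that fail against many distinct accounts with only a couple of attempts each (the spraying/stuffing signature), separately flags sources hammering one account (classic brute force), and lists accounts that then logged in successfully from a spraying source. The log format, field names and thresholds are assumptions for the example.

```python
"""Separate password spraying / credential stuffing from single-account
brute force in authentication logs.

From the defender's side, spraying and stuffing share one signature: a
single source address failing against many *different* usernames, with
only one or two attempts per account (so per-account lockout never
fires).  Brute force is the opposite: many failures against one account.
Counting distinct usernames per source within a time window tells them
apart.  Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system).  Assumed format:
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.10
2024-05-01T09:00:03 FAIL user=bob src=203.0.113.10
2024-05-01T09:00:05 FAIL user=carol src=203.0.113.10
2024-05-01T09:00:07 FAIL user=dave src=203.0.113.10
2024-05-01T09:00:09 FAIL user=erin src=203.0.113.10
2024-05-01T09:00:11 FAIL user=frank src=203.0.113.10
2024-05-01T09:00:13 OK user=frank src=203.0.113.10
2024-05-01T09:01:00 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:02 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:04 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:06 FAIL user=alice src=198.51.100.7
2024-05-01T09:01:08 FAIL user=alice src=198.51.100.7
2024-05-01T09:05:00 FAIL user=grace src=192.0.2.44
2024-05-01T09:05:30 OK user=grace src=192.0.2.44
"""


def parse(log_text):
    """Return a list of (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        src = parts[3].split("=", 1)[1]
        events.append((ts, parts[1], user, src))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources that failed against >= min_users distinct accounts inside
    `window`, never exceeding max_per_user failures on any one of them.
    Returns {src: sorted list of targeted usernames}."""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[src] = sorted(set(alerts.get(src, ())) | set(counts))
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_fails=5):
    """Sources with >= min_fails failures against a single account inside
    `window`.  Returns {src: {user: failures_in_window}}."""
    stamps_by_pair = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            stamps_by_pair[(src, user)].append(ts)
    alerts = defaultdict(dict)
    for (src, user), stamps in stamps_by_pair.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_fails:
                alerts[src][user] = end - start + 1
    return dict(alerts)


def compromised_after_spray(events, spray_alerts):
    """Accounts that later logged in successfully from a spraying source:
    the spray probably found their password."""
    hits = set()
    for _, result, user, src in events:
        if result == "OK" and user in spray_alerts.get(src, ()):
            hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    spray = detect_spraying(evs)
    print("spraying:", spray)
    print("brute force:", detect_bruteforce(evs))
    print("likely compromised:", compromised_after_spray(evs, spray))
```

In the constructed sample, 203.0.113.10 is flagged as spraying (six accounts, one failure each, then a success for frank, who should be treated as compromised), while 198.51.100.7 is flagged as brute force against alice alone and grace's single typo at 192.0.2.44 triggers nothing. A per-account lockout would have stopped only the second source.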
So, what should you and your colleagues/staff do to reduce this risk and ensure they keep their passwords safe?
Your first line of defence is a well-crafted password. Avoid common or easily guessed passwords such as 123456 or password1. Instead, aim for a password that is long, unique to each account and not derived from anything an attacker could learn about you.
Don't use easily guessed passwords like 1234, 4321, qwerty, password or password123. Avoid words that can be found on your social media accounts, for example family names, pets, place of birth, school, favourite holiday, or anything related to your sports team or hobby; attackers routinely build guess lists from exactly this information.
Do not use:
Never write your passwords on sticky notes or notepads, or save them in plain text on your device. Avoid sharing them with others, no matter how trustworthy they seem. Reusing the same password across multiple sites multiplies the damage from a single breach: if one site is compromised, every account sharing that password is at risk. If you must write a password down, disguise it using a code or mnemonic only you would understand.
Routine, calendar-driven password changes are not required; the UK's NCSC advises against forced regular expiry because it pushes people towards weaker, predictable variations of the old password. What matters is changing a password promptly if you suspect it has been exposed, for example after a breach notification, a phishing scare or a lost device. A quick change shrinks the window in which stolen credentials remain useful to an attacker.
As promoted by the UK government's Cyber Aware campaign, using three completely random words, such as dogmoonpurple, makes passwords both strong and easier to remember. The strength comes from the length and from the size of the vocabulary the words are drawn from, not from decoration added afterwards. Swapping letters for look-alike digits or symbols (e.g. D0gm00npu4p!e) adds very little, because password-cracking tools apply exactly these substitutions automatically; if you want more strength, add a fourth word rather than decorating three.
Random password generators (most password managers include one) create long passwords that mix uppercase and lowercase letters, numbers and symbols, which is the right choice for any password you never have to type from memory. Alternatively, turn a sentence into a password by taking the first letter of each word and adding symbols and numbers (e.g. "I left my heart in San Francisco" → Ilmh1SF!). Use a sentence of your own rather than a well-known lyric or quotation, since crackers keep lists of those, and choose a longer sentence than this short example.
Tools like Dashlane, 1Password, KeePass or LastPass store all your passwords in an encrypted vault. You only need to remember one master password to access the rest, which makes it practical to use a long, unique, randomly generated password for every account. Because that master password now guards everything, make it a strong passphrase and protect the vault with 2FA where the product supports it.
2FA adds another layer of protection by requiring a second form of identification, such as a code from an authentication app, a hardware security key, or a code sent by text message or email, before granting access. Even if someone obtains your password, they can't log in without the second factor. Prefer an authenticator app or hardware key over SMS codes, which can be intercepted through SIM-swap attacks, but any second factor is far better than none.
Use a service like Have I Been Pwned to see whether your email addresses or passwords have appeared in known data breaches. Your email account deserves particular care: if it is compromised, attackers can reset your other accounts through password-recovery links, so secure it with a strong, unique password and 2FA.
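A practical worry with breach-checking services is that you have to hand them the very password you want checked. Have I Been Pwned's Pwned Passwords API avoids that with a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix sharing that prefix together with a breach count, so the match is completed locally and the service never sees the full hash. The Python below is an added example illustrating that protocol; it is not code from the article or from Have I Been Pwned. `fetch_range` performs a real HTTPS request to the documented range endpoint; the `CONSTRUCTED_RANGE_5BAA6` reply and its counts are made up so the rest runs offline.

```python
"""Check a password against Pwned Passwords without sending the password
or its full hash: the k-anonymity range protocol.

Client: SHA-1(password) -> 40 hex chars; send the first 5 to
https://api.pwnedpasswords.com/range/<prefix>.
Server: every 35-char suffix with that prefix, one "SUFFIX:COUNT" per line.
Client: look for its own suffix in the list.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of `password`."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range reply ("SUFFIX:COUNT" per line) and return the breach
    count for `suffix`, or 0 if it is absent.  Padding entries (count 0)
    are harmless: they only ever add zero."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real network call.  'Add-Padding: true' asks the server to pad the
    reply so its size does not reveal how populated the prefix is."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher=fetch_range) -> int:
    """Number of breaches `password` has appeared in (0 = not found).
    `fetcher` is injectable so the logic can be exercised offline."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetcher(prefix))


# Constructed stand-in for the server's reply to prefix 5BAA6, which is the
# prefix of SHA-1("password").  Counts are illustrative, not real figures.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D6A4F4E0A1E2B3C4D5E6F708192A3B4C5D:0
FFEE0011223344556677889900AABBCCDDE:12
"""


def offline_fetch(prefix: str) -> str:
    """Fake fetcher: only the constructed 5BAA6 range is known."""
    return {"5BAA6": CONSTRUCTED_RANGE_5BAA6}.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "dogmoonpurple"):
        print(candidate, "->", pwned_count(candidate, fetcher=offline_fetch))
```

Note what the server learns: one of roughly a million possible prefixes, shared by hundreds of real passwords, and nothing that identifies which one you hold. Swap `offline_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password should be retired immediately, regardless of how strong it looks.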
A secure password is long (ideally 12 or more characters), contains a mix of letters, numbers and symbols, and avoids obvious choices like names, birthdays or simple sequences.
A passphrase is a string of unrelated words (e.g. "BlueMonkeySkyLadder!") that is easier to remember but harder to crack because of its length. It's often more secure and more user-friendly than a short, complex password.
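The three-random-words advice, the warning about substitutions like D0gm00npu4p!e, and the rules above (12+ characters, nothing guessable from your social media, nothing on a common-password list) can all be made concrete with a little arithmetic. The Python below is an added example written for this article, not code from the original page or from the Cyber Aware campaign: it generates passphrases with a cryptographic random source, computes the entropy an attacker who knows the method must search, enumerates the variants a cracking rule set derives from a word, and screens a candidate against the article's rules. The word list, the common-password list and the substitution table are constructed for the example.

```python
"""Three-random-word passphrases: where the strength really comes from.

A passphrase of N words chosen uniformly at random from a list of size S
has N * log2(S) bits of entropy.  Substitutions such as o->0 applied
afterwards add at most a few bits, because cracking tools generate those
variants mechanically; a fourth word adds log2(S) bits.  The word list
and common-password list below are constructed for the example.
"""
import itertools
import math
import secrets

# Constructed toy list.  A real generator uses thousands of words (the EFF
# long list has 7,776), which is what gives the scheme its strength.
TOY_WORDS = ["dog", "moon", "purple", "blue", "monkey", "sky", "ladder", "river",
             "apple", "stone", "cloud", "tiger", "paper", "green", "silver", "bridge"]

# A few entries standing in for a real breached-password list.
COMMON_PASSWORDS = {"123456", "password", "password1", "password123",
                    "qwerty", "letmein", "1234", "4321"}

# Look-alike substitutions that cracking rule sets apply automatically.
LEET = {"o": "0", "a": "4", "e": "3", "i": "1", "s": "$", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}


def random_passphrase(n_words=3, words=TOY_WORDS, sep=""):
    """Pick words with the `secrets` CSPRNG (never the `random` module)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Bits an attacker who knows the method must search: n * log2(size)."""
    return n_words * math.log2(list_size)


def leet_variants(word):
    """Every candidate produced by optionally substituting each eligible
    letter; its size (2^k) is all the extra work the decoration costs."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    variants = set()
    for mask in itertools.product((0, 1), repeat=len(positions)):
        chars = list(word)
        for bit, i in zip(mask, positions):
            if bit:
                chars[i] = LEET[chars[i]]
        variants.add("".join(chars))
    return variants


def undo_leet(pw):
    """Map a decorated password back to its plain form, as a cracker does."""
    return "".join(UNLEET.get(c, c) for c in pw.lower())


def check_password(pw, personal_words=()):
    """Return the article's rules that `pw` breaks (empty list = passes).
    `personal_words` are things findable on the user's social media."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    elif undo_leet(pw) in COMMON_PASSWORDS:
        problems.append("character-substitution variant of a common password")
    for word in personal_words:
        if word.lower() in pw.lower():
            problems.append(f"contains personal word '{word}'")
    return problems


if __name__ == "__main__":
    print(random_passphrase(3, sep="-"))
    print(f"3 words from 7,776: {entropy_bits(7776, 3):.1f} bits; "
          f"4 words: {entropy_bits(7776, 4):.1f} bits")
    print("leet variants of dogmoonpurple:", len(leet_variants("dogmoonpurple")))
    print(check_password("P4$$w0rd"))
    print(check_password("RexLondon2019!", personal_words=["Rex", "London"]))
```

The numbers make the point: three words from a 7,776-word list give about 38.8 bits, a fourth word lifts that to 51.7, whereas dogmoonpurple has only four substitutable letters, so every o->0 / e->3 decoration an attacker has to try amounts to 16 candidates, or four extra bits. The checker also catches P4$$w0rd as a disguised "password", which is exactly what a cracking rule would do.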
Encourage the use of password managers, provide regular cybersecurity training, and implement policies that support strong, unique passwords, for example by allowing long passphrases, screening new passwords against known-breached lists, and not forcing routine expiry.
Our Essentials Library contains e-learning content designed to help organisations meet fundamental compliance requirements. If you are looking for focused training, our Data Protection Training Package offers a complete solution for your compliance programme. Some of the courses in the libraries include:
We've created a comprehensive GDPR roadmap to help you navigate the compliance landscape. If you would like to access leading insights and compliance tips, you can browse our free resources by topic to find guides, modules, compliance bites and more.