Are your passwords safe?

Ensuring your accounts have strong password security is a key technical defence that protects your internal systems and communications from unauthorised access. Many organisations unknowingly rely on weak, outdated, and poorly managed credentials. For UK SMEs the risk is especially acute: a weak security barrier can lead to reputational damage, financial loss and compliance failures, all stemming from password-related data breaches triggered by phishing and cyber-attacks. Larger organisations are not exempt either; failing to implement appropriate security measures and secure authentication protocols is a simple way to put your business's security at risk.

What makes a password strong? 

A strong password must be convenient for the account holder (accessible, memorable), hard for anyone else to work out, and resistant to automated guessing tools. We suggest users:

  • Aim for at least 12 to 16 characters.  
  • Avoid predictable patterns. Steer clear of sequences like “1234” or “asdfg”, which are easy to guess because they follow familiar keyboard layouts or a common numerical order.
  • Use unique passwords for every account. Reusing the same password across systems lets an attacker who obtains it access multiple systems and exploit other accounts, intensifying an already critical data breach.
  • Exclude personal details. Avoid using names, birthdays, company names, or job titles in passwords. These details are often publicly available and easy to find out.

How can my password be discovered? 

Cyber-criminals use a range of well-documented techniques to uncover passwords. It is worth noting that many of these require only basic tools or moderate technical skill. Some common methods include:

  • Phishing: Impersonating internal contacts (like IT, the finance team or senior leadership) to trick users into sharing login details.
  • Brute-force attacks: Systematically guessing password combinations using automated tools.
  • Credential theft through malware or compromised systems: Attackers use malicious software, or gaps in defences such as firewalls, to reach the systems that store credentials. This is especially easy if internal passwords are saved in browsers or unsecured files.
  • Manual guessing: Using personal information or predictable formats (e.g. company name, year) to guess passwords.
  • Careless storage: Passwords on display while being typed, or written on sticky notes or paper left around computers in open-plan offices.

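Brute-force attempts of the kind listed above leave a distinctive trace in authentication logs: a burst of failed logins from one source, often against several usernames. The following sliding-window detector is an added example written for this article, not a tool the authors describe; the log lines are constructed in an sshd-like format, and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format; illustrative, not real logs.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[101]: Failed password for alice from 203.0.113.7 port 5001
2024-05-01T09:00:03 sshd[101]: Failed password for alice from 203.0.113.7 port 5002
2024-05-01T09:00:05 sshd[102]: Failed password for admin from 203.0.113.7 port 5003
2024-05-01T09:00:07 sshd[102]: Failed password for invalid user root from 203.0.113.7 port 5004
2024-05-01T09:00:09 sshd[103]: Failed password for bob from 203.0.113.7 port 5005
2024-05-01T09:00:11 sshd[103]: Failed password for bob from 203.0.113.7 port 5006
2024-05-01T09:00:12 sshd[104]: Failed password for carol from 198.51.100.9 port 6001
2024-05-01T09:00:30 sshd[104]: Accepted password for carol from 198.51.100.9 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag a source IP the first time it accumulates `threshold` failed logins
    within any `window_seconds` span.  Returns
    {ip: {"first_flagged": datetime, "users": sorted usernames attempted}}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # unrelated line; ignore
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        users[ip].add(m["user"])
        if m["result"] != "Failed":
            continue              # successes do not count towards the burst
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_flagged": ts}
    for ip in alerts:
        alerts[ip]["users"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: {len(info['users'])} usernames tried, "
              f"first flagged at {info['first_flagged']}")
```

On the sample, 203.0.113.7 is flagged at its fifth failure (09:00:09) and the single mistyped login from 198.51.100.9 is not. Recording the distinct usernames tried is what separates a user who forgot their password from a source working through a list of accounts, which is the case to escalate.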
Best practices for businesses 

To strengthen password security across your organisation, our IT support recommends implementing the following measures: 

Password managers to generate and store strong, unique credentials for each account, keeping them both secure and conveniently accessible to the people who need them.

Multi-factor authentication enabled wherever possible, to add a second layer of protection. See our guide on how to enable two-factor authentication on Office 365.

Change passwords regularly, and whenever you are in doubt, for example after suspicious login activity, notifications you do not recognise, or suspected phishing attempts.

Train staff regularly on password hygiene, phishing awareness, and secure login practices. 

Audit access routinely: remove unused accounts when staff leave or no longer require access, and restrict access to only those who need it.

Replace default credentials immediately (e.g. “admin”, “password”) to prevent easy exploitation of new systems. 

Check your email account for breaches on haveibeenpwned.com: the site shows whether your email address has appeared in any known data breaches, giving you a list of places where the password should be changed first.

The National Cyber Security Centre advises every organisation to have an active password policy. It openly discourages reliance on passwords, deeming them to have only a limited ability to protect data. Even when passwords are used correctly, businesses and their staff must practise strict control: use MFA where possible and store passwords only in a form protected by cryptographic hash functions, to reduce risk and prevent cyber disasters.
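"Storing passwords with cryptographic functions" means never keeping the password itself, and not a fast unsalted hash of it either. The following Python is an added example, not code from this article or from the NCSC: it contrasts the pattern to avoid with a salted, deliberately slow PBKDF2-HMAC-SHA256 record that carries its own parameters so the work factor can be raised later. The iteration count and record format are assumptions for the example.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune so one check costs a noticeable fraction of a second


def weak_store(password: str) -> str:
    """The pattern to avoid: one fast, unsalted hash.  Identical passwords give
    identical digests, and a stolen table can be attacked at full hardware speed."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, slow hash.  Returns a self-describing record (assumed format):
    algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)                        # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:                            # malformed record: treat as no match
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # no early exit on the first wrong byte


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current policy and should be re-hashed
    on the user's next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct-horse-battery-9")
    print(record)
    print("login ok:", verify_password(record, "correct-horse-battery-9"))
    print("wrong password:", verify_password(record, "Password1234"))
    print("same input, same weak digest:", weak_store("same") == weak_store("same"))
```

Two records for the same password differ because each gets its own salt, so a leaked table gives an attacker no shortcut across accounts, and the iteration count makes every guess expensive. Where available, a memory-hard function (hashlib.scrypt in the standard library, or Argon2 via a third-party package) is a better choice than PBKDF2; the record-with-parameters pattern shown here applies unchanged.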

Final thoughts  

Ultimately, maintaining strict password protocols helps keep your business safe and secure. Regardless of scale, businesses that overlook password security expose themselves to preventable security incidents. Putting password safety first is not a complex task: simple steps like enabling multi-factor authentication, keeping passwords unique or setting up a password manager can take less than 10 minutes and significantly improve the security of your accounts.