It seems that we need a username and password for almost every device, mobile app, or service that we use. Streaming films, shopping online, sending emails, reviewing bills and checking social media all involve using some form of a username and password combination.
Why do we use the same passwords?
As we become more digitally connected, the need for robust data protection grows. With so many apps and programmes requiring a password, it’s no wonder that passwords are often recycled and reused. Coming up with a unique, strong password for each account can seem inconvenient and overwhelming, and reusing the same few passwords feels like a quicker, more convenient way to get in.
However, there is a cyber security risk in doing this.
Passwords are usually the first line of defence that any user has against cybercrime. Yet, surprisingly, many of us continue to casually use the same passwords across our online services, not realising how dangerous this is. Using weak or outdated passwords offers very little protection, particularly as cyber threats are growing more advanced and sophisticated.
Elderly people should be especially careful, as they are often targeted by criminals who exploit unfamiliarity with, or fear of, technology. To build your confidence online, we’d recommend Age UK’s free resources for staying safe on the internet, which include plenty of easy-to-understand material about protecting your information.
Therefore, it’s imperative that we take more stringent action when it comes to using passwords for more than one online service, as our personal information could be more at risk than ever before. This article explores why strong passwords are crucial and also provides guidance on how we can implement better password control.
The risks of weak and reused passwords
Weak passwords like ‘john123’ or ‘password1’ are incredibly easy to guess, and any cybercriminal using an automated tool to crack passwords would breeze through these ‘barriers’ of protection.
Passwords like these may have been adequate in the early days of online services, but now that the tools to guess them are so widely available, they need to be much stronger. Should a cybercriminal get into the account behind such a password, personal data or financial information could be compromised and malware could be installed, among other risks.
According to NordPass, many of us in the UK stick to glaringly easy and weak passwords, such as ‘123456’, ‘guest’ or ‘qwerty’, among many others. With this in mind, it’s no wonder that password hacking has increased by 74% in the last year, with nearly 1000 passwords attacked every second, according to the 2022 Microsoft Digital Defense Report.
Reusing the same password across sites makes your data even more vulnerable, especially if that password is weak. If a cybercriminal cracks one password and gets into one of your accounts, every other account protected by the same password is at higher risk too.
To avoid being an easy target, it’s highly recommended that you use a unique, complex password for each of your online accounts. It might seem like a lot of effort, but it’s easier than you might expect.
Best practices for strong passwords
- Create passwords with a minimum of 8-12 characters that include a mixture of upper- and lowercase letters, numbers and symbols. The more characters you use, the stronger the password.
- Avoid using personal identifiers such as your name, date of birth, address or pet names. Using them makes your password much more straightforward for a cybercriminal to guess.
- Use a mnemonic, or a short, memorable phrase, to help you remember your complex passwords.
- Make good use of password manager tools such as LastPass, 1Password or Bitwarden. These tools can generate and remember a large number of complex, unique passwords for all of your sites. Integrating them with your browser allows for easier logins and automated password entry, and you will only need to enter a master password on occasion.
- Enable two-factor authentication (TFA) on your profiles and accounts wherever you can. It adds a robust, additional layer of security by prompting you to verify each login request. If someone else tries to log in, your trusted device(s) will be alerted to the attempt and you can reject it. The alerts and prompts can range from SMS messages and emails to biometric verification.
- Try to change your passwords regularly. It can be good to get in the habit of changing passwords every few months.
- Never openly share your passwords with anybody, not even your employer. Legitimate and ethical companies will never ask you for your password information.
- Use different passwords for your personal accounts and your work or business accounts.
- According to the National Cyber Security Centre, a good way to make passwords more difficult to guess is to combine three random words. Consider using this as a starting point to make each one more memorable.
- Train yourself to recognise phishing emails, malicious links and social engineering tactics. Never enter your password anywhere other than the verified, secure URL of the genuine site. Check the address carefully and look for the padlock icon in your browser’s address bar, which signifies that the site has a valid SSL/TLS certificate and that your connection to it is encrypted.
- Always change default passwords on any devices that you own and/or share, such as WiFi routers, shared desktops and smart home appliances.
- Educate your friends and family about taking similar approaches. Good cyber security awareness is important for everybody.
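To make the advice in the list above concrete, here is an added example (not code from the original article) that checks a candidate password the way a password manager or sign-up form might: minimum length, a blocklist of common passwords, personal identifiers, and a rough entropy estimate. It also shows why the per-character entropy estimate flatters word-based passphrases, and computes the honest figure for the three-random-words approach from the size of the word list instead. The blocklist and the word list are constructed for the example; a real deployment would use a breach-derived blocklist and a dictionary of thousands of words.

```python
import math
import re
import secrets

# Constructed blocklist: the weak examples quoted in the article plus a few
# obvious relatives. Real systems use a breach-derived list of millions.
COMMON_PASSWORDS = {
    "123456", "guest", "qwerty", "password", "password1", "john123",
    "12345678", "letmein", "admin",
}

# Constructed word list for the NCSC "three random words" approach.
# A real generator should draw from several thousand words.
WORDS = [
    "apple", "river", "candle", "forest", "marble", "window", "pillow",
    "garden", "rocket", "silver", "button", "meadow", "copper", "planet",
    "violin", "harbour",
]


def charset_size(pw):
    """Size of the alphabet implied by the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33  # printable ASCII symbols, including space
    return size


def estimate_entropy_bits(pw):
    """Upper bound: assumes every character was picked uniformly from the
    alphabet. Real human-chosen passwords are far more predictable, so treat
    this as an optimistic ceiling, not a measurement."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(n_words, wordlist_size):
    """Honest figure for a passphrase: each word is one uniform choice from
    the word list, regardless of how many letters it contains."""
    return n_words * math.log2(wordlist_size)


def check_password(pw, personal_terms=(), min_length=12, min_bits=50):
    """Return a list of problem codes; an empty list means the password passed.
    `personal_terms` are things like the user's name or year of birth."""
    problems = []
    if len(pw) < min_length:
        problems.append("too_short")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common")
    for term in personal_terms:
        term = term.lower()
        if len(term) >= 3 and term in lowered:
            problems.append(f"personal:{term}")
    if estimate_entropy_bits(pw) < min_bits:
        problems.append("low_entropy")
    return problems


def generate_three_random_words(separator="-"):
    """NCSC-style passphrase built with the CSPRNG in `secrets`, never `random`."""
    return separator.join(secrets.choice(WORDS) for _ in range(3))


if __name__ == "__main__":
    for candidate in ("john123", "password1", "Tr0ub4dor&3!", generate_three_random_words()):
        print(f"{candidate!r:28} {estimate_entropy_bits(candidate):5.1f} bits "
              f"problems={check_password(candidate, personal_terms=('John',))}")
    # Three words from a 7776-word Diceware-sized list: the honest figure.
    print(f"3 words / 7776-word list: {passphrase_entropy_bits(3, 7776):.1f} bits")
```

Note the gap the last line exposes: a three-word passphrase scores over 80 bits on the per-character estimate but only about 39 bits by word count against a 7776-word list, which is why the NCSC advice is about memorability and resisting guessing attacks, not about raw entropy, and why the words must be genuinely random rather than a favourite phrase.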
Establishing stronger security across businesses
Using stronger, complex passwords should not be limited to our personal lives. Organisations and businesses in Sussex must have robust cyber security measures in place to ensure that their customer, client and employee data remains secure.
This includes:
- Implementing strong password policies for all employees, including third-party contractors, vendors and stakeholders. Companies must remind users to change passwords regularly and forbid them from using the same password on more than one system.
- Monitoring networks and user activity for warning signs of vulnerabilities or possible entry points using managed detection and response (MDR) services. The earlier a business can detect a breach, the better.
- Restricting user permissions to only allow necessary access for authorised, relevant employees.
- Implementing multi-factor authentication (MFA) or TFA on all relevant systems and logins wherever possible. This is particularly important for administrator accounts and for teams that work hybrid or remotely.
- Deploying robust antivirus programmes, ideally with strong anti-malware, firewall and internet security features built into the programme. These can block potential threats before they reach a system.
- Updating all critical system and network software with recommended security patches and core system updates. Unpatched software is a common exploitation point for criminals, so when the patches are available, install them.
- Running regularly scheduled system and data backups, ideally stored both on servers onsite and in the cloud. Should malware or ransomware be installed, backups provide an effective disaster recovery option.
- Educating teams through regular cyber security awareness training, explaining why weak passwords are dangerous and the kinds of attack they could be exposed to if they are not careful.
- Investing in assessments from third-party vendors, such as penetration testing or red team exercises, that produce a full report of the organisation’s possible vulnerabilities.
It’s clear that we have a duty to protect our own information as well as others’. By making our passwords more secure and becoming more aware of the security risks that exist across the internet, we can reduce the likelihood of an attack succeeding and safeguard everyone’s data.