SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Poor password policies still threaten business cyber security

Businesses are being warned that poor password management continues to pose a significant risk to online security despite advances in cyber protection tools.

"Poor password management can allow attackers to guess or steal user credentials before putting them up for sale on the black market. Those login details can then be used for credential stuffing attacks to access and take over online accounts and to carry out fraud. Yet despite the risks, more than a quarter of businesses (27%) still don't have a password policy compelling users to set a strong password, according to the Cyber Security Breaches Survey 2025, even though this is considered basic cyber hygiene," said Jon Fielding, Managing Director for EMEA at Apricorn.

Fielding emphasised the importance of robust password policies, noting that simply having a policy is insufficient if it does not enforce minimum length and character variety. "For those businesses that do have a password policy in place, it's imperative that the user is required to set a complex password, i.e. of a sufficient length and containing a variety of characters and mix of upper and lowercase letters. However, it's no longer the case that this should be changed on a regular basis and this can even be counterproductive. Making frequent password resets can frustrate users and lead to them making small changes to the original password or making them easier to remember and therefore brute-force."

He also explained new trends in password management, noting that the widespread adoption of password managers and browser-based tools has helped address common pitfalls like password reuse. "Thankfully, password managers that can generate unique passwords for us are now much more widespread and are integrated into numerous browsers. These have also driven down the problem of password reuse whereby the same password is used for multiple accounts. But our dependency on these password managers does of course run the risk of them being attacked so it's important to safeguard access. In addition to a strong master password, the password manager should also therefore be protected using a secondary measure such as two factor authentication (2FA)."

Fielding cautioned businesses not to overlook the security of peripheral devices such as external drives and USB sticks, which he noted are frequently neglected compared to more conventional endpoints like computers and mobile phones. "What many businesses often neglect is the password protection afforded to their peripherals, instead focusing on the usual endpoints, i.e. desktop, laptop and mobile phone. External hard disk drives or even USB sticks should be encrypted and password protected and, where users are allowed to use their own personal peripheral devices, these requirements should be specified in the acceptable use policy. Protecting these devices in this way ensures that if they do get lost or fall into the wrong hands they will remain unreadable."

Discussing evolving security technologies, Fielding acknowledged that predictions regarding the demise of passwords have not yet materialised. "The imminent death of the password has been predicted on numerous occasions with passkeys and biometrics attempting to usurp it. But the humble password continues to be the primary way many of us protect our data and is likely to remain so for years to come, bolstered by additional security such as multi-factor authentication and zero trust."
