SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

World Password Day highlights risks & best practices for firms

Yesterday

Experts from the cybersecurity sector have highlighted the ongoing importance and challenges of password management as World Password Day brings renewed attention to online security practices.

Jon Fielding, Managing Director, EMEA at Apricorn, addressed the risks linked with poor password management, stating, "Poor password management can allow attackers to guess or steal user credentials before putting them up for sale on the black market. Those login details can then be used for credential stuffing attacks to access and take over online accounts and to carry out fraud. Yet despite the risks, more than a quarter of businesses (27%) still don't have a password policy compelling users to set a strong password, according to the Cyber Security Breaches Survey 2025, even though this is considered basic cyber hygiene."

Fielding went on to highlight the importance of having effective password policies where they are in place. He explained, "For those businesses that do have a password policy in place, it's imperative that the user is required to set a complex password i.e. of a sufficient length and containing a variety of characters and mix of upper and lowercase letters. However, it's no longer the case that this should be changed on a regular basis and this can even be counterproductive. Making frequent password resets can frustrate users and lead to them making small changes to the original password or making them easier to remember and therefore brute force."

Discussing the use of password managers, Fielding noted, "Thankfully, password managers that can generate unique passwords for us are now much more widespread and are integrated into numerous browsers. These have also driven down the problem of password reuse, whereby the same password is used for multiple accounts. But our dependency on these password managers does of course run the risk of them being attacked, so it's important to safeguard access. In addition to a strong master password, the password manager should also therefore be protected using a secondary measure such as two-factor authentication (2FA)."

He also remarked on the often-overlooked risks associated with portable devices, saying, "What many businesses often neglect is the password protection afforded to their peripherals, instead focusing on the usual endpoints, i.e. desktop, laptop and mobile phone. External hard disk drives or even USB sticks should be encrypted and password protected and, where users are allowed to use their own personal peripheral devices, these requirements should be specified in the acceptable use policy. Protecting these devices in this way ensures that if they do get lost or fall into the wrong hands they will remain unreadable."

Fielding concluded his commentary with a reflection on the continuing relevance of passwords, stating, "The imminent death of the password has been predicted on numerous occasions with passkeys and biometrics attempting to usurp it. But the humble password continues to be the primary way many of us protect our data and is likely to remain so for years to come, bolstered by additional security such as multi-factor authentication and zero trust."

Michela Resta, Data Privacy and Cyber Security Solicitor at CyXcel, emphasised the personal dimension of password security, saying, "Everyone knows they shouldn't use their child's name or their date of birth as a password. But the real habitual change comes when people understand why. We live our lives online. A quick scroll through social media can reveal your children's names, your football allegiances, or the street you grew up on. This data, while seemingly innocent, can become the building blocks of a hacker's social engineering playbook. It's therefore advised that passwords steer clear of anything that can be gleaned from your social media feed and instead adopt a mix of upper- and lower-case letters, numbers, and special characters."

Resta also highlighted the organisational responsibility in enforcing password protocols. She stated, "World Password Day is not just important for individuals; organisations also have a role to play. For organisations, good password hygiene is not just having a password policy but enforcing it. If a policy mandates ten-character passwords with a mix of symbols, numbers, and uppercase letters, it is fundamental that your systems back this up and do not let users bypass the rules or recycle their old passwords."
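The server-side enforcement both Fielding and Resta describe (a length and character-mix rule, plus a block on recycling old passwords) in one worked example. This is added illustrative code, not from the article or any of the firms quoted; the ten-character minimum and the required character classes come from Resta's quote, while the history depth of five and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 10               # policy from the article: ten-character minimum
HISTORY_DEPTH = 5             # assumed: how many previous passwords are retained
PBKDF2_ITERATIONS = 100_000   # assumed work factor for the stored history hashes


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked history table cannot be cheaply reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def policy_violations(password: str) -> list[str]:
    """Return every complexity rule the candidate breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class PasswordHistory:
    """Per-user list of (salt, hash) pairs for previous passwords, used to block recycling."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []

    def was_used(self, password: str) -> bool:
        return any(hmac.compare_digest(_hash_password(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash_password(password, salt)))
        del self.entries[:-self.depth]   # keep only the most recent `depth` entries


def change_password(history: PasswordHistory, new_password: str) -> list[str]:
    """Enforce the policy on the server: reject on any breach or reuse, record on success."""
    problems = policy_violations(new_password)
    if history.was_used(new_password):
        problems.append("matches a recently used password")
    if not problems:
        history.record(new_password)
    return problems
```

Because the check runs where the password is set rather than in the browser form, a user cannot bypass it by editing the client, which is the gap Resta's quote is about.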

She added a caution about the limitations of passwords, noting, "However, we must all remember, passwords, no matter how strong, aren't 'hacker' proof. Even with Multi-Factor Authentication, risks like device compromise and social engineering can lead to a breach. This underscores the importance of organisational resilience. It is essential that organisations not only implement strong cyber security measures but also maintain a well-developed and regularly tested incident response plan. Conducting tabletop exercises can ensure that in the event of a breach, organisations are equipped to respond effectively and minimise impact."

Sam Peters, Chief Product Officer at ISMS.online, broadened the scope beyond passwords and pointed to additional security factors. Peters said, "World Password Day marks the importance of strong and secure password use, but good password hygiene is only one element in a robust cybersecurity posture. Social engineering attacks and business email compromise (BEC) are still among the most effective ways for attackers to take advantage of the human element of a business and gain access to key systems, data and funds."

Peters set out industry best practices, stating, "The ISO 27001 framework outlines information security best practices such as multi-factor authentication, role-based access control and employee information security training and awareness. These are core security measures businesses need to consider alongside good password hygiene."

Sharing recent data on workplace security behaviour, Peters added, "Over a third of respondents (35%) in our latest State of Information Security Report stated that employees had used personal devices for work purposes without proper security measures, which leaves gaps threat actors can easily exploit. This highlights the importance of organisation-wide training and awareness – as well as the importance of implementing information security best practices."

Peters concluded, "World Password Day presents an opportunity for businesses to analyse their existing security efforts and identify areas for improvement."
