
Passwords are still the biggest weak spot in cybersecurity.
Not AI. Not advanced malware. Passwords.
Every year businesses get compromised because someone in the team uses something daft like Arsenal2024 or Password123!. And in the UK this is especially common because we have predictable habits. Football clubs. Kids’ names. Pets. Dates of birth.
So here is a breakdown of the biggest password mistakes companies make, why they matter, and what to do instead.
If anyone in your company uses a password like that, change it today.
Automated cracking tools try these patterns first, so they fall in seconds.
Adding a few numbers or symbols on the end does not make them safer.
1. Reusing the same password everywhere
Attackers take the email and password pairs from one breach and try them against every other service (credential stuffing). If one login gets breached, everything that shares that password is instantly at risk.
One weak, reused password can take down the whole business.
2. Using emotional or predictable words
People pick what is familiar.
Football clubs. Dog names. Kids’ names. Favourite bands. Home towns.
Hackers expect all of this and test these words first.
3. Using predictable substitutions
Swapping letters for numbers, like 3 for E or 0 for O, adds nothing now.
Cracking tools apply those substitutions automatically, as rules layered on top of their wordlists, so P@ssw0rd is tested alongside password.
4. Storing passwords badly
Post it notes. Notebooks. Notes apps. Shared spreadsheets.
If a staff member can see someone else’s password, so can anyone shoulder surfing or stealing a laptop.
5. Not using a password manager
Remembering a different strong password for every login is not realistic.
A password manager solves this, but many UK businesses still rely on memory, notes, or WhatsApp messages.
If you use a “root word” as the stable part of your password system, never use an English dictionary word.
Cracking tools run through dictionary lists first, before trying anything else.
Better options:
• Spanish words
• Welsh words
• Foreign words in general
• Or made up nonsense words
These are harder to crack because they are not in the English wordlists attackers try first. Be aware that Spanish and Welsh dictionaries exist too, and serious cracking rigs load wordlists in many languages, so a made-up word is the safer choice. The root word is also only one part of the password, never the whole thing.
Examples of good root words:
• Traves
• Gwynt
• Ceniz
• Fribondo
• Nalmex
Anything that is not a real word in any language is ideal; a word that merely avoids English is second best.
Here is a quick breakdown of the reputable password managers worth considering.
NordPass
Very secure, simple, solid for teams.
Keeper
Strong admin controls, good for businesses, excellent auditing.
1Password
Great design, widely trusted, excellent for teams and families.
Bitwarden
Open source, very good value, strong free plan.
RoboForm
Simple, good multi device support, good for everyday users.
Proton Pass
Privacy focused, encrypted, growing rapidly.
LastPass
Very popular, lots of features, easy for non technical staff.
However, it has had several security incidents, including a 2022 breach in which copies of customers’ encrypted vaults were stolen, which damaged confidence.
Some businesses still use it happily, others prefer to avoid it.
It is not unusable, but it is important to understand the history.
Here is the part people rarely say out loud.
No password is ever 100 percent secure.
Not the long ones, not the clever ones, not the ones with punctuation all over them.
Everything can be cracked given enough time and resources.
The real goal is layers of security, not perfection.
Your formula is one layer.
Your password manager is another.
Two-factor authentication, wherever a service offers it, is another.
Your training is another.
Together, these layers reduce risk to a practical level.
Sharing passwords through email, WhatsApp, or spreadsheets is incredibly risky.
A proper password manager avoids all of this.
A good password manager lets you:
• Share access with staff without revealing the actual password
• Give access to groups instead of individuals
• Remove access instantly if someone leaves
• Avoid constantly changing passwords
• Keep everything encrypted
• Track who has access to what
This is essential because not everyone leaves a company on good terms.
Some people leave upset, annoyed, or holding a grudge.
You want to be able to remove their access in five seconds, not spend the next two days updating login details everywhere.
A strong password should be:
• Long (at least 14 characters; longer for anything important)
• Unique for every login
• Mixed case
• Includes numbers
• Includes at least two special characters
• Not dictionary based
• Not reused
• Stored safely
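As an added example (not part of the original article), here is a small Python audit that applies the checklist above and the root-word advice from the earlier section. It undoes the common letter-for-number substitutions, strips the year or symbols people tack on the end, and then looks for what remains in a wordlist, which is roughly what a cracking rule does. The wordlist and the sample passwords are constructed for the demo; a real cracking rig loads millions of words in many languages, which is why Welsh and Spanish entries appear in it. The 14-character minimum is an editorial assumption.

```python
import re

# Constructed stand-in for the wordlists a cracking tool loads. Real lists run
# to millions of entries and cover many languages, so Spanish and Welsh words
# (traves, gwynt) are included here deliberately.
WORDLIST = {
    "password", "arsenal", "liverpool", "chelsea", "summer", "dragon",
    "qwerty", "hola", "gracias", "traves", "gwynt", "ceniz",
}

# Letter-for-number and letter-for-symbol swaps that cracking rules reverse
# automatically (hashcat / John the Ripper "leetspeak" rules do exactly this).
UNSUBSTITUTE = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})

MIN_LENGTH = 14  # editorial assumption; the article's own examples are 17 characters


def normalise(password: str) -> str:
    """Reduce a password to the 'core' a cracking rule would compare against a wordlist.

    Mirrors common rule sets: lowercase, drop the digits/symbols people append
    (years, '123', '!?'), undo leetspeak, then drop any trailing junk again.
    """
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # Arsenal2024 -> arsenal
    core = core.translate(UNSUBSTITUTE)    # p@ssw0rd    -> password
    core = re.sub(r"[^a-z]+$", "", core)
    return core


def wordlist_hits(password: str) -> list[str]:
    """Wordlist entries (4+ letters) that survive inside the normalised password."""
    core = normalise(password)
    return sorted(w for w in WORDLIST if len(w) >= 4 and w in core)


def audit(password: str) -> list[str]:
    """Return the checklist failures for one password; an empty list means it passes."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        issues.append("not mixed case")
    if not re.search(r"\d", password):
        issues.append("no number")
    if len(re.findall(r"[^A-Za-z0-9]", password)) < 2:
        issues.append("fewer than two special characters")
    for word in wordlist_hits(password):
        issues.append(f"wordlist word once substitutions are undone: {word}")
    return issues


if __name__ == "__main__":
    # Constructed samples: the article's bad examples, a 'clever' leetspeak variant,
    # a Spanish-looking root word with digits, a Welsh root word used on its own,
    # and one of the article's own formula passwords.
    for sample in ["Arsenal2024", "Password123!", "P@ssw0rd!", "Tr4v3s99",
                   "Gwynt2024!?", "HNB4279Fribondo!?"]:
        print(f"{sample:20} -> {audit(sample) or ['OK']}")
```

Run it as a script to see each sample's failures. The point to notice is that Tr4v3s99 and Gwynt2024!? both collapse to a wordlist entry once the rules are applied, even though neither is an English word and both have numbers and symbols attached.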
Here is a clean, practical formula that works without confusing anyone. Use it only for the handful of passwords you genuinely have to hold in your head, such as your password manager’s master password or your laptop login. Everything else should be a long random password generated and stored by the manager, because any password built from a rule can be reconstructed once a single one of them leaks.
Pattern:
SiteCode + PersonalNumber + PersonalRootWord + SpecialChars
Where:
SiteCode:
Take the first 3 letters of the website
Shift each letter one forward in the alphabet
Make them uppercase
Gmail → g m a → h n b → HNB
PersonalNumber:
A number you never forget
Example: 4279
PersonalRootWord:
A non English or made up word
Example: Fribondo
Special characters:
Pick two you always use
Example: !?
Gmail
HNB4279Fribondo!?
Facebook
GBD4279Fribondo!?
LinkedIn
MJO4279Fribondo!?
Twitter
UXJ4279Fribondo!?
Each one is:
• Long
• Unique
• Includes numbers and symbols
• Easy to recreate
• Hard to guess from scratch (but not once one of them has leaked, because the rule is then visible)
• Based on one consistent rule
• Far stronger than what most staff use today
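As an added example, not part of the original article, here is the formula above in Python, checked against the four passwords it gives. The derive_from_leak function is the caveat a practitioner should take from it: an attacker who sees one of these passwords in a breach dump, and knows which site it belonged to, can rebuild every other one without cracking anything, because the site code is the only part that changes. The letter shift assumes z wraps round to a (the article does not say); the generator at the end is a simplified version of what a password manager does, and is the better choice for anything the manager can remember for you.

```python
import secrets
import string
from typing import Optional


def site_code(site: str) -> str:
    """First three letters of the site name, each shifted one place forward, uppercased.

    Gmail -> g m a -> h n b -> HNB. Assumption: z wraps round to a.
    """
    letters = [c for c in site.lower() if c.isalpha()][:3]
    shifted = (chr((ord(c) - ord("a") + 1) % 26 + ord("a")) for c in letters)
    return "".join(shifted).upper()


def formula_password(site: str, number: str = "4279", root: str = "Fribondo",
                     specials: str = "!?") -> str:
    """SiteCode + PersonalNumber + PersonalRootWord + SpecialChars, with the article's sample values."""
    return f"{site_code(site)}{number}{root}{specials}"


def derive_from_leak(leaked_password: str, leaked_site: str, target_site: str) -> Optional[str]:
    """What an attacker does with one leaked formula password.

    Having seen the Gmail password and noticed that only the first three letters
    vary per site, they swap the site code and keep everything else untouched.
    Returns None if the leaked password does not start with the expected code.
    """
    code = site_code(leaked_site)
    if not leaked_password.startswith(code):
        return None
    return site_code(target_site) + leaked_password[len(code):]


def random_password(length: int = 20) -> str:
    """Simplified password-manager generator: unrelated per site, so one leak reveals nothing else."""
    alphabet = string.ascii_letters + string.digits + "!?@#%&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for site in ["Gmail", "Facebook", "LinkedIn", "Twitter"]:
        print(f"{site:10} {formula_password(site)}")
    leaked = formula_password("Gmail")
    print("Leaked Gmail password:", leaked)
    for site in ["Facebook", "LinkedIn", "Twitter"]:
        print(f"  attacker derives {site:10} {derive_from_leak(leaked, 'Gmail', site)}")
    print("Manager-generated instead:", random_password())
```

Running the script prints the four passwords from the article, then shows the other three being rebuilt from the Gmail one alone. A manager-generated password carries no such structure, which is why the formula belongs only on the few logins you cannot hand to the manager.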
Good security is not one thing. It is a combination of:
• Strong password policy
• Unique passwords
• Avoiding dictionary words
• Using a password manager for all sharing
• Removing access instantly when someone leaves
• Training staff
• Monitoring for breaches
• Updating passwords after suspicious activity
This is how modern businesses protect themselves.
While we are discussing passwords it is also worth mentioning user names.
Hackers use automated bots to run login attempts at speed, testing thousands of websites per hour, and the tooling is becoming more capable with the advent of AI. The bots need a username as well as a password, so a guessable username hands them half the puzzle.
Websites built with WordPress, for example, have historically created the first account as admin, and later usernames are based on the user’s real name, which makes them easier for bots to guess. Bear in mind that WordPress also exposes usernames through author archive pages and its REST API, so renaming admin removes the easiest guess but is not a complete fix on its own; limiting login attempts matters just as much.
cPanel, the most common hosting control panel, also generates the account username from the letters of the domain name. This should be changed when the hosting account is set up, where your provider allows it.
A lot of CRM and other software ships with ‘admin’ as the username and asks you to change the password, but we also encourage you to rename the admin user to something the bots won’t guess.
Never use Admin or admin, and, where the software allows, use a username rather than an email address and make it harder to guess. Instead of ‘steve’ or a first and last name like ‘steveharwood’, add the first couple of letters of your middle name or use only part of your surname: something like ‘stevewharwood’ or ‘stevewh’.
Combine that with a strong password and you will considerably reduce the risk of getting hacked.
Weak passwords are one of the easiest ways for attackers to break into a business.
Strong passwords and a password manager fix most of the problem in under an hour.
Your goal is not to be perfect. Your goal is to be secure enough that attackers move on to an easier target.