
World Password Day: The Importance of Creating Strong Passwords

By Mitchel Goodwin Co-founder · Technical · About

Every year, on the first Thursday of May, the internet pretends to care about passwords for roughly 24 hours before going back to using "Liverpool1" for everything including the nuclear codes. Welcome to World Password Day, the least sexy holiday in the calendar and, frankly, the most important one.

The State of the Nation

The most common password on earth is still, in 2023, "123456". The second is "password". The third is "qwerty". If any of your logins currently use one of these, you are not running a business, you are running a charity for cybercriminals.

The average UK business suffered 788 attempted cyberattacks per week last year. The vast majority rely on credential stuffing, which is a fancy term for "trying the same password on 4,000 sites until one works". Your dog's name is not protecting anything.

What Actually Makes a Password Strong

  • Length over complexity: A 16-character passphrase beats an 8-character scramble. "CorrectHorseBatteryStaple" is stronger than "P@ss1!".
  • Unique per account: One breach should not unlock your entire digital life. Reuse is the cardinal sin.
  • Random, not memorable: If you can remember it, a computer can probably guess it. Let a manager do the remembering.
  • Not a dictionary word: Cracking tools chew through dictionaries in milliseconds.
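
The four rules above as a small Python check, added here as an illustration and not code from the original post. The word lists are tiny constructed stand-ins, and the function names and the 16-character default minimum are assumptions of this example.

```python
import math
import re
import secrets
import string

# Constructed sample data: the three passwords the article names as most common,
# plus a tiny stand-in word list (a real check would load a large dictionary).
COMMON = {"123456", "password", "qwerty"}
WORDS = {"liverpool", "summer", "password", "qwerty"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate(length=20):
    """Random password drawn from the OS CSPRNG, the way a manager would make one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a uniformly random string: length * log2(alphabet size).

    Only valid for machine-generated strings; human-chosen passwords are far
    more predictable than this formula suggests.
    """
    return length * math.log2(alphabet_size)


def audit(password, already_used=(), min_length=16):
    """Return the list of rules from the article that a password breaks."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if password.lower() in COMMON:
        problems.append("common password")
    # Strip trailing digits and symbols so "Summer2023!" is recognised as "summer".
    stem = re.sub(r"[\d\W_]+$", "", password).lower()
    if stem in WORDS:
        problems.append("dictionary word")
    if password in already_used:
        problems.append("reused")
    return problems
```

Calling `random_bits(16, 26)` against `random_bits(8)` shows the first rule in numbers: 16 random lowercase letters carry about 75 bits, while 8 random characters from the full 94-symbol set carry about 52.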

Password Managers Are Not Optional

If you are still keeping passwords in a Word document called "passwords.docx", we need to have a serious talk. A proper password manager (1Password, Bitwarden, Dashlane, take your pick) generates random 20-character passwords, stores them behind one master password, and syncs across your devices. It costs about three quid a month and will save you from the day you really, really did not want.

Your browser's built-in manager is better than nothing, but it is not as good as a dedicated one. For a broader look at staying safe online, our piece on keeping your online accounts safe covers the full list.

Two-Factor, Always

Even the best password in the world can be phished. Two-factor authentication (2FA) adds a second step, usually a code from an app like Authy or Google Authenticator, and makes stolen passwords useless on their own. Turn it on for email, banking, social media, cloud storage, and your website CMS. Especially your email. Your email is the master key to everything else.

SMS 2FA is better than nothing but vulnerable to SIM swapping. Use an app-based code or a hardware key where possible.

For Businesses

If you run a team, password hygiene is not optional. One employee with "Summer2023!" reused across six systems is a boardroom-level risk. Rolling out a team password manager, enforcing 2FA, and running quarterly reviews of who has access to what takes a morning and prevents a fortnight of agony.

We have seen small Newcastle businesses lose entire client databases because a freelancer's personal Gmail got popped. The cleanup is not cheap, and your insurance will ask pointed questions. Our web team can lock down the technical side at the same time.

The Human Layer

Technology only gets you so far. The weakest link in any security setup is the person who clicks a dodgy link at 4pm on a Friday because the email looked like it was from the boss. Train your team to pause, check the sender, and ring the person if in doubt. Paranoia is a professional skill these days.

Worried Your Digital Setup Is Leaky?

We will review your site security, access controls, and backup setup for free. Better a safe than a sorry.


Strong passwords will not win you any style points. Neither will a locked front door. But one of them will stop you losing everything you built, and the other one will lose you everything you built. Pick wisely.