Strong passwords are essential because they protect your business systems, sensitive data, and user accounts from unauthorised access. Weak or reused passwords are one of the top causes of security breaches — and cybercriminals use automated tools to crack them in seconds. To create a strong password in 2025, use at least 12 characters, include a mix of uppercase, lowercase, numbers and symbols, avoid dictionary words, and never reuse the same password across systems.
Weak passwords are still one of the most exploited vulnerabilities in small and mid-sized businesses — despite advances in security tech.
Why Are Strong Passwords STILL So Important?
Passwords are still the first line of defence for most of your systems — from email accounts to remote desktops, file shares, and cloud services.
Here's why they matter:
- Passwords are a primary target — Cybercriminals don’t need to “hack” when they can guess or buy your passwords. With automated brute-force and dictionary attacks, they can test thousands of combinations in seconds.
- Password reuse spreads risk — If a password is compromised in one system, hackers can use it to access others — especially in organisations where staff reuse passwords across services.
- Poor passwords bypass other protections — Even with firewalls and antivirus in place, a weak password can render them useless if someone gets access through a compromised login.
- Compromise = cost — A breached account can lead to stolen data, ransomware, regulatory penalties, or business downtime — all from a password that was too simple or used twice.
According to the NCSC, some of the most common breached passwords in the UK are still “password123”, “qwerty”, and “Liverpool”.
What makes a weak password?
You probably have a pretty good idea of what makes a password weak, but here’s a quick overview. We’ll show you what a strong password looks like below.
Of course, we’d hope you’re not using something as simple as ‘password’ or ‘12345’, but some people must be using them to make them as popular as they are. Look at this list from NordPass, which shows the most used passwords and how long they take to crack (hint: almost no time at all).
It goes without saying that passwords made up of sequential or repeated numbers, obvious words like ‘qwerty’ or ‘password’ or even common names are simply not going to cut it. Hackers will try any of these as a first port of call.
Equally, if your password includes personal information such as your name, age, location, children, pets, favourite football team or artist, you could be at risk.
Remember, a lot of this information is freely available through social media accounts and general online activity. If someone wants to hack your account, they will look here for options.
And they won’t be doing it manually either.
How to Create a Strong Password
Creating strong passwords isn’t about making them hard to remember — it’s about making them hard to guess and unique for each service.
Here’s what a strong password looks like:
- Length matters: Minimum 12–16 characters. Longer = better.
- Mix it up: Use a combination of uppercase, lowercase, numbers, and special characters.
- Avoid common patterns: No dictionary words, names, dates, or simple substitutions like “P@ssw0rd”.
- Make it unique: Never reuse passwords across multiple systems.
- Consider a passphrase: A random phrase like “Cloud-Skater9!TreeDrum” is easier to remember and harder to crack than “R3dC@r2024”.
How do passwords get hacked?
Serious cyber criminals run programs that try hundreds and thousands of password options in order to find the right one. If yours is one of the ones in the list above, it’ll get found out quickly. If it’s a targeted attack, it’s possible that your personal information could be used against you.
They can also find other ways of narrowing down the possibilities to get closer to the truth. You could play a game to mimic the process (why not get your team involved?). Ask yourself the following questions.
Is the 1st character a capital letter? Are there numbers on the end? Does it have between 6 and 12 characters? Does it include a name?
If the answer is yes to any one of those questions, then unfortunately you have used some common password tropes. If the hacker can establish any part of that password, they (or rather their program) can work out the rest much quicker.
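The strong-password criteria listed earlier and the questions above can be turned into an automated check for use at password-set time. The following Python is an added example, not code from the original article; the deny-list is a small constructed sample, and `audit` and `personal_terms` are hypothetical names.

```python
import re

# Constructed sample deny-list (assumption); real use would load a breached-password corpus.
BANNED = {"password", "qwerty", "liverpool", "12345"}
# Simple substitutions undone before matching, so "P@ssw0rd" is treated as "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "1": "l", "$": "s", "5": "s"})
MIN_LENGTH = 12  # minimum length given in the article
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def audit(password, personal_terms=()):
    """Return a list of weakness labels; an empty list means every check passed."""
    findings = []
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", normalised)

    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if not all(re.search(c, password) for c in CLASSES):
        findings.append("missing_character_class")
    # Predictable shape: capital first, lowercase word, digits (and maybe a symbol) at the end.
    if re.fullmatch(r"[A-Z][a-z]+[0-9]+[^A-Za-z0-9]*", password):
        findings.append("capital_first_digits_last")
    if any(b in form for b in BANNED for form in (lowered, normalised, letters_only)):
        findings.append("contains_banned_word")
    # personal_terms: names, teams, pets etc. supplied by the caller (hypothetical parameter).
    if any(t and (t.lower() in lowered or t.lower() in normalised) for t in personal_terms):
        findings.append("contains_personal_info")
    if re.search(r"(.)\1{2,}", password) or any(s in lowered for s in ("1234", "abcd", "qwer")):
        findings.append("repeated_or_sequential")
    return findings
```

Note that “P@ssw0rd” contains all four character classes and is still rejected, because the substitutions are reversed before the deny-list comparison.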
LastPass, a password vault provider, found that there were 280 million malicious login attempts per day, including 300,000 attempted logins per hour from a single botnet. That means they’re out there in great numbers.
Your password is also more likely to get hacked if you’re using the same password for multiple sites. If one of these sites experiences a data breach, and passwords are stolen and shared on the Dark Web, anywhere else you use that password is compromised.
Hackers can also get hold of passwords by using phishing or social engineering scams. They attempt to trick the user into entering their password or handing over information that could be used to access your account.
For further ways that passwords get hacked, this article has an in-depth list. The question is: how do you make your password hard as nails?
Going Beyond Passwords: MFA and Passwordless
Strong passwords are important — but they’re not enough on their own.
For all critical systems, Multi-Factor Authentication (MFA) should be enabled. It adds a second step (like an app approval or biometric check) after the password, making it much harder for attackers to gain access even if a password is stolen.
If your business is using Microsoft 365, consider rolling out:
- Microsoft Authenticator MFA
- Conditional Access policies
- Passwordless logins via Windows Hello or FIDO2 keys
How To Strengthen Password Security Across A Business
- Enforce password complexity and length policies through Group Policy or Microsoft Entra ID.
- Deploy MFA organisation-wide, starting with high-risk roles and admin accounts.
- Ban common or breached passwords using Microsoft’s custom banned password lists.
- Roll out a company-wide password manager to reduce reuse and simplify secure storage.
- Educate staff regularly with security awareness training. Most breaches still begin with human error.
- Monitor and audit logins for unusual activity using Microsoft 365 or third-party tools.
How can we help?
In order to help businesses with their cyber security strategy, we offer a completely free data management review, which allows us to understand your current position and recommend the best way forward. If you need any assistance checking your existing cyber security configuration or would like to discuss improving your organisation’s levels of protection, then please get in touch. We have offices around the country, including Hull, Peterborough and Scunthorpe.