Traditionally these sorts of resolutions have revolved around improving health and quitting things that do us no good. But this year, rather than trying to stop smoking, or becoming a vegan, why not clean up some bad password hygiene? Why not make one change that may not cut inches from the waist, but might improve your cyber security strength?

2020 has shown that cyber-crime is a growing threat in the world, and one of the easiest and simplest changes everyone can make to improve their security is to enhance their passwords.

Did you know 59% of people use the same password for everything? And out of these passwords, you’d be surprised at how many of them are commonly used.

A government investigation, carried out by the National Cyber Security Centre, found the most hacked passwords globally, and the results are, well, predictable.

Believe it or not, the most commonly hacked password is ‘123456’, with 23.2 million cases. In second place, ‘123456789’, with 7.7 million cases. Other honourable mentions include ‘Liverpool’, ‘Chelsea’, ‘Batman’, ‘Blink182’, and of course, ‘password’ – yes, there are 3.6 million cases where the password was ‘password.’

Something as important as personal data shouldn’t be protected by something as easy to guess as a football team, a first name, or the word ‘password.’

Why? Because 90% of passwords can be hacked in less than six hours. 

And once cracked, a hacker can access emails, personal data, contacts, social media, payment methods, and addresses – of course, if the same password is used for everything, then the impact becomes greater as the hacker can access all these examples simultaneously.

In a work environment, this is especially risky due to the types of information that could potentially be stored on a work device. Employees should have strong passwords that only they know. Research has shown that 18% of employees share their passwords amongst each other to collaborate or, in some cases, because this was ‘company policy.’ These factors make for very bad password hygiene in the workplace.

So what is good password hygiene?

Outdated methods would have us believe that a 14-character password, with a small mixture of letters and numbers, is strong enough to secure your accounts. So, something like Walesrugby1999 would be good enough. In the modern world, this quite clearly isn’t good enough, especially in a workplace environment where these passwords protect sensitive data.

What makes a good password is easiest to explain by breaking passwords down to their fundamentals and looking at how exactly their strength is measured.

The randomness of data is called Entropy, which is measured in Bits. This sounds complicated but it’s relatively easy to understand. Here’s an example – a coin toss, which has two outcomes to guess, heads or tails, could be described as having 1 Bit. Winning the lottery, which unfortunately is around a 1/286 million chance, can be said to be 28 Bits. As you can see, the harder an outcome is to guess, the more Bits involved: essentially Bits equal strength.

In modern computing, 128 Bits is the minimum strength for encryption algorithms.

How does this apply to password strength?

A password’s strength can be measured by its length multiplied by the entropy per symbol – the ‘randomness.’ For example, a number would have an entropy of about 3.322, so you would need 39 random numbers to achieve 128 Bit entropy.

Unless you happen to be Rain Man, you probably won’t be able to remember a sequence of 39 numbers, so adding a mixture of random symbols and letters can help towards shortening the password while also maintaining strong entropy. Of course, 128 Bits isn’t necessary for everything but should be the standard for sensitive types of information.

But again, to reiterate, these letters should also be random and not just be your favourite football team.
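The length × entropy-per-symbol arithmetic above, worked through as an added example (this code is not from the article): it reproduces the 3.322 bits per digit and 39 digits for 128 bits, extends the same formula to larger alphabets, and generates a password with a CSPRNG so that the formula actually holds. The alphabet names and helper functions are assumptions of this example.

```python
import math
import secrets
import string

# Character classes a password might draw from (constructed for this example;
# the article itself only quotes the ten-digit case).
ALPHABETS = {
    "digits": string.digits,                                 # 10 symbols
    "lowercase": string.ascii_lowercase,                     # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,    # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94
}


def bits_per_symbol(outcomes: int) -> float:
    """Entropy of one uniformly random choice among `outcomes`: log2(outcomes).
    Coin toss (2) -> 1 bit; lottery (~286 million) -> ~28 bits; digit (10) -> 3.322."""
    return math.log2(outcomes)


def symbols_needed(alphabet_size: int, target_bits: float = 128) -> int:
    """Minimum length for a uniformly random password to reach target_bits:
    length * bits_per_symbol >= target, rounded up to a whole symbol."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def random_password(alphabet: str, target_bits: float = 128) -> str:
    """Generate a password that really has the claimed entropy. Each symbol is
    drawn independently with `secrets` (a CSPRNG), which is the condition the
    formula relies on. Something like 'Walesrugby1999' uses the same character
    classes but is built from words, so the formula does not apply to it."""
    length = symbols_needed(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_of_random_password(password: str, alphabet: str) -> float:
    """Entropy in bits, valid only when every symbol was chosen uniformly at
    random from `alphabet` (as random_password does). Rejects foreign symbols."""
    if not all(c in alphabet for c in password):
        raise ValueError("password contains symbols outside the stated alphabet")
    return len(password) * bits_per_symbol(len(alphabet))


if __name__ == "__main__":
    for name, alphabet in ALPHABETS.items():
        print(f"{name:13s} {bits_per_symbol(len(alphabet)):.3f} bits/symbol -> "
              f"{symbols_needed(len(alphabet))} symbols for 128 bits")
    pw = random_password(ALPHABETS["printable"])
    print(pw, f"{entropy_of_random_password(pw, ALPHABETS['printable']):.1f} bits")
```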

Password Advice for individuals

Here are some simple actions you can take to protect yourself, your data and your business from hackers, and improve your password hygiene in 2021:

  • ‘Randomness.’ As mentioned, the entropy of each symbol increases the strength of a password. The more random your password is, the harder it is to crack.
  • A mixture of characters. So, symbols, numbers, letters; and try not to arrange them in any predictable order.
  • A long password, in fact, the longer the better.
  • Don’t use common phrases or words, especially ones that are personal to you. That means no birthdays, no names, and no pets.
  • Keep passwords to yourself! No sharing passwords and try not to store passwords in plain text anywhere, especially not next to your computer.
  • Use a password manager. No one expects you to remember all of your passwords when they are that ‘complex’. Devices now often encourage you to use a complicated password generator, so you don’t have to come up with passwords yourself, and there will be a place on your device which stores them securely for you to refer back to.

To summarise, a password should be long, random, use a mixture of symbols, and should not use any actual word or phrase, especially one that is important to you: and don’t forget, you should use a different password for everything!

Password Advice for Organisations

The best advice for organisations when considering network security is to assume the threat is already inside. Embrace a zero-trust approach and ensure that any user or device that wants to connect to a resource must re-establish trust before access is granted.

This approach will combat the increased threat from shifts in modern-day working such as further cloud adoption, mobile application usage and remote working, all of which can contribute to credential theft, feeding the rise of privileged access as an attack vector.

After all, according to the Identity Defined Security Alliance (IDSA), 94% of you have experienced this attack, and 99% of these cases would have been highly preventable with a more robust security posture in place.

So with that, let’s hope for a good 2021. Some of you may run that marathon and some of you might give up meat, but let’s all take it upon ourselves to improve our cyber-security and password hygiene.
