#Privacy: Studies show UK consumers vulnerable due to weak passwording

Millions of Brits using weak and ‘exposed’ passwords for online accounts, new analysis shows

CybSafe analysis shows over a quarter of Brits and three quarters of UK businesses vulnerable to simple password attacks

Canary Wharf, London – Millions of Britons and hundreds of thousands of UK businesses are using cracked or weak passwords for online accounts, according to new research from the cyber security and data analytics company, CybSafe.

CybSafe conducted a blind-analysis of the passwords used by over 21,000 staff at a sample group of 250 UK companies for the prevalence of ‘exposed passwords’ – that is, passwords which have been previously compromised in data breaches.

Comparing passwords from these accounts with data from haveibeenpwned.com – the data breach tracking website run by security researcher, Troy Hunt – the CybSafe investigation found that 10 per cent of users had exposed passwords and that almost three quarters of UK businesses were employing staff with these exposed and weak passwords.

“The issue of exposed passwords is often not well understood by the general public,” explains Oz Alashe, CEO of CybSafe. “There’s a fairly common assumption that so long as you’re not using a short combination, like ‘123’, and/or an obvious combination, like the name of your child or a favourite football team, that you’re therefore safe.

“But complicated doesn’t always equal safe. Many don’t realise that their passwords have been compromised in old data breaches, and examples of exposed passwords aren’t always obvious. The password ‘ji32k7au4a83’, for example, may look like a safe and random combination of numbers and letters, but as analysis shows, this password has appeared in over 140 data breaches.”

The CybSafe team also examined the prevalence of ‘weak passwords’, which they classified as any passwords with an entropy below 60 bits. Over a quarter (27 per cent) of those studied were found to be using these weak passwords, and over 71 per cent of UK businesses were found to be employing staff with weak passwords. Collectively, CybSafe’s data indicates that 74 per cent of UK businesses are employing staff who are using vulnerable password combinations – either weak passwords, exposed passwords, or both.

“The prevalence of both weak passwords and exposed passwords pose an extraordinary threat to UK businesses through credential stuffing and brute force attacks,” adds Alashe. “The phenomenon of exposed passwords, in particular, is not a well-understood issue.

“Using strong, varied passphrases across different accounts is the most effective thing people can do to protect themselves and their company from experiencing a successful cyber attack. Leaders need to be thinking about the role that security training and awareness programmes can play in encouraging their people to adopt these best practices.”

Following the study, participants were informed if their passwords were found to be weak or exposed. Exactly two thirds of these decided to change their passwords.


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.