
Why Employee Passwords Matter More Than You Think

Published 23.07.25
7 Min Read
Vikki Baker
Support & Maintenance

A look at why employee passwords are such a critical part of your organisation’s digital security, and what you can do about it.

I originally wrote a post about password habits back in 2020. In light of recent headline-making cyber attacks and data breaches impacting the likes of Co-op, M&S, and the Harris Federation, I thought it was worth dusting off the topic for 2025.

The post I wrote in 2020 focused more on the password habits of the individual, but these habits can have serious implications for businesses if proper organisational security and password practices are not put in place.

Password Habits Are Still A Big Issue

For the past 6 years, NordPass have put out a report analysing password habits. It contains the top 200 most common passwords, how many uses each has had, and the time it would take them to be cracked in a brute force attack. It always makes for unsettling reading.

What’s even more unsettling is that not much has changed since I covered the list in 2020. The most current list (2024) is still full of the usual easy-to-crack suspects.

Filtering by just the UK, here are the top 15:

Rank | Password   | Time To Crack It | Count
1    | password   | < 1 Second       | 21,128
2    | querty123  | < 1 Second       | 20,814
3    | qwerty1    | < 1 Second       | 18,660
4    | 123456     | < 1 Second       | 17,415
5    | liverpool  | < 1 Second       | 11,414
6    | 123456789  | < 1 Second       | 7,998
7    | password1  | < 1 Second       | 7,338
8    | querty     | < 1 Second       | 6,249
9    | liverpool1 | < 1 Second       | 5,900
10   | arsenal    | < 1 Second       | 5,079
11   | 12345678   | < 1 Second       | 4,643
12   | chelsea    | < 1 Second       | 4,351
13   | Password   | < 1 Second       | 4,331
14   | charlie    | < 1 Second       | 4,274
15   | football   | < 1 Second       | 4,166

Football fans are not doing themselves any favours…

That Liverpool Fan Might Have Admin Access

Now, picture this. One of these passwords is a favourite of yours, or of an employee with admin access to your website. You may have the best firewall and website security infrastructure in place, but it doesn’t matter if the bad guys can log straight in.

A password that can be cracked in under a second, or a set of stolen credentials, can give a malicious actor admin access to your website in seconds. From there, think of the havoc they could wreak.

What’s the point of hanging up strings of garlic, crucifixes, and stockpiling bottles of holy water, if you’re just going to invite the vampire right in?

Be more like Giles

The Potential Fallout From Poor Password Habits

When it comes to cybersecurity, your biggest vulnerability might not be an unpatched server or outdated software. It could be something as simple as a weak employee password.

Despite advancements in encryption, firewalls, and cloud security, a surprising number of data breaches still happen because of poor password practices.

A recent article from the BBC shares the unfortunate story of KNP. They were a 158-year-old transport firm. “Were” is sadly the correct tense in this case.

As the article details, it is believed that a single employee’s weak password was all it took for hackers to gain access to the company’s computer systems. From there, the hackers encrypted the company’s data and locked staff out of their own systems. This led to the company closing its doors, and 700 people losing their jobs.

The Problem With Passwords

From “123456” to “Qwerty!”, people still use easily guessable passwords far too often, and because so many employees reuse passwords across work and personal accounts, one breach on a third-party platform can compromise your entire system.

Even businesses with sophisticated infrastructure can fall victim to:

  • Phishing attacks – that steal login details.
  • Brute-force attempts – that guess weak passwords.
  • Credential stuffing – where hackers try known password/email combinations across multiple platforms.

Why It’s A Business Risk

Poor password hygiene isn’t just an IT issue, it’s a business risk. A compromised email or admin login can lead to:

  • Data theft (especially dangerous in sectors like healthcare, education or finance).
  • Malware injection or ransomware attacks.
  • Reputational damage.
  • Significant downtime or revenue loss.
  • Non-compliance with GDPR, ISO 27001, or industry-specific standards, and potential fines.
  • In the worst-case scenario (like the example mentioned above), the loss of the business altogether.

Best Practices To Strengthen Password Security

Here’s how to build a stronger foundation for password and login security across your team:

1. Use a Password Manager

Encourage (or enforce) the use of password managers like 1Password, NordPass, or LastPass to generate and store strong, unique passwords for every platform.

2. Enable Two-Factor Authentication (2FA)

Wherever possible, implement 2FA, especially for admin logins, email platforms, CMS access (like WordPress), and financial tools. This adds an extra layer of protection even if a password is compromised, and notifies you of login attempts.

There are numerous methods of two-factor authentication available now, including:

  • Unique codes sent to phones or email addresses.
  • Authenticator codes generated by apps.
  • Passkeys linked to specific devices.

3. Educate Your Team

Provide regular training on phishing, safe browsing, and how to spot suspicious activity. Cybersecurity awareness is not just an IT problem, it’s a culture.

4. Set Clear Policies

Have a documented password policy that outlines expectations, required complexity, and rotation frequency. Make sure it’s part of your onboarding and off-boarding process.
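
A documented policy can be backed by a check that rejects the passwords from the table earlier in this post along with their trivial variants (a year or "!" on the end, "@" for "a"). This is an added example, not code from the original post; the function names, the 12-character minimum and the character swaps are assumptions.

```python
import re

# The 15 UK entries from the table in this post. A real policy check would
# load a far larger breached-password list; this short set is illustrative.
COMMON = {
    "password", "querty123", "qwerty1", "123456", "liverpool", "123456789",
    "password1", "querty", "liverpool1", "arsenal", "12345678", "chelsea",
    "Password", "charlie", "football",
}
COMMON_LOWER = {p.lower() for p in COMMON}

# Assumed character swaps people use to dress up a common word.
SWAPS = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "5": "s", "$": "s"})

def base_word(password):
    """Lowercase, drop trailing digits/symbols, undo simple character swaps."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(SWAPS)

# Base words behind the listed passwords (digit-only entries reduce to "").
COMMON_BASES = {base_word(p) for p in COMMON} - {""}

def screen(password, min_len=12):
    """Return a list of reasons to reject; an empty list means accepted."""
    reasons = []
    if len(password) < min_len:          # min_len is an assumed policy value
        reasons.append("too_short")
    base = base_word(password)
    if password.lower() in COMMON_LOWER:
        reasons.append("common")         # exact match, ignoring case
    elif base == "":
        reasons.append("no_letters")     # digits and symbols only
    elif base in COMMON_BASES:
        reasons.append("common_variant") # listed word with decoration
    return reasons
```

A password such as "P@ssw0rd2025!" meets a typical length and character-class rule yet still reduces to the first entry in the table, which is why the check compares base words rather than exact strings.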

5. Monitor & Audit

If you’re managing a large team or using cloud infrastructure, consider tools that monitor for compromised credentials or unauthorised logins.
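
As an added example (not part of the original post), the sketch below shows the kind of check such monitoring performs: it separates brute-force attempts against one account from credential stuffing across many accounts, and flags a successful login that follows repeated failures. The log format, the threshold of 5 and the sample events are constructed assumptions, and no time window is applied.

```python
from collections import defaultdict

# Constructed sample events: "<timestamp> <source IP> <username> <OK|FAIL>".
# The format is an assumption; adapt the parsing to your own login audit log.
SAMPLE_LOG = """\
2025-07-23T09:00:01Z 203.0.113.7 admin FAIL
2025-07-23T09:00:02Z 203.0.113.7 admin FAIL
2025-07-23T09:00:03Z 203.0.113.7 admin FAIL
2025-07-23T09:00:04Z 203.0.113.7 admin FAIL
2025-07-23T09:00:05Z 203.0.113.7 admin FAIL
2025-07-23T09:00:06Z 203.0.113.7 admin OK
2025-07-23T09:05:10Z 198.51.100.23 alice FAIL
2025-07-23T09:05:11Z 198.51.100.23 bob FAIL
2025-07-23T09:05:12Z 198.51.100.23 carol FAIL
2025-07-23T09:05:13Z 198.51.100.23 dave FAIL
2025-07-23T09:05:14Z 198.51.100.23 erin FAIL
2025-07-23T09:10:00Z 192.0.2.10 vikki FAIL
2025-07-23T09:10:20Z 192.0.2.10 vikki OK
"""

def classify_sources(log_text, threshold=5):
    """Return {ip: set of findings} for sources with suspicious login patterns."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> username -> failures
    findings = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, ip, user, result = parts
        if result == "FAIL":
            fails[ip][user] += 1
        elif result == "OK" and fails[ip].get(user, 0) >= threshold:
            # A login that succeeds after many failures may be a guessed password.
            findings[ip].add("success_after_failures:" + user)
    for ip, per_user in fails.items():
        # Many failures against a single account: password guessing.
        if max(per_user.values(), default=0) >= threshold:
            findings[ip].add("brute_force")
        # Failures spread across many accounts: leaked credential pairs being tried.
        if len(per_user) >= threshold:
            findings[ip].add("credential_stuffing")
    return dict(findings)
```

The single mistyped password from 192.0.2.10 produces no finding, while the other two sources are reported with different labels, which matters because the responses differ: a guessed admin password calls for an immediate reset and session review, while stuffing calls for checking which accounts reuse breached credentials.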

For more ideas and potential risks to educate your employees about, check out my previous post, which includes a list of top tips for passwords and general personal online security.

Break Bad Password Habits And Improve Your Cyber Security

Cybersecurity is never just about technology, it’s about people. When your team understands the role they play in protecting company data, everyone benefits.

If you need support auditing your website, implementing best practices, or securing access to your WordPress or WooCommerce site, contact us at Impact Media. We’re here to help you keep your site safe, fast, and secure.

Vikki Baker
Digital Marketing Manager, Cat Lady & Former Female Indiana Jones
Vikki has over 14 years of experience in Digital Marketing for WordPress specialist agencies. She loves WordPress for its simplicity of use, huge flexibility, and how great it is for SEO.