Weak Passwords and Password Policies: A Growing Concern
In 2025, you might expect the threats posed by AI and increasingly sophisticated phishing methods to be the biggest cyber security risks. However, it is often the basics that are overlooked and leave organisations exposed.
In this blog, we explore how weak passwords and inadequate password policies continue to be a significant security risk for organisations and consumers.
Major Breaches Expose Weak Password Policies
The Open Worldwide Application Security Project (OWASP) Foundation claims that “In each of the recent high-profile hacks that have revealed user credentials, it is lamented that most common passwords are still: 123456, password and qwerty.” (source: The OWASP Foundation)
Recent events in the UK have further highlighted the pressing issue of weak password policies and the need to implement and adhere to robust internal processes and governance that mitigate the risk of credentials being compromised.
A recent, massive data breach exposed 184 million logins for companies like Apple and Google. The compromised dataset, discovered in an unprotected online database, included usernames and passwords for various online services and email providers. Cyber security researcher Jeremiah Fowler believes that infostealer malware, often deployed in phishing emails and malicious websites, was used to obtain and compile the compromised dataset. (source: WIRED)
Retail Hacks in the News: Weak Password Reset Process and Social Engineering
In a recent blog post, we explored the incidents involving household names Marks & Spencer (M&S), Co-op and Harrods. It is believed that attackers used a combination of social engineering, impersonating employees and manipulating the IT helpdesk into resetting user account passwords. This allowed threat actors to bypass standard authentication procedures and gain unauthorised access to sensitive information, including customer account details, payment information, delivery details and login credentials.
Many of the compromised credentials had also been reused across multiple platforms, deepening the impact of the breaches. Investigations revealed that both incidents originated from lapses in password complexity requirements and inadequate monitoring for previously compromised credentials. These events underscore how the combination of human manipulation and weak password hygiene leaves organisations, regardless of size or reputation, vulnerable to attack. (source: rradar)
At the recent Manchester Digital E-Commerce Conference, we conducted a live hack on a demo online store to show how quickly a compromise similar to the incidents involving M&S and Co-op can occur.
Weak Passwords Remain a Leading Security Challenge for Web Applications
While most professionals are well-versed in the mechanics of phishing, recent industry reporting underscores how weak passwords continue to amplify the impact of increasingly sophisticated and AI-powered phishing campaigns. According to Verizon's 2024 Data Breach Investigations Report, in 2020 over 60% of breaches in web applications succeeded because of compromised or easily guessed passwords. The 2024 report indicates that this percentage was closer to 40%, so while there has been a reduction, the level of vulnerability remains high. (source: Verizon)
This downward trend suggests that some web application providers are responding to the threat by strengthening authentication requirements. However, the enduring presence of weak credentials among known vulnerabilities highlights the ongoing challenge facing developers and security teams. Notably, applications that permit simplistic, easily guessed, or previously compromised passwords consistently attract the attention of attackers, especially when paired with emerging phishing techniques.
Sophisticated phishing attacks, now frequently using AI-driven tools that customise messages for individual targets, are particularly effective when organisations lack robust password requirements or sufficient authentication methods. As highlighted by Microsoft's Digital Defense Report, AI-generated phishing emails have become such a prevalent threat that Microsoft has reassigned 34,000 engineers to security initiatives, including developing phishing-resistant MFA and strengthening defences against AI-driven threats.
The combination of advanced phishing and weak authentication remains a primary driver of large-scale cyber incidents across sectors, making the case for stronger password policies and ongoing credential monitoring.
Risks Associated with Weak Password Policies
Weak password policies not only increase organisational vulnerability to phishing and the sale of sensitive data on the dark web but also pose significant risks when they allow users to reuse old or previously compromised passwords. Allowing the continued use of credentials exposed in past breaches—such as those affecting the major companies highlighted above—dramatically raises the likelihood of unauthorised access. Without robust policies that prevent password reuse and simple password structures, or that flag known breached passwords, organisations leave a door wide open for attackers to exploit. According to ID Agent, organisations with compromised credentials, including passwords that are reused across different platforms, increase their likelihood of experiencing a cyber incident by 2.56x.
Alarming Statistics and the Danger of Reused Passwords Found on the Dark Web
Recent cyber security analyses continue to reveal the magnitude of compromised credentials on the dark web. According to recent findings from leading VPN provider Surfshark, over 3.2 million British user accounts were compromised in data breaches during the first half of 2025; this equates to approximately 7 British accounts being compromised every minute in Q2 of this year. (source: Tech Digest)
Globally, the pool of compromised accounts on the dark web seems almost infinitely greater. In 2022 Digital Shadows reported that more than 24.6 billion records—primarily emails and passwords—were available on underground forums and cybercriminal marketplaces. (source: Dark Reading)
According to Market.us Scoop, stolen data, including compromised account credentials, is used by 65% of active cyber criminals globally, highlighting the danger that weak or compromised passwords pose by being instrumental in other cyber attacks.
Alarmingly, NordPass found that the most common passwords in these dumps—like “123456” and “password”—made up over 85% of all breached credentials, underscoring the critical risk of password reuse for users and organisations alike. (source: NordPass)
The consequences are severe: reused passwords allow attackers to exploit one breach to access multiple accounts, fuelling cyber attacks such as credential stuffing and a cascade of other threat vectors. As cyber criminals leverage advanced phishing tactics and the anonymity of the dark web, the persistence of weak and repeated passwords remains a significant problem in today’s digital landscape.
Best Practices for Reducing Risk from Weak Password Policies
Implementing comprehensive password security measures is essential for reducing organisational exposure to cyber threats. The following best practices can help mitigate the risks associated with weak password policies:
- Enforce Strong Password Requirements: Mandate the use of complex passwords that combine uppercase and lowercase letters, numbers, and special characters. Prohibit commonly used or compromised passwords and require a minimum password length.
- Implement Multi-Factor Authentication (MFA): Require MFA or two-factor authentication (2FA) for all users, especially for accessing sensitive systems, to provide a crucial layer of security beyond the password.
- Set Regular Password Change Intervals: Establish policies that require users to reset passwords at regular intervals and prevent the reuse of previous passwords, reducing the window of opportunity for attackers.
- Utilise Password Managers: Encourage or provide access to reputable password managers to help users create, store, and use strong, unique passwords across all accounts, minimising the temptation to reuse or simplify credentials.
- Continuous Dark Web Monitoring: Employ tools or services such as CyberLab Control to monitor for compromised credentials on the dark web, allowing for swift response if employee or organisational data is found in breach dumps.
- Comprehensive Staff Training: Deliver regular cyber security awareness training for all employees, with a focus on recognising phishing attempts, the importance of password hygiene, and how to respond to suspicious activity.
- Ongoing Policy Review and Enforcement: Routinely review and update password and authentication policies to adapt to emerging threats and ensure enforcement with automated checks wherever possible.
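The first, third and last of the practices above can be enforced with automated checks at the point a password is set. The following is an added example (not code from this post or from CyberLab) contrasting a length-only policy with one that also checks a common-password list, a breach corpus indexed by 5-character SHA-1 prefix (the k-anonymity layout used by range-query breach APIs, here held offline), and salted hashes of previous passwords. The common-password list, the "Summer2019!" breach entry and the salt value are constructed for the example.

```python
import hashlib
import re

# Constructed for this example: a tiny "most common passwords" list and a tiny
# breach corpus indexed as 5-hex-char SHA-1 prefix -> set of suffixes, so the
# check runs offline and the full hash never has to leave the checker.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "password1", "letmein"}

def sha1_prefix_suffix(password: str):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

BREACHED_INDEX: dict = {}
for _pw in COMMON_PASSWORDS | {"Summer2019!"}:  # "Summer2019!" is a constructed breached credential
    _p, _s = sha1_prefix_suffix(_pw)
    BREACHED_INDEX.setdefault(_p, set()).add(_s)

def history_entry(password: str, salt: bytes):
    """Keep previous passwords only as salted PBKDF2 hashes, never in clear."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def weak_policy(password: str) -> list:
    """The kind of policy the post warns about: a length minimum and nothing else."""
    return [] if len(password) >= 8 else ["too short (min 8)"]

def hardened_policy(password: str, history=(), min_length: int = 12) -> list:
    """Length, character mix, common-list, breach-corpus and reuse checks."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short (min {min_length})")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("needs at least three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on common-password list")
    prefix, suffix = sha1_prefix_suffix(password)
    if suffix in BREACHED_INDEX.get(prefix, set()):
        problems.append("found in breach corpus")
    if any(hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000) == h
           for salt, h in history):
        problems.append("reuse of a previous password")
    return problems

if __name__ == "__main__":
    old = [history_entry("correct-horse-Battery-7!", b"constructed-salt-1")]
    for pw in ("password", "Summer2019!", "correct-horse-Battery-7!"):
        print(pw, "weak:", weak_policy(pw), "hardened:", hardened_policy(pw, old))
```

Note that "password" passes the length-only policy outright, while the hardened policy rejects it on four separate grounds; a password that is strong in isolation is still rejected once it appears in the breach corpus or in the user's own history.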
The Final Word: Enhancing Security Through Effective Password Management
The risks associated with weak password policies are substantial, and organisations must take proactive measures to mitigate these threats.
Implementing robust password policies, educating employees about phishing attacks, and continuously monitoring the dark web for compromised data are essential steps in safeguarding sensitive information.
Find Your Data on the Dark Web
Data breaches happen every day, at companies large and small, with stolen credentials commanding a premium on the Dark Web.
With over 24 billion sets of usernames and passwords currently for sale on the dark web, it has never been more important to keep control of your credentials.
Our advanced scanning software crawls the dark web for your compromised business credentials.
Where it finds stolen data, we identify the source of the breach, alert you instantly, and provide advice on how to keep your accounts secure.
You may be surprised how much of your information is already out there.