What's On

Password security for SMEs – why it’s important they can’t be guessed

How many times a day are you asked to input a password online? Your work email, personal email, online banking account, social media, to name just a few, all require a password and it can be tempting to use the same one for everything.

But stop right there! Using the same password for all your online activity, or one that is easy to guess, carries a heavy risk of cyber-attack. So, SMEs that don’t have adequate password security in place are leaving themselves vulnerable.

In February it was reported that as many as 2.2 billion email accounts had been compromised in what could be the biggest data breach in history, with hackers sharing the leaked passwords and emails on cyber-criminal forums.

Cyber-attacks are an ongoing risk for SMEs and businesses should do all they can to protect their password security.

Cyber attackers use a range of techniques to discover passwords. This includes:


IT systems can be searched for password information that is stored electronically;


Attackers can intercept passwords as they are transmitted over a network;

Social Engineering

This is where the attacker uses a variety of techniques, including phone calls and social media, to trick people into revealing their passwords;

Stealing passwords

If you store your passwords insecurely then you are leaving yourself vulnerable to attack e.g. passwords written on a note stuck to your computer;

Manual guessing

Many people use personal information in their passwords, such as the name of their spouse, child or pet, all of which can be figured out with minimal research on the hacker’s part;

Key logging

This is when a person’s keystrokes on a computer, phone or tablet are recorded.

With the array of techniques that attackers use, it’s essential that SMEs have a robust and workable password security policy.

It is advisable to:

• Ban the most common passwords
• Monitor failed logins and train staff to recognise and report suspicious activity
• Never store passwords in plain text format
• Prioritise administrator and remote user accounts

On average people use the same password for four different websites and the average UK citizen has a total of 22 online passwords. That’s a lot of passwords to remember however, there are measures you can put in place to help your staff to remember them.

This includes:

• Only using passwords where they are necessary
• Putting systems in place that allow staff to securely record and store their passwords
• Only asking staff to change their passwords if there is suspicious compromise
• Allowing staff to reset passwords easily and cheaply

You can help staff to improve their password security by:

• Advising against using predictable passwords
• Encouraging them to use different passwords at work and at home
• Making them aware of the limitations of password strength meters
• Putting technical defences in place so less complicated passwords can be used

With cyber attackers becoming smarter and more sophisticated, businesses should also consider Multi-factor authentication (MFA), which adds an extra layer of security that can help reduce the risk of cyber-attacks. You may have already come across MFA through your online banking, where you use a secure key pad on top of your passwords to access your accounts.

In a nutshell, MFA is an authentication method in which the user is granted access only after successfully presenting two or more pieces of evidence (or factors) that they possess on them.

Factors generally used in MFA are:

• Knowledge – something only the user knows

• Password
• Phrase etc.

• Possession – something only the user has

• Disconnected Tokens
– Separate device (usually provided by vendor, bank etc)

• Connected Tokens
– Card Readers
– Wireless Tags

• Software Tokens
– Authenticator App

• Inherence – something on the user

• Biometrics
– Fingerprint
– Face
– Voice
– Iris

Latest Tweets

Latest News

  • Post GDPR – what SMEs should be doing one year on from GDPR
    It’s almost a year since the EU General Data Protection Regulation (GDPR) came into force. Described as the most important change in data privacy regulation in 20 years, its aim was to update laws that protect the personal information of individuals, and organisations that don’t comply could face

    read more ...