Why strong passwords still matter - use our password strength checker

27/03/26 Wavenet

Passwords remain one of the most common entry points for cyber attacks. Despite advances in authentication technologies, compromised credentials continue to play a major role in data breaches, ransomware incidents, and account takeovers. This article explains what you can do to help, and includes the top 10 tips for creating secure passwords and a password strength checker so this page can be shared with your users to help them understand and adopt good practices.

What are the key factors involved in keeping credentials secure?

Keeping credentials secure combines strong passwords, password managers, multi-factor authentication (MFA) and ongoing awareness of emerging threats, including AI-driven attacks. Understanding how these elements work together is critical for protecting business information.

Do strong passwords really matter?

Your password is often the first line of defence against unauthorised access to systems, applications, and data. Weak or reused passwords can allow attackers to bypass even the most advanced security technologies.

Strong passwords help to:

  • Prevent unauthorised account access.
  • Reduce the impact of phishing attacks.
  • Limit the damage caused by data breaches.
  • Protect sensitive business information.

We regularly see how compromised credentials are used as a starting point for wider cyber incidents. This makes identity security a critical foundation of any cyber resilience strategy.

Follow NCSC guidance regarding passwords. The guidance changes regularly, so it’s well worth a review even if you’ve already read it.

The role of password managers

A password-free future is very much the direction of travel in terms of security. In the meantime, adhering to best practice around password management is still extremely relevant.

Remembering dozens of complex, unique passwords is unrealistic without support. Password managers solve this problem by securely generating and storing credentials in encrypted vaults.

Key benefits include:

  • Automatic creation of strong, unique passwords.
  • Secure encrypted storage.
  • Reduced risk of password reuse.
  • Protection against phishing by only auto-filling on trusted websites.
  • Improved user experience and compliance.

Best practice:

  • Protect password managers with MFA or hardware security keys.
  • Use a long, strong master passphrase.
  • Avoid storing credentials in spreadsheets or unsecured documents.

Why multi-factor authentication (MFA) is essential

Even strong passwords can be compromised. MFA adds a second layer of protection by requiring something you have or are, in addition to something you know.

Common MFA methods include:

  • Authentication apps.
  • Hardware security keys.
  • Biometrics.
  • One-time passcodes.

MFA can prevent the majority of account takeover attempts, even when passwords are stolen.

Best practice:

  • Enable MFA on all critical systems (email, cloud platforms, financial applications, remote access).
  • Avoid SMS-based MFA where possible in favour of app-based or hardware-based options.

AI and the changing password threat landscape

Artificial intelligence is now being used by cyber criminals to improve the realism and scale of attacks.

AI enables attackers to:

  • Generate convincing phishing emails.
  • Create fake login websites.
  • Automate password guessing and credential stuffing.
  • Personalise social engineering attacks using publicly available data.

At the same time, AI is helping defenders detect abnormal login behaviour and identify threats faster. This makes strong identity controls — including passwords, MFA, and user education — more important than ever.

Organisations must ensure that:

  • Employees understand modern phishing techniques.
  • Password policies reflect current attack methods.
  • AI tools are governed and used securely.

Building a secure password strategy

A modern password strategy should include:

  • Long, unique passwords or passphrases.
  • Password managers for safe storage.
  • Mandatory MFA for critical systems.
  • Ongoing user education.
  • Monitoring for compromised credentials.
  • Regular policy and control reviews.

Passwords should be treated as part of a broader identity and access management framework, not as a standalone control.

Top 10 best practices for creating secure passwords

1. Use long passwords or passphrases

Aim for a minimum of 8 characters. Length is one of the most important factors in password security. Longer passwords take significantly more time and computing power to crack.

Passphrases made up of multiple unrelated words are both strong and easier to remember.

2. Use a mix of character types

Using a mix of character types increases complexity and reduces the success of automated attacks.

Examples include:

  • Uppercase and lowercase letters.
  • Numbers.
  • Special characters.

3. Avoid personal information and common words

Do not use names, birthdays, addresses, or dictionary words. Attackers use automated “dictionary attacks” and leaked password databases to guess credentials quickly.

4. Never reuse passwords across accounts

Each account should have a unique password. Reuse allows attackers to move rapidly between systems if one service is compromised.

Password reuse remains one of the most common causes of large-scale account breaches.

5. Avoid predictable patterns

Predictable patterns are among the first combinations tested by attackers.

Avoid simple sequences such as:

  • 123456
  • password
  • qwerty
  • Substituting letters with obvious symbols (e.g. P@ssw0rd)

6. Change passwords when risk increases

Critical business systems should be reviewed regularly as part of security policy.

Passwords should always be changed if:

  • A service reports a breach.
  • Phishing or suspicious activity is detected.
  • Credentials may have been exposed.

7. Be alert to phishing and social engineering

Phishing remains the most effective way to steal credentials.

Always make sure that you:

  • Verify unexpected login or reset requests.
  • Avoid clicking links asking you to confirm passwords.
  • Check website addresses carefully.
  • Never share passwords by email or phone.

Even the strongest password offers no protection if it is handed directly to an attacker.

8. Use multi-factor authentication

Enable MFA wherever possible to add an extra layer of security. Even the strongest passwords can be compromised, but MFA significantly reduces the risk of account takeover.

9. Use a password manager

Password managers generate, store, and autofill strong, unique passwords for every account, reducing the risk of reuse and phishing. Combined with MFA, they provide a robust foundation for identity security.

10. Regularly review and update your company password policies

Passwords and access controls are only effective if supported by clear policies and regular reviews.

Ensure your organisation:

  • Updates password requirements to reflect current threats and NCSC guidance.
  • Enforces rules around password length, complexity, and MFA use.
  • Periodically audits accounts to remove inactive or unused access.
  • Provides training so employees understand modern phishing and AI-driven attack techniques.

Proactive policy management ensures that strong passwords, MFA, and password managers remain effective and aligned with emerging threats.

How strong is YOUR password?

Is your password secure? Here's a handy password checker that will let you know. Don't worry, it's not a "scam" or a test, and you don't have to hit "enter": the results are shown to you privately.

Password strength checker

Enter a password below to instantly see how strong it is.

Password requirements

  • At least 8 characters
  • One uppercase letter
  • One lowercase letter
  • One number
  • One special character
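
The five requirements above, checked together with the predictable patterns from tip 5, as an added example (this is not the code behind the checker on this page). The function names, the verdict labels and the substitution table are assumptions, and the sample passwords are constructed. It shows that "P@ssw0rd" meets every composition rule and is only caught by the pattern check.

```javascript
// Added example: names, verdict labels and the substitution table are
// illustrative assumptions, not the code behind the checker on this page.

// The five requirements listed on the page. Spaces and non-ASCII letters
// count as "special" here because they are not A-Z, a-z or 0-9.
const REQUIREMENTS = [
  { id: "length",  test: (p) => [...p].length >= 8 },
  { id: "upper",   test: (p) => /[A-Z]/.test(p) },
  { id: "lower",   test: (p) => /[a-z]/.test(p) },
  { id: "number",  test: (p) => /[0-9]/.test(p) },
  { id: "special", test: (p) => /[^A-Za-z0-9]/.test(p) },
];

// Predictable patterns named in tip 5.
const PREDICTABLE = ["123456", "password", "qwerty"];

// Obvious symbol-for-letter swaps, undone so "P@ssw0rd" reads as "password".
const SUBSTITUTIONS = {
  "@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
  "3": "e", "$": "s", "5": "s", "7": "t",
};

function normalise(password) {
  return [...password.toLowerCase()]
    .map((c) => SUBSTITUTIONS[c] ?? c)
    .join("");
}

function checkPassword(password) {
  // Which of the page's five requirements are not met.
  const failed = REQUIREMENTS.filter((r) => !r.test(password)).map((r) => r.id);

  // Look for each pattern in the raw lowercase form (catches "123456")
  // and in the de-substituted form (catches "p@ssw0rd").
  const lower = password.toLowerCase();
  const plain = normalise(password);
  const patterns = PREDICTABLE.filter((w) => lower.includes(w) || plain.includes(w));

  let verdict = "passes";
  if (patterns.length > 0) verdict = "predictable";
  else if (failed.length > 0) verdict = "fails-requirements";
  return { failed, patterns, verdict };
}

// Constructed sample inputs.
for (const pw of ["P@ssw0rd", "Qwerty123456!", "correct horse", "Tr4il-Maple-Osc1llate"]) {
  console.log(pw, JSON.stringify(checkPassword(pw)));
}
```

A "passes" verdict only means the password clears this checklist and short pattern list; it says nothing about reuse or exposure in a breach.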

Conclusion

Strong passwords remain a critical foundation of cyber security, but they must be supported by password managers, multi-factor authentication, and user awareness to be truly effective.

As AI-driven attacks become more sophisticated, organisations must adopt a layered approach to access security that goes beyond basic password rules. By combining proven controls with expert guidance, it is possible to significantly reduce the risk of account compromise and data loss.

We support organisations at every stage of this journey, from policy design and technology implementation to ongoing monitoring and managed security services, helping you strengthen identity security and build long-term cyber resilience.

Speak to our team to strengthen your security posture and reduce credential-related risks.
