Bytesyze Cyber Series: How to create a strong password

The cyber threat landscape is rapidly evolving. It is becoming increasingly sophisticated, impacting individuals and businesses alike. To help you stay one step ahead of cybercriminals, we’re exploring a different aspect of cybersecurity each month in 2025 as part of our bitesize series.

As World Password Day was on Thursday 1 May 2025, this month’s focus is on how to create a strong password.

The risks of not having strong passwords

Weak passwords leave you exposed to security breaches. Hackers can try to get hold of your passwords in several ways, including brute-force attacks, social engineering, data breaches or a deliberately malicious individual.

Once they gain access, they can steal sensitive information and use it for malicious purposes. Beyond the unauthorised access itself, this can lead to identity theft, reputational damage and financial repercussions.


Can I use one strong password across multiple platforms?

If you use the same password across multiple accounts and that password is compromised, hackers could attempt a credential stuffing attack: the compromised username and password combination is tried against many other accounts in an attempt to gain access.

Unfortunately, no matter how strong your password is, there is always a chance that it will fall into the wrong hands, either through a hack or through your details being leaked in a data breach.


How to make a secure password

Maintain your cybersecurity and keep your data safe with our top tips on how to create a strong password.

  1. Avoid the most common passwords

Recent statistics show that many people still opt for common passwords rather than creating strong ones. According to the latest NordPass study, the five most common passwords in the world are[1]:

  1. 123456
  2. 123456789
  3. 12345678
  4. Password
  5. qwerty123

It’s remarkable how many variations of ‘qwerty’, ‘abcde’ and ‘password1’ are still in use today. Other examples of weak passwords include: iloveyou, dragon, monkey, football, princess, sunshine, shadow, michelle, matthew, welcome, trustno1, hello, chocolate, tigger, minecraft, facebook.

Instead, try to choose a password that:

  • Is at least 14 characters long.
  • Uses a combination of upper- and lower-case letters, numbers and special symbols.
  • Is not easy to guess, such as a relative’s name, a pet’s name or any birthday.
  • Does not use sequential numbers or letters, such as 1234 or jklm.
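The checklist above can be turned into a simple validator. This is an added example, not code from the article; the common-password set is constructed from the examples quoted on this page, and `personal_terms` is an assumed caller-supplied list of names and dates that should not appear in the password.

```python
import re

# Constructed from the weak-password examples quoted above (assumed list);
# a real deployment would check against a much larger breached-password list.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty123",
    "iloveyou", "dragon", "monkey", "football", "princess", "sunshine",
    "shadow", "michelle", "matthew", "welcome", "trustno1", "hello",
    "chocolate", "tigger", "minecraft", "facebook", "qwerty", "abcde",
    "password1",
}
MIN_LENGTH = 14  # the article's recommended minimum length


def has_sequential_run(password: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters step by exactly +1 or -1
    in code-point order, which catches 1234, abcd, jklm and also 4321."""
    p = password.lower()
    for i in range(len(p) - length + 1):
        window = p[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, personal_terms=()) -> list:
    """Return the rules the password breaks; an empty list means it passes.
    personal_terms is an assumed caller-supplied list of names, pet names
    or birthdays that should not appear in the password."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if len(password) < MIN_LENGTH:
        problems.append(f"is shorter than {MIN_LENGTH} characters")
    has_all_classes = all(re.search(pattern, password) for pattern in
                          (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if not has_all_classes:
        problems.append("does not mix upper-case, lower-case, digits and symbols")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains easily guessed personal detail '{term}'")
    if has_sequential_run(password):
        problems.append("contains a sequential run such as 1234 or jklm")
    return problems
```

The sequential-run check is case-insensitive and also catches descending runs, which goes slightly beyond the two examples in the list.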


  2. Create a random password using three words

The National Cyber Security Centre (NCSC) recommends combining three completely unrelated words to create an unusual password that is both long enough and strong enough to withstand a hacker’s guesses.[2] An example of this could be branchpaincurtain.
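The three-random-words approach depends on the words being chosen unpredictably from a large pool. The generator below is an added example, not the NCSC’s or the article’s code; it uses Python’s `secrets` module and a small constructed word list (an assumption, far smaller than a real one) and shows how the guessing entropy grows with the size of the list.

```python
import math
import secrets

# Constructed sample wordlist (an assumption for this example); a real generator
# draws from a list of several thousand words so the combination is hard to guess.
WORDLIST = [
    "branch", "pain", "curtain", "kettle", "orbit", "meadow", "velvet", "anchor",
    "puzzle", "glacier", "lantern", "harbour", "cactus", "pebble", "saddle", "quartz",
]


def three_random_words(wordlist=WORDLIST, count: int = 3, separator: str = "") -> str:
    """Join `count` words chosen with the cryptographically secure `secrets` RNG.
    Words are drawn with replacement, which matches passphrase_entropy_bits."""
    return separator.join(secrets.choice(wordlist) for _ in range(count))


def passphrase_entropy_bits(wordlist_size: int, count: int = 3) -> float:
    """Bits of guessing entropy for `count` words drawn uniformly from `wordlist_size`."""
    return count * math.log2(wordlist_size)


def character_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of `length` characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("passphrase:", three_random_words())
    # Why the wordlist must be large: three words from this 16-word sample
    # give only 12 bits, while three from a 7776-word list give about 38.8.
    print(passphrase_entropy_bits(len(WORDLIST)), passphrase_entropy_bits(7776))
    # A 4-digit PIN for comparison: about 13.3 bits.
    print(character_entropy_bits(4, 10))
```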


  3. Utilise multi-factor authentication

Once you’ve selected a strong password, set up multi-factor authentication on every account that offers it. It is sometimes called two-step verification, two-factor authentication or multi-factor authentication, but these terms all mean essentially the same thing. With it enabled, anyone who enters your username and password triggers a second form of authentication: you are sent a code (or asked for an additional password or a fingerprint) to confirm that it is really you before access is granted.

The majority of banks, social media sites and retailers now offer this as an added layer of security against hackers.


How often should I update my password?

There has been some debate about how frequently you should change your password. Cybersecurity company McAfee recommends changing your password every three months, unless you suspect you have been hacked, in which case you should change it immediately.[3]

However, the National Cyber Security Centre (NCSC) suggests that frequent password changes may be counterproductive. The NCSC recognises that if you have to create new passwords frequently, you are more likely to get them muddled up, which means users tend to write them down.[4]

The NCSC also recommends that organisations help employees cope with password overload by no longer enforcing regular password expiry.[5]


Should I use a password manager?

Did you know the average person has 168 passwords to remember? More than half of these (87) are for business-related accounts.[6] Although we are told it is best practice to have a unique password for each account, it’s no surprise that people fall into bad habits such as reusing one password across multiple accounts or writing passwords down.

That’s where a password manager can help. It stores all your passwords securely, meaning you never need to click the dreaded ‘Forgot your password’ button again. Password managers are beneficial in several ways: they remember your passwords, they can help identify fake websites, and they can notify you if your password appears in a data breach.[7]

There are many password managers available, such as Google Password Manager, so it’s best to do some research to find the one that suits you best.

Bear in mind that a password manager has cons as well as pros. For example, if a cybercriminal manages to break into your password manager, they have access to all your accounts. Additionally, if you forget the master password to your password manager, you will not be able to get back in.

Worried about cybercrime?

When it comes to cybercrime, many SMEs don’t have sufficient cyber insurance. But the reality is, the risk of cybercrime to your business far outweighs many other risks that you would cover for without a second thought. It’s time to get real about cybersecurity. Speak to your usual Towergate adviser to find out more.

About the author

Marc Rocker, Head of Cyber, has been with Towergate for over 15 years, advising commercial clients of all sizes on their business insurance needs.

As Head of Cyber Insurance, Marc has responsibility for ensuring that the advice and products that Towergate provides meet clients’ needs. Marc is a member of the British Insurance Brokers’ Association (BIBA) cyber technical committee.


Sources

[1] nordpass.com/most-common-passwords-list

[2] ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

[3] How Often Should You Change Your Passwords? | McAfee

[4] ncsc.gov.uk/collection/passwords/updating-your-approach

[5] ncsc.gov.uk/collection/passwords/updating-your-approach

[6] How many passwords does the average person have? | NordPass

[7] Password managers: using browsers and apps to safely store... - NCSC.GOV.UK


Consistent with our policy when giving comments and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems, we recommend that professional advice be sought.