Easy to hack passwords banned in the UK
by Helen C. May 2024
Passwords are the front line of defence for most people protecting their data online, and a new UK law now bans internet-connected devices from being sold with certain easy-to-guess passwords.
The new laws came into effect this week, a significant step towards protecting consumers from the soaring number of cyber-attacks affecting businesses and individuals alike. Internet-connected smart devices must now meet the minimum security requirements set out in the legislation.
What do passwords do?
Passwords can be thought of as house keys: the password is the key and your information is the house. A key lets you into your own house and nobody else's, and a password works the same way. If you give your key away or lose it, your house is no longer secure and other people can get in. Passwords are the gatekeepers to our information, so it is vital that they are strong.
All an attacker needs to get in is your account name and your password. Since the account name is usually an email address or your name, which are easy to find, the password is doing almost all of the work and must be strong enough to protect your data on its own.
When a business suffers a data breach, what is stolen is often a huge list of email addresses, leaving cyber criminals one step closer to your accounts. That is one of the reasons the government has changed the legislation.
The 5 most common passwords used by businesses in the UK
NordPass has been tracking the password habits of business executives across several levels of management, and found that the top five passwords are:
1: 123456
2: password
3: 12345
4: 123456789
5: qwerty
Alarmingly, passwords like these sit at the top of every attacker's guessing list and can often be cracked in under a minute. Is your password on the list?
The need for this legislation is clear, and the government has pledged £2.6 billion as part of the wider National Cyber Strategy, which aims to protect and promote UK national interests in cyberspace.
In a country where nearly 99% of adults own a smart device and the average home has nine connected smart devices, this legislation is a crucial step forward in cyber security.
Speaking about the impact of the new law, Minister for Cyber, Viscount Camrose said:
“From today, consumers will have greater peace of mind that their smart devices are protected from cyber criminals, as we introduce world first laws that will make sure their personal privacy, data and finances are safe.”
A world-first
The UK is the first country in the world to introduce laws like these, which mean that all internet-enabled devices, including phones, games consoles and even fridges, must meet legally required standards to protect consumers from hacking and cyber-attacks.
Data and Digital Infrastructure Minister Julia Lopez said: “Our pledge to establish the UK as the global standard for online safety takes a big step forward with these regulations, moving us closer to our goal of a digitally secure future.”
A recent Which? investigation found that a home filled with smart devices could face more than 12,000 hacking attempts in a single week. Across just five devices in one week, 2,684 of those attempts were guesses at weak and default passwords.
Scaled up to the average UK home, that is around 4,697 attempts a week to guess weak and default passwords, or roughly 244,000 attempts over a year.
Strong passwords should form an integral part of any cyber security strategy, and Monday's changes not only recognise this but write the need for strong passwords into law. Hopefully this will highlight their importance across all devices, whether or not the law mandates it. Strong passwords should always be used to keep your data secure.
What makes a strong password?
A lot has been written about what makes a strong password and there is plenty of guidance floating around the web, so let's keep it simple:
- Your password should be random and unguessable, with no identifiable information that could be found easily on the web or guessed after a quick glance at a social media page. We recommend a minimum of 20 characters mixing upper and lower case letters, symbols and numbers; the longer and more random it is, the harder it is to crack. Aim for something that does not read like English and would not be found in a dictionary.
Good password example: P9*joo&Ghj^rdf£40slE3JH
Bad password example: Panda
- Create a new password for every site you use. Lots of random, unique passwords like the good example above are essential.
- Never reuse the same password across multiple sites: one breached site should not hand attackers the keys to all your other accounts.
- Change a password promptly if you suspect it has been exposed, for example after a breach notification, and give priority to sites holding sensitive or personal data such as your bank. Routine forced changes add far less protection than length, uniqueness and multi-factor authentication.
- Never write your password on a piece of paper or keep it anywhere others can easily get at it, and do not share it.
These steps will help you to create a strong password, but we recommend a multi-faceted approach to using passwords to keep your data safe and keep the hackers at bay.
The new law
Under the law, manufacturers must take steps to tackle the growing threat of cyber-crime and provide improved security for consumers. In a nutshell, the law means that:
- Passwords that hackers can easily guess, such as "12345" or "admin", are banned because they create vulnerabilities in the device's security. If a user tries to set this kind of password, they will be prompted to change it.
- Manufacturers must publish contact details so that consumers can report security issues easily and have them dealt with in a timely manner.
- Manufacturers and retailers must be clear and open with consumers about how long they can expect to receive important security updates.
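The following is an added example, not code from the article or from any manufacturer, showing the kind of check a device or website would need in order to enforce the password guidance above (minimum length, randomness, nothing from a dictionary) and to refuse easily guessed defaults such as "12345" or "admin". It generates passwords from a cryptographically secure source, estimates their entropy, and returns the reasons a candidate is rejected. The blocklist is constructed from the five common passwords listed earlier plus "admin"; the 80-bit entropy threshold and the 32-symbol allowance for non-ASCII characters are assumptions for this example.

```python
import math
import secrets
import string

# Constructed blocklist for this example: the five most common passwords from the
# NordPass list above plus "admin". A real device or site would load a far larger
# list (tens of thousands of entries from breach corpora) and compare against it.
COMMON_PASSWORDS = frozenset(
    {"123456", "password", "12345", "123456789", "qwerty", "admin"}
)

MIN_LENGTH = 20  # the article's recommended minimum
MIN_BITS = 80.0  # assumed entropy floor for this example
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = MIN_LENGTH) -> str:
    """Draw every character from the OS CSPRNG via secrets, never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def pool_size(password: str) -> int:
    """Size of the alphabet the password appears to draw from.

    Characters outside the four ASCII classes (for example a pound sign) are
    credited as a small extra class of 32 symbols; an assumption for this example.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    if any(not c.isascii() for c in password):
        pool += 32
    return pool


def estimated_entropy_bits(password: str) -> float:
    """Optimistic upper bound log2(pool ** length).

    Anything with structure (words, dates, keyboard walks) is much weaker than
    this suggests, which is why the blocklist check carries more weight.
    """
    pool = pool_size(password)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, *, blocklist=COMMON_PASSWORDS,
                   min_length: int = MIN_LENGTH, min_bits: float = MIN_BITS) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    A device would run a check like this when a user sets a password and keep
    prompting for a new one while the list is non-empty.
    """
    reasons = []
    if password.lower() in blocklist:
        reasons.append("on the list of commonly used passwords")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if len(set(password)) < 4:
        reasons.append("too few distinct characters")
    if estimated_entropy_bits(password) < min_bits:
        reasons.append(f"below {min_bits:.0f} bits of estimated entropy")
    return reasons


if __name__ == "__main__":
    for candidate in ("12345", "Panda", "P9*joo&Ghj^rdf£40slE3JH", generate_password()):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {estimated_entropy_bits(candidate):.1f} bits, {', '.join(verdict)}")
```

Note that the blocklist comparison is case-insensitive, so "Password" and "ADMIN" are caught as well as the lower-case forms, and that the generator never needs the entropy estimate: 20 characters drawn uniformly from a 94-symbol alphabet is about 131 bits regardless of which classes happen to appear.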
A step for businesses and consumers
National Cyber Security Centre (NCSC) Deputy Director for Economy and Society, Sarah Lyons said: “Businesses have a major role to play in protecting the public by ensuring the smart products they manufacture, import or distribute provide ongoing protection against cyber-attacks and this landmark Act will help consumers to make informed decisions about the security of products they buy.”
Neither businesses nor consumers should underestimate this step: it is a vital move in the fight against cyber crime and the devastating consequences it can have for both. Be aware of the changes and understand how they affect you.
Ms Lyons continued:
“I encourage all businesses and consumers to read the NCSC’s point of sale leaflet, which explains how the new Product Security and Telecommunications Infrastructure (PSTI) regulation affects them and how smart devices can be used securely.”
Keeping a device safe means not only choosing a strong password but practising good password hygiene: storing the password somewhere safe, and adding a layer beyond the password itself with multi-factor authentication.
Keeping your passwords safe
Although the new laws do not mandate these steps, taking them strengthens your password defences and gives you a more robust security posture that is harder for cyber criminals to break.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) adds another step to the process of reaching your data. Because a further verification is required before you are let into the account, an attacker cannot get in simply by knowing your username and password. They would also need, for example, a code sent to your phone or generated by an authenticator app or your password manager, which makes the account much harder to take over.
MFA can usually be turned on for free on accounts holding critical information, and many password managers can generate the one-time codes that must be typed in after the password, keeping your information safe.
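The one-time codes mentioned above are usually produced with TOTP (RFC 6238), the scheme behind authenticator apps and the built-in generators in password managers. The following is an added example, not code from the article or from any vendor, showing both sides of that exchange: the generator that turns a shared secret and the current time into a six-digit code, and the server-side verifier that allows one step of clock drift and refuses any code at or below the last counter it accepted, which is what makes the codes one-use. The secret is the published RFC 6238 test secret so the output can be checked against the RFC's vectors; a real secret is random and unique per account.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

DIGITS = 6
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_counter(unix_time: float, step: int = STEP_SECONDS) -> int:
    """The counter is simply the number of whole steps since the Unix epoch."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, totp_counter(unix_time, step), digits)


def verify_totp(secret: bytes, submitted: str, unix_time: float,
                last_counter: int, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the counter that matched, or None.

    window=1 tolerates one 30-second step of clock drift either way.
    Any counter <= last_counter is refused, so a code that was already accepted
    (or an older one captured in transit) cannot be replayed; the caller stores
    the returned counter as the new last_counter.
    hmac.compare_digest prevents the comparison from leaking a match via timing.
    """
    current = totp_counter(unix_time)
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238's SHA-1 test secret, used only so the result is checkable
    # against the RFC (time 59 gives 94287082, i.e. "287082" at six digits).
    secret = b"12345678901234567890"
    print(totp(secret, 59))
    print(totp(secret, time.time()))  # what an authenticator app would show now
```

In practice the shared secret is shown to the user once as a QR code (base32-encoded) when MFA is enrolled, and the server stores it alongside the last accepted counter; a stolen password alone gives an attacker neither.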
Password Managers
A password manager is the safest place to store your passwords. You can create passwords yourself or let the manager generate them, and it stores them securely so that you only need to remember the one master password that unlocks it. The passwords are held in an encrypted vault that the provider itself cannot read, so only you know what your passwords are. The manager itself can also be protected with two-factor authentication.
Password manager apps are easy to install on your phone or PC and give you a workable way to use long passwords without needing the memory of an elephant.
A multi-faceted approach strengthens your defences and helps keep your data secure; even adopting just one of the measures above alongside a strong password helps. We recommend a strong, unique password for every site, all of them stored safely in a password manager, and multi-factor authentication everywhere you can turn it on.
These legislative changes are intended to increase consumer confidence in the safety of the products they buy and use, so it is important for businesses and consumers alike to know about the changes and the reasons behind them.