A stolen password might seem like a minor inconvenience, but it is one of the most common ways cyber criminals gain access to business systems, sensitive data, and customer information.
Joshua Walsh, Information Security Practitioner at rradar, relentless’s embedded legal and risk management partner, believes there is a persistent misconception that serious cyber incidents mainly affect large organisations. In reality, SMEs are frequently exposed to far simpler vulnerabilities, including compromised credentials and everyday security gaps.
Despite a growing awareness of cyber risk, poor password habits persist. The latest research from NordPass shows that “123456,” “admin,” and “123456789” are still among the most commonly used passwords.

This matters because a weak password is not just an IT problem. Once an attacker gains access to a key system, the consequences can quickly spread across the wider business.
Why passwords are an easy target
Many cyber incidents are not caused by sophisticated technical failures, but by weaknesses in people, processes and everyday business practices. This often happens when warning signs go unrecognised or unreported by employees, and where security protocols are not robust enough to challenge seemingly trustworthy communications.
In many cases, exploiting weak credentials is far easier and more effective for attackers than attempting to bypass advanced technical defences. Passwords remain an attractive target because they act as a gateway to critical business systems, from email and finance platforms to cloud tools and more. Human behaviour can increase the risk, as people are often predictable. Convenience is frequently prioritised over security, leading to weak password choices or reused credentials. This creates a high-reward, low-effort opportunity for attackers, as a single compromised login can provide much broader access than businesses realise.
The business impact
The commercial consequences of a stolen password are often far greater than many SMEs realise. A compromised credential does not just create an IT issue; it can disrupt day-to-day operations, expose sensitive customer or financial data, trigger regulatory scrutiny and create significant reputational fallout.
The damage often extends beyond the initial intrusion. A compromised email account, for example, can allow cyber criminals to impersonate trusted employees, intercept communications or manipulate payment instructions in ways that appear entirely legitimate. Because these attacks often exploit normal business processes rather than technical failures, they can go undetected for longer, increasing the cost and complexity of the response.
For smaller businesses especially, the impact can be commercially significant, from operational downtime and lost productivity to legal advice, incident response support, customer communications and potential insurance claims. What starts with a single stolen password can quickly escalate into a much wider business problem.
Prevention matters
Cyber resilience is no longer just about responding when something goes wrong. For SMEs, simple preventative measures can make the difference between a minor incident and a major business disruption.
Steps to strengthen password security
A strong password should be difficult enough to guess that it provides meaningful protection. Here are some practical steps businesses can take:
- Prioritise longer, stronger passwords – Aim for passwords of at least 12 characters, using a mix of uppercase and lowercase letters, numbers and special characters. Short passwords remain significantly easier to crack.
- Avoid predictable password habits – Steer clear of personal information, common words and obvious variations, such as “Password1!” or swapping letters for symbols. Cyber criminals actively design tools to exploit these patterns.
- Use passphrases instead – A long string of random words that is easy to remember but hard to guess can often provide stronger protection.
- Never reuse passwords – Using the same password across multiple accounts creates unnecessary risk. Even if it is a strong password, one compromised login can unlock several accounts.
- Enable multi-factor authentication (MFA) – Even strong passwords can be stolen through phishing or credential theft. MFA adds a vital second layer of protection, making it significantly harder for attackers to gain access.
- Use a password manager – These help teams generate and securely store strong, unique credentials without relying on memory or insecure workarounds.
- Consider using passkeys where possible – Passkeys are becoming the preferred alternative to traditional passwords because they remove the need to remember or type credentials. They are tied to a trusted device and are far more resistant to phishing, password theft and credential reuse attacks.
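The checks in the list above (minimum length, no common passwords, no obvious variations such as “Password1!” or symbol swaps, no personal information, and random-word passphrases) can be enforced at the point where staff set or change a password. The following Python script is an added illustration of how such a policy check might be written; it is not code from the article or from rradar. The blocklist and wordlist are tiny constructed samples (a real deployment would load a large breached-password list and a diceware-style wordlist), and the function names `check_password`, `normalise` and `generate_passphrase` are hypothetical.

```python
import re
import secrets

# Constructed mini blocklist for this example. In practice load a large
# breached/common-password list (thousands of entries) instead.
COMMON_PASSWORDS = {
    "123456", "admin", "123456789", "password", "qwerty", "letmein", "welcome",
}

# Undo the symbol-for-letter swaps the article warns about ("P@ssw0rd").
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12  # the article's recommended minimum

# Constructed wordlist; a real deployment would use a large diceware-style list.
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "lantern",
            "velvet", "copper", "meadow", "glacier", "pixel", "harbour"]


def normalise(password: str) -> str:
    """Reduce a password to the 'base word' that cracking rules target:
    lower-case it, drop trailing digits/punctuation ("Password1!" -> "password"),
    then undo common symbol substitutions ("p@ssw0rd" -> "password")."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET_MAP)


def is_sequential(s: str) -> bool:
    """True for runs such as '123456', 'abcdef' or 'aaaaaa'."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({0}, {1}, {-1})


def check_password(password: str, personal_terms=()) -> list[str]:
    """Return the list of policy failures; an empty list means the password
    passed every check implemented here. personal_terms is the user's name,
    company name, etc., which must not appear in the password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    base = normalise(password)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and (t in lowered or t in base):
            problems.append(f"contains personal information ({term!r})")
    if is_sequential(password):
        problems.append("repeated or sequential characters")
    return problems


def generate_passphrase(words: int = 4, separator: str = "-") -> str:
    """Build a random passphrase using the secrets module (a CSPRNG), never
    the random module, so the words cannot be predicted."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "P@ssw0rd2024!!",
                      generate_passphrase()]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note that the normalisation step is what catches the “obvious variations” the article mentions: “Password1!” and “P@ssw0rd2024!!” both reduce to “password” and are rejected even though they contain mixed case, digits and symbols. Length and unpredictability, not symbol count, are what the check rewards, which is why the generated passphrase passes.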
As cyber guidance has evolved, some traditional password rules are no longer considered best practice. Forcing employees to change passwords every 60 to 90 days can encourage weaker, predictable variations. Similarly, rigid complexity rules can lead to formulaic passwords that are easier for attackers to anticipate.
Instead, businesses should focus on strong, unique credentials, changing passwords when there is a suspected compromise, and layering security through measures such as MFA rather than relying on weak backup methods such as security questions.
For more detailed guidance on strengthening passwords, visit: https://rradar.com/what-makes-a-password-strong/
