top of page

How random is your password?

On the first Thursday of every May we celebrate World Password Day which is an opportunity to encourage everyone to improve their password security.

We all rely on passwords to protect our online identities, our finances, social media accounts, email communications and software used in our working lives, from criminals hoping to breach our systems.

Last week the Cyber Security Breaches Survey for 2023 was published. This is research conducted to inform government policy on cyber security and help make the UK cyberspace a secure place to do business. It found that 31% of micro businesses have been subject to an attack or breach, rising to 69% for large businesses. So, this is a very real threat to organisations of all sizes, and that’s why it’s important to consider how secure your password is.

Making your password long and complex is a great start. Why is this important? Every character you add makes it much more difficult to crack.

According to research for a ‘Scientific American’ article a few years ago, a 12-character password takes 62 trillion times longer to crack than a six-character password. This means that if a computer was able to crack a six-character password in one second, it would take more than two million years to crack a 12-character password.

The National Cyber Security Centre recommends using three random words as a password. Why three random words? Well, if you use this approach, it means that your password will generally be longer than a password made from one word; and it’s also easier to enter than a password made up of random characters.

We have previously referred to the Hive Systems chart (below), and it is a really useful tool to test your password strength. I regularly use this when delivering presentations and workshops, and the feedback is that it really brings it home as to whether a password is strong.

How many of us have reused the same password for multiple accounts? A Google study suggested that almost two thirds of us use the same password across multiple accounts as well as using the same password for both work and personal accounts. The danger is that once the criminal works out your password, they have access to multiple accounts.

Implementing a strong password is just the first stage though. By adding the additional protection of Two Factor Authentication (2FA), sometimes called Multi Factor Authentication (MFA), you are significantly reducing the risk of your account being compromised. Accounts set up to use 2FA need a second factor to gain access. This could be a code that's sent to you by text message, or a code generated by an Authenticator app.

For more information on how to do this, The National Cyber Security Centre has provided guidance on how to implement 2FA on email and social media accounts: Turn on 2-step verification (2SV) - NCSC.GOV.UK.

If you’re not already part of the WCRC membership community, join for FREE today! We provide national guidance, resources, regular cyber updates and member-only content to support small businesses, charities and other third sector organisations to become more aware and better protected against online risks.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for Wales is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for Wales provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for Wales does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for Wales is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page