You’d think that in 2025 organisations would be most at risk from AI-driven threats and sophisticated phishing campaigns, and that focus makes it easy to overlook the basics. Yet weak passwords and poor password policies remain among the most persistent and preventable cybersecurity risks facing organisations today.
Recent breaches have exposed just how vulnerable businesses are when password hygiene is neglected. The OWASP Foundation continues to report that common passwords like “123456” and “password” are still widely used, even in high-profile hacks. A recent breach revealed 184 million compromised logins from companies including Apple and Google, with infostealer malware playing a key role in harvesting credentials.
UK retailers such as Marks & Spencer, Co-op, and Harrods have suffered attacks where social engineering and weak password reset procedures allowed threat actors to bypass authentication and access sensitive customer data. Many of the stolen credentials had been reused across platforms, amplifying the damage.
The risks don’t stop there. Weak password policies allow users to reuse previously compromised credentials, increasing the likelihood of unauthorised access. According to ID Agent, organisations with reused passwords are 2.56 times more likely to suffer a cyber incident. Surfshark reports that over 3.2 million British accounts were compromised in the first half of 2025 alone.
To combat these threats, organisations must enforce strong password requirements, implement multi-factor authentication, and regularly monitor for compromised credentials. Password managers, staff training, and continuous policy reviews are also essential steps in building a resilient security posture.
Ultimately, effective password management isn’t just a technical necessity; it’s a frontline defence against today’s most common and costly cyber threats. By prioritising password security, organisations can significantly reduce their exposure and protect both their data and reputation.