Some things should be hard to crack. Passwords. Not Easter eggs 🐇🐣

Easter is for hidden treats, not weak passwords.

While Easter eggs are meant to be found, your company passwords should be much harder to crack. Weak, reused or shared passwords can give cyber criminals a simple route into email accounts, cloud systems, finance platforms, CRMs, documents & customer data.

The good news is that stronger passwords do not need to be complicated.

Why passwords still matter in 2026

Passwords are still a major part of business security.

The UK Government’s Cyber Security Breaches Survey 2025/2026 found that 43% of UK businesses reported a cyber security breach or attack in the last 12 months. It also found that 74% of businesses have a password policy, but only 47% use two-factor authentication across networks or applications.

That shows a clear gap. Many businesses have rules written down, but not enough have the right protection in place.

A good password policy should be backed by practical guidance, password managers, multi-factor authentication, secure sharing & regular account reviews.

Why “complex” passwords are not always better

For years, people were told to use capital letters, numbers, symbols & substitutions.

That often led to passwords like:

P@ssw0rd123!

The problem is that attackers know these patterns. Swapping letters for numbers or adding an exclamation mark does not make a weak password strong.

That is why the National Cyber Security Centre recommends using three random words. They are easier to remember, longer than many traditional passwords & harder to guess when chosen properly.
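The check below is an added example, not part of the original article. It shows how a password-policy filter can see through the substitutions described above; the word list and substitution table are small constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample of common base words. A real filter would load a
# much larger list of common and breached passwords.
COMMON_BASES = {"password", "welcome", "letmein", "summer", "easter"}

# Typical character swaps, mapped back to the letters they stand for.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t"}
)


def base_word(password):
    """Return the word left after removing the usual decoration.

    Step 1: drop trailing digits and symbols (e.g. "123!" or "2026").
    Step 2: undo common substitutions and lowercase the result.
    """
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(SUBSTITUTIONS).lower()


def is_predictable(password, bases=COMMON_BASES):
    """True if the password is a common word with substitutions or a suffix."""
    return base_word(password) in bases


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "Welcome2026", "lamp-river-cactus"]:
        verdict = "reject" if is_predictable(candidate) else "accept"
        print(f"{candidate!r}: base={base_word(candidate)!r} -> {verdict}")
```
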

How to create a strong three-word password

A good three-word password should be random, unique & long enough to resist guessing.

Good examples:

  • lamp-river-cactus
  • window-toast-marble
  • planet-coffee-bucket

Bad examples:

  • easter-egg-chocolate
  • company-name-2026
  • football-team-score
  • child-name-birthday

The words should not be linked to your company, family, pets, hobbies, football team, location or anything someone could learn from social media.

You can use separators such as hyphens, dots or underscores if the system allows them. The main strength comes from the length & randomness.
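The generator below is an added example, not part of the original article. It picks three words with the operating system's secure random source, skips any words tied to the user or company, and reports how many guesses the result resists; the 16-word list is a constructed sample, and the function names and the `avoid` parameter are hypothetical.

```python
import math
import secrets

# Constructed sample list for illustration only. In practice use a list of
# several thousand words so the result is hard to guess.
SAMPLE_WORDS = [
    "lamp", "river", "cactus", "window", "toast", "marble", "planet", "coffee",
    "bucket", "anchor", "velvet", "harbour", "pencil", "thunder", "walnut", "saddle",
]


def generate_passphrase(words, count=3, separator="-", avoid=()):
    """Join `count` distinct words chosen with the OS secure random source.

    Words listed in `avoid` (company name, pet, team and so on) are removed
    from the pool before anything is chosen.
    """
    avoid_set = {w.lower() for w in avoid}
    pool = sorted({w.lower() for w in words} - avoid_set)
    if len(pool) < count:
        raise ValueError("word pool too small after removing avoided words")
    chosen = []
    while len(chosen) < count:
        word = secrets.choice(pool)  # secrets, not random: unpredictable choice
        if word not in chosen:
            chosen.append(word)
    return separator.join(chosen)


def entropy_bits(pool_size, count=3):
    """Bits of entropy for `count` distinct words drawn in order from the pool."""
    return math.log2(math.perm(pool_size, count))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, avoid=["coffee"]))
    print(f"16-word sample list:  {entropy_bits(16):.1f} bits")
    print(f"7,776-word list:      {entropy_bits(7776):.1f} bits")
```

The length of the word list matters more than the separator: the sample list gives under 12 bits, while a 7,776-word list gives nearly 39 bits for the same three words.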

Do not reuse passwords

A strong password becomes weak if it is reused.

If one account is breached, criminals can try the same password against email, Microsoft 365, banking, finance tools, social media & supplier portals.

Every important account should have its own unique password. For business users, your email password should never be reused anywhere else.

Use a password manager

A password manager helps staff create, store & use strong unique passwords without needing to remember them all.

It also reduces risky habits such as:

  • Saving passwords in spreadsheets
  • Sharing passwords over email or Teams
  • Reusing the same password
  • Writing passwords on notes
  • Making small changes to the same password

For businesses, a password manager gives better control, visibility & security.

Turn on multi-factor authentication

A strong password should not be the only defence.

Multi-factor authentication adds another check when someone signs in. This could be an app prompt, security key, biometric check or passkey.

MFA should be enabled wherever possible, especially for:

  • Email
  • Microsoft 365
  • Google Workspace
  • Remote access
  • Cloud storage
  • Finance systems
  • CRM platforms
  • Admin accounts

Use passkeys where available

In 2026, passkeys are becoming more common & are recommended by the NCSC where supported.

Passkeys are harder to phish because there is no traditional password to type into a fake login page. They are not available everywhere yet, but businesses should start using them where possible.

A sensible approach is:

  • Use passkeys where available
  • Use MFA where passkeys are not available
  • Use a password manager for unique passwords
  • Keep admin accounts separate
  • Review access regularly

A quick password checklist for businesses

Ask yourself:

  • Do staff use unique passwords for work accounts?
  • Is MFA enabled for email & cloud systems?
  • Are shared passwords stored securely?
  • Are admin accounts protected separately?
  • Are old employee accounts disabled quickly?
  • Are passwords ever shared by email or chat?
  • Do staff know how to create a strong three-word password?

If the answer to any of these is “not sure”, it is worth reviewing your setup.

Need help managing company passwords?

Good password security should make life easier for staff & harder for criminals.

LVL1 helps businesses put practical password security in place, including password managers, Microsoft 365 security, multi-factor authentication, passkey readiness, onboarding, offboarding, admin account protection & Cyber Essentials preparation.

If your business needs help managing passwords & access securely, speak to us.
