Despite numerous public awareness initiatives, high-profile breaches, and regulatory scrutiny, weak and easily guessable passwords like “admin” and “123456” continue to be a significant issue for UK businesses. This situation highlights a deeper, systemic problem within the country’s cybersecurity framework.
This challenge stems not from a lack of awareness or education, but rather from deficiencies in credential management, cultural reinforcement, and policy enforcement at the organizational level.
In early December, the National Cyber Security Centre (NCSC) released updated guidance on credential management. This guidance emphasizes a greater reliance on technical defenses and organizational processes, with passwords being just one aspect of a broader access control and identity management strategy.
This marks a shift away from user-centric security models, placing the responsibility on organizations to secure user credentials and the systems they depend on.
The UK government’s recommendations include reducing reliance on passwords, assisting users in managing password overload, and overseeing shared access. The pressing question for British security leaders is not whether this guidance is valid, but how to implement it effectively within their organizations.
Why the Guidance is Important and Necessary
The NCSC’s latest guidance is a crucial advancement as it reframes password management from being a user burden to a security control that should be automated, centralized, and inherently protected.
Recent studies indicate that nearly 20% of organizations still lack formal credential controls, relying instead on shared spreadsheets, hard-coded passwords, or no management system at all. Given this context, it’s no surprise that weak passwords are prevalent in both consumer and enterprise environments.
The Password Overload Problem
Password overload is a symptom of our digital age. Research suggests that the average individual manages around 250 accounts, with 168 passwords for personal accounts and 87 for business accounts.
The NCSC warns that the necessity to create such a vast number of passwords can lead to ‘password overload,’ prompting users to develop coping strategies such as reusing passwords, writing them down, or choosing predictable passwords.
Some users may turn to browser-based password managers as a solution. However, these tools were not designed to meet enterprise-level access controls or governance needs: credentials end up in personal browser sync accounts outside administrative visibility, policy is enforced inconsistently across devices, and the organization becomes tied to a single browser vendor.
For individuals, reputable third-party password managers offer a straightforward safeguard, promoting strong, unique credentials while alleviating memory reliance. At the organizational level, however, password management must be governed and enforced as part of a comprehensive identity strategy.
This approach addresses the government’s concerns regarding ‘password overload’ and ultimately enhances organizational security with minimal cost or disruption.
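The predictable-password coping strategy above is exactly what a server-side deny-list check catches before a weak credential is ever accepted, which is the "technical control rather than user burden" the guidance favours. The following is an added illustration, not code from the NCSC or from the article: it applies a minimum length, a small constructed sample of commonly used passwords (a real deployment would load a large breached-password list), context words such as the username or organization name, and a check for keyboard runs, after undoing the substitutions attackers try first ("P@ssw0rd1!" is compared as "password").

```python
import re
import unicodedata

MIN_LENGTH = 8  # NCSC favours a minimum length over composition rules

# Constructed sample deny list for this example only; production use
# would load a large corpus of breached passwords instead.
DENY_LIST = frozenset({
    "123456", "12345678", "123456789", "password", "password1", "admin",
    "qwerty", "letmein", "welcome", "abc123", "iloveyou", "111111", "monkey",
})

# Substitutions every cracking rule set already tries, so they add no strength.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789")

_TRAILING = re.compile(r"[\d\W_]+$")


def candidate_forms(password: str) -> set[str]:
    """Variants an attacker's mangling rules would also produce: lower-cased,
    accent-stripped, substitutions undone, trailing digits/punctuation
    removed ("Password123!" -> "password")."""
    s = unicodedata.normalize("NFKD", password)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    base = {s, _TRAILING.sub("", s)}
    forms = base | {f.translate(LEET) for f in base}
    forms |= {_TRAILING.sub("", f) for f in forms}
    return {f for f in forms if f}


def _is_pattern(s: str) -> bool:
    """True for a single repeated character or a run along a keyboard row."""
    if len(set(s)) == 1:
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(password: str, context_words=()) -> tuple[bool, str]:
    """Return (accepted, reason). context_words are strings such as the
    username or organization name that must not appear in the password."""
    forms = candidate_forms(password)
    if forms & DENY_LIST:
        return False, "matches a commonly used password"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Split context strings into tokens so "Acme Ltd" contributes "acme".
    ctx = {t for w in context_words
           for t in re.findall(r"[a-z0-9]+", w.lower()) if len(t) >= 4}
    if any(w in f for w in ctx for f in forms):
        return False, "contains the username or organization name"
    if any(_is_pattern(f) for f in forms if len(f) >= 4):
        return False, "keyboard pattern or repeated character"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "Acme-Winter24", "qwertyuiop",
               "correct horse battery staple"):
        print(pw, check_password(pw, ["jsmith", "Acme Ltd"]))
```

The deny-list comparison is done on whole normalised forms rather than substrings so that a long passphrase containing a common word is not rejected; only the context-word check is a substring match, because "Acme-Winter24" is the kind of guess an attacker who knows the target makes first.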
Reducing Reliance on Passwords
While passwords are unlikely to vanish overnight, their role as the sole factor in authentication is shrinking, precisely because attackers exploit them so successfully.
The challenges surrounding passwords remain unchanged, but the methods of credential compromise and exploitation are evolving. Techniques such as AI-driven cracking, credential stuffing, and phishing are lowering the barriers to compromise, while inconsistent organizational practices continue to create vulnerabilities.
The emergence of passkeys and passwordless authentication signifies a shift towards stronger, built-in controls that reduce dependence on human behavior, especially as credentials remain a primary target for attackers. Because a passkey (FIDO2/WebAuthn) is a public-key credential bound to the site that registered it, there is no shared secret for a phishing page to capture or for a credential-stuffing list to replay.
Managed Shared Access
For UK organizations, managing shared access through Privileged Access Management (PAM) is essential for mitigating risks in increasingly complex IT environments. For boards and executive teams, unmanaged privileged access poses both security threats and governance failures.
This risk is heightened in the UK by regulatory expectations regarding accountability, auditability, and operational resilience. Shared and privileged accounts are prime targets for attackers, particularly when credentials are reused, poorly monitored, or manually managed across teams.
PAM addresses these issues by enforcing least-privilege access, securely storing and rotating shared credentials, and providing clear visibility and auditability regarding who accessed what, when, and why.
In the event of a breach, PAM solutions can significantly limit lateral movement by restricting unnecessary privileges and isolating high-risk accounts, enabling organizations to contain incidents more swiftly.
Beyond security, PAM also offers tangible operational advantages, including fewer credential-related incidents, enhanced protection of sensitive data, and a reduced IT helpdesk burden, making it a foundational control for UK organizations facing regulatory pressures and an evolving threat landscape.
Identity as a New Perimeter
Organizations must prioritize treating identity as the new perimeter and implement comprehensive credential lifecycle management.
This involves securing every phase of a user’s digital identity, from onboarding and access provisioning to ongoing authentication, privilege adjustments, and timely deprovisioning when roles change or employees depart.
By managing credentials holistically rather than in silos, organizations can minimize attack surfaces, limit lateral movement, and ensure that access remains aligned with actual business needs.
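The joiner, mover and leaver stages described above reduce to a reconciliation between the HR system of record and the directory: an enabled account with no HR owner, an owner whose end date has passed, an account nobody has used for months, or a privileged group membership left over from a previous role. The following is an added example, not the article's or any vendor's code; the roster, the directory export and the mapping of which departments may hold which privileged groups are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90
PRIVILEGED_GROUPS = {"Domain Admins", "DB Admins"}
# Assumed policy for this example: which departments may hold which groups.
ALLOWED_PRIVILEGE = {
    "IT Operations": {"Domain Admins", "DB Admins"},
    "Data Platform": {"DB Admins"},
}


@dataclass
class HrRecord:
    user_id: str
    department: str
    end_date: date | None = None  # set once the person has left


@dataclass
class Account:
    user_id: str
    groups: set[str]
    last_logon: date | None
    enabled: bool = True


def review_accounts(hr: list[HrRecord], accounts: list[Account],
                    today: date) -> list[tuple[str, str]]:
    """Return (user_id, finding) pairs for accounts that no longer match
    an active business need. Disabled accounts are already out of scope."""
    hr_by_id = {r.user_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            held = ", ".join(sorted(acct.groups & PRIVILEGED_GROUPS)) or "none"
            findings.append((acct.user_id,
                             f"orphan: no HR record (privileged groups: {held})"))
            continue
        if rec.end_date is not None and rec.end_date <= today:
            findings.append((acct.user_id, "leaver: still enabled after end date"))
            continue
        if acct.last_logon is None or (today - acct.last_logon).days > DORMANT_DAYS:
            findings.append((acct.user_id, f"dormant: no logon in {DORMANT_DAYS} days"))
        excess = (acct.groups & PRIVILEGED_GROUPS) - ALLOWED_PRIVILEGE.get(rec.department, set())
        for group in sorted(excess):
            findings.append((acct.user_id, f"mover: holds {group} outside {rec.department}"))
    return findings


# Constructed sample data: an HR roster and a directory export.
TODAY = date(2025, 1, 15)
SAMPLE_HR = [
    HrRecord("alice", "IT Operations"),
    HrRecord("bob", "Finance"),                      # moved here from IT
    HrRecord("carol", "Marketing", end_date=date(2024, 12, 31)),
    HrRecord("dave", "Data Platform"),
    HrRecord("erin", "Sales"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"Domain Admins"}, date(2025, 1, 14)),
    Account("bob", {"Domain Admins"}, date(2025, 1, 10)),
    Account("carol", set(), date(2024, 12, 30)),
    Account("dave", {"DB Admins"}, date(2024, 9, 1)),
    Account("svc_backup", {"Domain Admins"}, date(2025, 1, 12)),
    Account("erin", set(), None, enabled=False),
]

if __name__ == "__main__":
    for user, finding in review_accounts(SAMPLE_HR, SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:12} {finding}")
```

Each finding maps to a concrete action (disable, remove group, assign an owner) rather than a policy statement, which is what makes the lifecycle enforceable rather than aspirational.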
In a landscape where users, devices, and applications operate beyond traditional network boundaries, robust identity governance becomes the cornerstone of effective security.
Weak passwords are not an inevitability; they result from insufficient controls, inconsistent policy enforcement, and outdated behaviors.
With effective password management, strong oversight of privileged access, and a zero-trust mindset, organizations can significantly reduce their vulnerabilities and, in doing so, mitigate one of the most exploited attack vectors facing UK businesses today.
This article was produced as part of our publication's Expert Insights channel, showcasing the best and brightest minds in the technology industry today. The views expressed here are those of the author and do not necessarily reflect those of our publication. If you are interested in contributing, find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
