Select Page

Brits with weak and compromised passwords putting businesses at serious risk

Canary Wharf, London, 21st November 2019 – Millions of Britons and hundreds of thousands of UK businesses are using cracked or weak passwords for online accounts, according to new research from the cyber security and data analytics company, CybSafe. 

CybSafe conducted a blind-analysis of the passwords used by over 21,000 staff at a sample group of 250 UK companies for the prevalence of ‘exposed passwords’ – that is, passwords which have been previously compromised in data breaches. Comparing passwords from these accounts with data from – the data breach tracking website run by security researcher, Troy Hunt – the CybSafe investigation found that 47 per cent of UK businesses were employing staff with exposed passwords.

“The issue of exposed passwords is often not well understood by the general public,” explains Oz Alashe, CEO of CybSafe. “There’s a fairly common assumption that so long as you’re not using a short combination, like ‘123’, and/or an obvious combination, like the name of your child or a favourite football team, that you’re therefore safe.

“But complicated doesn’t always equal safe. Many don’t realise that their passwords have been compromised in old data breaches, and examples of exposed passwords aren’t always obvious. The password ‘ji32k7au4a83’, for example, may look like a safe and random combination of numbers and letters, but as analysis shows, this password has appeared in over 140 data breaches.”

The CybSafe team also examined the prevalence of ‘weak passwords’, which they classified as any passwords with an entropy below 60 bits, and found that 71 per cent of companies were employing staff with weak passwords. Collectively, CybSafe’s data indicates that 74 per cent of UK businesses are employing staff who are using vulnerable password combinations – either weak passwords, exposed passwords, or both.

“The prevalence of both weak passwords and exposed passwords pose an extraordinary threat to UK businesses through credential stuffing and brute force attacks,” adds Alashe. “The phenomenon of exposed passwords, in particular, is not a well-understood issue.

“Using strong, varied passphrases across different accounts is the most effective thing people can do to protect themselves and their company from experiencing a successful cyber attack. Leaders need to be thinking about the role that security training and awareness programmes can play in encouraging their people to adopt these best practices.”

Following the study, participants were informed if their passwords were found to be weak or exposed. Exactly two thirds of these decided to change their passwords.


About CybSafe

CybSafe is a British cyber security and data analytics company. CybSafe’s artificially intelligent software platform leverages science, data and cognitive computing technology to provide the world’s first truly intelligent awareness, behaviour and culture solution.

This is the end of tick-box awareness training.

CybSafe is headquartered at Level39, the prestigious technology community, based in Canary Wharf, London. 


Press contact

Seb Goodman




Unique users in passphrase DB 21,676

Users with a pwned OR weak pw 6,821 31.46798302%

Users with weak PW 5,789 26.706957%

Users with a pwned PW 2,069 9.545119026%

Unique Clients measured 253

Clients with a pwned or weak PW 187 73.91304348%

Clients with weak pw 180 71.14624506%

Clients with a pwned PW 119 47.03557312%


Password entropy definition: a measurement of how unpredictable the password is and we measure its strength at CybSafe as very weak (< 28 bits) , weak (28-35 bits) , reasonable (36-59 bits) or strong (> 60 bits).

For the purpose of the statistics we sent you, we considered low entropy passwords anything below the “strong” mark, so anything with an entropy < 60.


Business size:

Micro 27

Small 92

Medium 81

Large ent 54