
In the wake of recent high-profile cyber attacks targeting major UK retailers including M&S, the Co-op, and Harrods, World Password Day served as a timely reminder of the importance of protecting our digital lives.
Strong password practices remain the first line of defence against unauthorised access, but the traditional password, once the cornerstone of online security, is no longer sufficient on its own.
Password reuse, weak credentials, and phishing remain among the most common causes of breaches.
Attackers know this and continue to exploit it.
Going ‘passwordless’
Increasingly, businesses and individuals are exploring passwordless authentication, a model that replaces passwords entirely with more secure and user-friendly alternatives.
This includes device-based authentication, security keys, or mobile apps that use public key cryptography.
The benefits are stronger protection against phishing and credential theft, reduced IT burden (fewer password reset requests), and a better user experience.
Multi-factor authentication: A must-have
Whether or not you’re ready to go passwordless, Multi-Factor Authentication (MFA) should already be part of your defence.
MFA adds a critical extra layer by requiring at least two factors from different categories: something you have (such as a phone), something you are (a fingerprint), and something you know (like a PIN).
PINs and biometrics
There’s often confusion between PINs and passwords.
While both are knowledge-based, PINs can offer enhanced security when used locally, such as unlocking a device protected by a Trusted Platform Module (TPM). They never leave the device and are resistant to many common attacks.
Biometrics, like fingerprint or facial recognition, offer even greater convenience. However, they must be implemented carefully, especially in high-risk environments, to safeguard against spoofing and ensure user privacy.
Password managers
Password managers create and store strong, unique passwords. They offer centralised, encrypted vaults, and can simplify secure access across accounts.
Even the built-in managers in Google Chrome and Apple Keychain are a useful step in the right direction, particularly for individual users and small businesses.
These are not without their risks, however: browser-based tools, while convenient, may be more susceptible to compromise if the device is infected or poorly secured.
No password manager is breach-proof. The key is to choose one that encrypts data locally, use a strong master password, enable MFA, and apply regular software updates.
Take action
To protect your business and personal data:
- Enable MFA on every service that offers it—especially email, banking, and cloud accounts.
- Consider passwordless solutions, particularly for internal systems and employees.
- Always pair biometrics with a secondary factor.
- Implement ongoing, practical user training to ensure security best practices are applied consistently across your organisation.
The recent cyber attacks highlight that no organisation is immune to security threats.
Cyber security is never one-size-fits-all, but the direction is clear: fewer passwords, more layers of protection, and smarter authentication.