Case study: Increasing password security



Find out what happened when we spoke to Paul C, a network engineer in a small business based in Peterborough which provides online resources for business customers, about keeping his customers’ data safe and how you can do the same.

Tell us about your recent experience with your systems and user passwords?

We discovered an update we made to our customer portal four years ago, including hashing and salting all the passwords, inadvertently copied across numerous insecure passwords. Since these were passwords often generated before our password requirements were updated (dating back years), simple passwords existed that we weren't aware of.


We cannot now see these passwords, so the only way to find them was by brute-forcing them using a publicly available "common password list". We audit all customer login attempts, valid and invalid. Our reporting shows that we've not suffered a brute-force attack against our systems.

How did you check the passwords?

We developed code we could run in-house to bypass the website validation page and generate a hash for each of the 1 million top passwords. It was a simple process to compare each hash against the hash stored for the user. Because we know how to apply the salt, this enabled us to check the passwords quickly. Because we don't need to match usernames and passwords, we have the advantage over a hacker. The process took about two hours to run against our 2,000 users on a desktop PC.



Can you give some examples of the passwords issue that you found?

Here are a few of the ones we discovered that stood out:

  • formula1

  • Apple123

  • Hawaii50

  • Arsenal1

What have you done to mitigate the bad practice?

As part of the review, we immediately increased the complexity requirements when changing passwords and changing the initial one-time-use password. Once the possibility of vulnerable passwords was discovered, we also increased our intruder detection response by locking out the user for a while after three incorrect password attempts.


We are alerted immediately if this happens, so we can check to ensure an attack isn't underway across multiple users. All users discovered to have passwords that can be brute forced have had their passwords reset, so they will require changing at the next login. As many of the users log in very infrequently, this should prove minimally disruptive. Although 2-factor authentication is available to customers, it is still an optional requirement for them to implement it for their login.

What advice would you give to other SMEs?

Check your users' passwords against the "common password lists" available online (if you can compare hashes). Even if you think that your systems are secure from this kind of brute-force attack, it would be worth knowing whether software updates carried out across the years (potentially many years) have left vulnerabilities you think won't be there. It may simply highlight some lower complexity passwords that could save you or your customers their data or reveal a potentially catastrophic flaw waiting to be exploited.


Remember, if your password is not on the list then cyber criminals are less likely to be getting in. If you need assistance with auditing your systems, please get in touch to find the right solution for your business today.






The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.