How does "Password1" affect a leisure or tourism business?

Leisure and tourism might not seem the most likely target for cybercriminals, but given the scattergun approach many cybercriminals use, it is not surprising that this sector can find itself at the mercy of this new crime type. And the sector has plenty that a cybercriminal wants, namely data: customers' personal data and payment data as well.


But what does this have to do with “Password1”?

The quickest way to get into a system isn’t to “hack” in, it is to log in, using the username and password of someone who already has access. According to Verizon, 80% of hacking-related breaches are linked to passwords, making them a key target.


Most people have a company email address, something like jo.bloggs@mycompany.co.uk, and this is frequently used as the username as well. So, with a little research, most people could figure out someone’s username.


Passwords are a little harder to guess, but research has shown that we are creatures of habit and there are a few things we all seem to do:

  • when we are asked to add a number to a password, most of us will add it to the end

"Rocks1"

  • over half of users have their name or date of birth in their password, or use other easily discoverable information such as a pet’s, partner’s or child’s name

"Fluffy"

  • for work passwords we tend to use the company name somewhere

"MyCompany1"

  • we tend to reuse passwords on multiple sites/systems, with employees reusing the same password an average of 13 times according to LastPass

Criminals can create lists of these common passwords and then try the username/password combinations to gain access to your systems. But they don’t just create these lists themselves; they harvest previously known passwords from other criminals’ data breaches, which is why the last statistic is particularly important. If a password ends up as part of a data breach, then you must assume that everyone knows it, meaning you can’t use it anymore.
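As an added illustration (not code from the article or the ECRC), the following Python turns the habits listed above into a simple policy check that a business could run when staff choose a new password. The company name and any personal words (pet, partner, year of birth) are assumed inputs supplied by whoever runs the check; the 12-character minimum is an assumed policy threshold, not a figure from the article.

```python
import re

TRAILING_DIGITS = re.compile(r"\d+$")


def weak_password_reasons(password, company="MyCompany", personal_words=()):
    """Return the reasons `password` matches the habits described above.

    An empty list means none of the checks fired.  `company` and
    `personal_words` are assumed inputs for this example (e.g. "MyCompany",
    ("Fluffy", "1985")).
    """
    lower = password.lower()
    reasons = []

    # Habit 1: a number bolted onto the end of an otherwise plain word
    # ("Rocks1").  Strip the trailing digits and see what is left.
    stem = TRAILING_DIGITS.sub("", password)
    if stem != password and stem.isalpha():
        reasons.append("number appended to a plain word")

    # Habit 3: the company name appears somewhere ("MyCompany1").
    if company and company.lower() in lower:
        reasons.append("contains the company name")

    # Habit 2: easily discoverable personal information ("Fluffy").
    for word in personal_words:
        if word and word.lower() in lower:
            reasons.append(f"contains personal information ({word})")

    # Assumed policy threshold; the article only asks for strong, unique
    # passwords and does not give a length.
    if len(password) < 12:
        reasons.append("shorter than 12 characters")

    return reasons


if __name__ == "__main__":
    for candidate in ("Rocks1", "MyCompany1", "Fluffy2020", "correct-horse-battery-staple"):
        print(candidate, "->", weak_password_reasons(candidate, personal_words=("Fluffy",)))
```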

Example of lists of email addresses and password combinations

What can you do?

  • See which of your and your staff’s passwords are already known. Why not run a poll to see who has the most/least breaches? Haveibeenpwned.com is a website where you can enter your email address or telephone number and see if your information has been captured in a data breach. As a business owner you can also register your domain and get notified when your domain pops up in another breach.

  • Have a clear password policy for staff and tell them why having strong, unique passwords is essential. If you need some help with this, our affordable student services offer security awareness training. Why don’t you make a booking to discuss further?

  • Enable two-factor authentication (2FA) wherever you can, but especially on your email and social media accounts. Even with the best passwords, once someone knows that password the system is not secure. With 2FA, even if the password and username are known, the criminal won’t have access to the second verification factor, so they shouldn’t be able to just “log in”.

  • If your staff have a lot of passwords to remember, consider getting an enterprise password manager so they only have to remember one and the password manager generates and remembers the rest – goodbye reused passwords.

Collage of the most popular password managers: LastPass, 1Password, Dashlane, Keeper, RoboForm, OneLogin

  • Join the ECRC with free membership. Core members receive regular updates which include the latest guidance, news, and security updates as well as a series of "little steps" emails designed to get your business cyber resilient.
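The first action above (finding out which passwords are already known) can also be done for individual passwords without ever sending the password anywhere. Have I Been Pwned’s Pwned Passwords service accepts only the first five hex characters of a password’s SHA-1 hash and returns every breached hash suffix sharing that prefix as `SUFFIX:COUNT` lines, so the match is made locally. The Python below, added here as an example and not code from the article or from Have I Been Pwned, implements that client-side logic against a constructed, in-memory stand-in for the range endpoint (with invented breach counts) so it runs offline; in real use `fetch_range` would be an HTTPS GET to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib

# Constructed mini-corpus standing in for the Pwned Passwords dataset.
# The breach counts are invented for this example.
FAKE_BREACH_CORPUS = {"Password1": 2_000_000, "Rocks1": 40, "MyCompany1": 7}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the format Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """k-anonymity split: 5-char prefix leaves the client, 35-char suffix stays."""
    return digest[:5], digest[5:]


def fake_range_endpoint(prefix: str) -> str:
    """Offline stand-in for GET /range/{prefix}.

    Returns one "SUFFIX:COUNT" line (CRLF-separated, as the real service
    does) for every corpus hash whose SHA-1 starts with `prefix`.
    """
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        p, s = split_hash(sha1_upper(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """Return how often `password` appears in the corpus, or 0 if never.

    Only the prefix is passed to `fetch_range`; the suffix comparison is
    done here, so the full hash never leaves the caller.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix.strip().upper() == suffix:
            return int(count.strip())
    return 0


if __name__ == "__main__":
    for candidate in ("Password1", "Rocks1", "correct-horse-battery-staple"):
        print(candidate, "seen", pwned_count(candidate), "times")
```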

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing the cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We provide free guidance on our website and we would always encourage you to sign up for our free core membership. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Policing led – business focussed.



