top of page

Why should HR worry about the passwords they are using?

In the new world of flexible working, the HR sector has new opportunities and challenges, with changes to technology just one of a number. However, it hasn’t been just HR adapting to the new world. Cyber criminals have increasingly looked for new ways to exploit victims.

A study from OGL Computers found that HR and recruitment agencies were in the top tier when it came to suffering multiple data breaches, with circa 40% suffering 3-4 breaches!

HR and recruitment agencies are valuable targets for cyber criminals with all the sensitive personal details they hold and the numerous ways that an attacker can focus their attack such as payroll fraud, recruitment scams and corporate espionage to name a few.

So, what do passwords have to do with this?

Weak passwords are an open door to a criminal, but they are also one of the easiest controls to instigate. With weak passwords, criminals don’t need to “hack” in, they can log in and then have free reign within your systems.

What is a weak password?

A weak password is one that is:

List of credentials
  • reused / used on multiple accounts – this is a concern because if one of these accounts are compromised in a data breach then a criminal could use those details to try and gain access to all other accounts. Let’s face it, most of us our email as our username so all that’s missing is the password.

  • can be found on a password list – this is just a list of all known passwords, all the words in the dictionary, common football teams, songs, bands, and their derivatives. If you want to know what passwords might be found on a list have at look at Nordpass’s top 200 most common passwords. If you have a password on there, you need to change it as soon as you finish reading this blog.

  • easily guessed – if you work for bankAMZing then an easily guessed password might be bankAMZing1. Passwords shouldn’t be linkable to you, so do not use family members names or birthdays.

It is commonly known that if we are asked to add a number to our password, most of us will put it at the end, for example Pineapple1. And then if we must change it, we change it to Pineapple2. So, if I was seeking to break into your account and found your previous passwords were pineapple1, pineapple2, I might be quite confident that pineapple3 might be another one.

So, what should a strong password look like?

· Unique – so not reused, on a list or guessable

· Complex – a combination of letters, numbers, symbols and cases.

The NCSC recommends a strategy called Three Random Words.

So, think of something that has happened and take three words from that memory and combine them randomly. In our example from “the tree fell down, smashed the fence and the dog escaped” we get escaped, smashed, tree. If you don’t want to use a memory, use any three unconnected words.

Add some capital letters, so in this example I have capitalised each vowel, and add in some special characters and numbers.

And now you have a strong, unique password. But as this password is now publicly available it is now a weak password, and as people know about it, it could end up on a password list.

I have too many accounts to remember unique passwords!

Most people have between 60 and 100 online accounts! So, to remember that many unique passwords you could either

  • write your passwords down in a place that you keep secure – locked drawer/safe or

  • consider using a password manager. You remember one strong password to get into your manager, but your manager stores the rest for you so you don’t have to remember them, you just look it up, or the manager will autofill your details. You can find more about password managers in our short video.


Strong passwords can only provide so much protection for your accounts.

Passwords can be lost through a data breach or stolen in a phishing attack. To provide more security you really need to enable 2 Factor Authentication (2FA). This can also be known as 2 Step Authentication or Multi Factor Authentication (MFA). If you don’t know about 2FA watch our short video.

Google recently enforced 2FA and that one thing has cut unauthorised access to google email accounts by 50%.

Boxed text showing types of information asked for in MFA. Knowledge - something you know, possession, something you have, inherence, something you are.
Types of information MFA could ask for

Have you been subject to a data breach?

Go to Have I Been Pwned: Check if your email has been compromised in a data breach and enter your email or telephone number and see if you have had a compromised account. The information that might have been lost can be surprising but knowing about it means that you can take action to protect your accounts.

Companies can register their domains and be notified if their domain comes up in any future breaches. This means you might be able to act before a criminal does.

Screenshot from

If you have been breached, make sure that you change the password for the account that has been breached, and for anywhere else you have used that password.


  • Don’t use weak passwords

  • Strong passwords should be unique and complex

  • Enable 2FA on all important accounts (email, social media and anywhere your payment details are stored are a must)

  • Consider a password manager

  • Check your compromise at

  • Become a member of the ECRC and let us help you build the cyber resilience of your company. It's free and there is no sales pitch.

Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.

You can contact the Cyber Resilience Centre for guidance and support through our e-mail or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates.

Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Policing led – business focussed.


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page