Simple passwords are now outlawed in the UK

A new Act of Parliament means simple passwords are no longer acceptable on many domestic devices.

Monday, 27 May, 2024

It’s a sad indictment of our collective lack of imagination that the numerical sequence shown in the photo above could be used to log into millions of user accounts online.

According to 2023 research from NordPass, 123456 remains the world’s most commonly used password, with 12345 among the leading alternatives.

Other favourites include – you guessed it – “password”. Clearly, no cybercriminal would think to try this before reverting to a brute force login algorithm to hack user accounts.

National Cyber Security Centre research from a few years ago suggested “qwerty” was a password associated with almost four million breached online accounts.

And before you despair about consumer idiocy, remember that many of these compromised accounts involved default passwords set by ISPs, hardware manufacturers and software firms.

It’s been eight years since the Mirai malware attack saw hundreds of thousands of smart devices compromised due to weak passwords, including broadband routers supplied by some of the UK’s biggest ISPs.

After all, changing the default password on your WiFi router is something few consumers will ever do.

The UK Government has now been forced to legislate against the use of simple passwords, through the Product Security and Telecommunications Infrastructure Act 2022.

After giving manufacturers and software developers a couple of years’ grace, this new legislation finally came into force at the start of May.

Consequently, the era of simple passwords is behind us – at least from a corporate and commercial perspective.

Nanny knows best

Some people might dismiss the idea of state-mandated password management as nanny statism, but it’s necessary in an era of endlessly evolving cybercrime.

In essence, the PSTI Act implements long-agreed proposals about increasing resilience against cyberattacks, with tougher security standards for device makers and fines for non-compliance.

Default passwords like “12345” and “admin” are now banned, and new users must be prompted to change pre-existing passwords.

After all, your online accounts and hardware aren’t just vulnerable to phishing attacks and other types of computer malware.

Hackers in possession of email addresses (often sourced quite legally through data harvesting) will often guess common passwords to try and gain access to user accounts.

Once in, they can plunder personal data, look to access related accounts, make purchases or financial transactions, and even lock you out of your own account by changing the password.

While a combination of web browsers and antivirus packages might prevent (or warn of) potential incursions on desktop devices, there’s little protection for smart speakers or ISP routers.

Products imported directly from overseas may not adhere to this new legislation, but you’ll receive scant sympathy if a cut-price internet purchase’s weak password is subsequently exploited by criminals.

I’ll pass, thanks

If you’re concerned that your own password choices may not be particularly robust, our guide to managing online passwords is a must-read.

In summary, avoid using personally identifiable information like your child’s first name or your address, which someone with a passing knowledge of your affairs could guess.

Choose a password with ten or more characters, incorporating special symbols, memorable acronyms and suffix numbers which you can increase to change the password.

Even if a criminal somehow knew your old password was MFCR!verside8, they wouldn’t necessarily be minded to try entering MFCR!verside9.

Incrementally changing suffix numbers is an easy way to update passwords without forgetting them, though if your memory is poor, password manager software is worth investigating.

Neil Cumins author picture


Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!