Are you one of the millions of people still using “123456” as their password? According to the password management company NordPass, this password has been used more than 4.5m times, and it takes less than 20 seconds to crack. But in the UK, weak passwords will soon be a thing of the past, as the government has banned them.

Why weak passwords are so dangerous

People choose weak passwords because they’re easy to remember, and it’s more common than you might think. According to a recent Bitwarden survey, 39% of people say they use weak login credentials and 26% incorporate personal information. Not only that, but around one quarter use the same password across many sites, which means once it’s been cracked for one site, you’re left vulnerable across others. 

But what makes passwords easy to remember is also what makes them easy to hack. Earlier this year, Orange Spain’s networks went down after a malicious actor obtained a “ridiculously weak” password for an account that manages the global routing table and controls the networks that deliver the company’s internet traffic.

What is the UK doing about it?

To reduce the number of cyberattacks caused by weak passwords, the UK government has introduced a law as part of the Product Security and Telecommunications Infrastructure (PSTI) regime that will force people to choose more secure passwords. This makes it the first country in the world to do so.

But how will it work? Manufacturers of phones, televisions, smart doorbells and other such devices are now required to prompt users to change commonly used passwords. They also need to remind users to update any default passwords.
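As an added illustration of the device-side check this requirement implies (example code, not from the article or any manufacturer): a setup routine that rejects the shipped default credential and commonly used passwords such as “123456”, and reports whether a device is still running on its factory password. The sample device, the default list and the short common-password list are all constructed here.

```python
# Added example: a consumer-device password check in the spirit of the PSTI
# requirement. The sample device, its factory default and the common-password
# list below are constructed for illustration.
import re
from dataclasses import dataclass

# Constructed: a handful of entries of the kind that top "most used" lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "admin"}


@dataclass(frozen=True)
class Device:
    model: str            # name printed on the label
    serial: str           # frequently reused verbatim as the shipped credential
    factory_password: str


def _normalise(pw: str) -> str:
    # Case and surrounding whitespace must not let "Password " slip past the list.
    return pw.strip().lower()


def check_password(candidate: str, device: Device, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason): rejects factory defaults, common passwords and trivial variants."""
    pw = _normalise(candidate)
    # The credential must differ from anything printed on the box or shipped in firmware.
    shipped = {_normalise(device.factory_password), _normalise(device.serial), _normalise(device.model)}
    if pw in shipped:
        return False, "matches a factory default"
    # Strip trailing digits/punctuation so "Password1!" is still caught as "password".
    stem = re.sub(r"[\d\W_]+$", "", pw)
    if pw in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        return False, "commonly used password"
    if len(pw) < min_length:
        return False, "too short"
    return True, "ok"


def needs_default_reminder(current: str, device: Device) -> bool:
    """True while the device still runs on the credential it shipped with."""
    return _normalise(current) == _normalise(device.factory_password)
```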

The aim of this is to increase cybersecurity protection for consumers, which is becoming increasingly important as people are using more interconnected devices. According to the UK government, 57% of households own a smart TV, 53% own a voice assistant and 49% own a smartwatch or fitness wristband. 

In addition to cracking down on weak passwords, the law also requires manufacturers to publish contact details so that bugs and issues can be reported and dealt with. They also have to be transparent about the minimum period for which customers can expect to receive important security updates.

Given humans are often the weakest link in cybersecurity, could this be a way of reducing cybercrime?