Passwords are still a problem for UK businesses - what next?


Despite years of public awareness campaigns, repeated high-profile breaches and ongoing regulatory scrutiny, the use of weak, guessable passwords such as “admin” and “123456” persists in the UK. This problem is emblematic of a deeper, systemic issue in the country’s cybersecurity posture.

However, this is not a failure of awareness or education, but a failure of credential management, cultural reinforcement and policy enforcement at an organizational level.

Darren Guccione

CEO and Co-Founder of Keeper Security.

In early December, the National Cyber Security Centre (NCSC) published updated guidance on credential management. Specifically, the guidance “advocates a greater reliance on technical defenses and organizational processes, with passwords forming just one part of your wider access control and identity management approach.”

This represents a shift away from user-centric security models and puts the onus on organizations to secure user credentials and, ultimately, the systems the organization relies on to operate.

Among the suggestions outlined by the UK government are clear calls to reduce reliance on passwords, help users cope with password overload and manage shared access. The challenge for British security leaders is no longer whether this guidance is sound, but how to operationalize it effectively across their organizations.

Why the guidance is important and necessary

The NCSC’s latest guidance is an important step forward because it reframes password management not as a user burden, but as a security control that should be automated, centralized and protected by design.

Recent research shows that nearly one in five organizations still operate without formal credential controls, relying on shared spreadsheets, hard-coded passwords or no management system at all. Against this backdrop, it is unsurprising that weak passwords remain widespread across both consumer and enterprise environments.

The password overload problem

Password overload is a symptom of our digital society. Research suggests the average person has about 250 accounts, with 168 passwords across personal accounts and 87 passwords across business accounts.

There’s a risk, as the NCSC points out, that the requirement for the creation of such a vast quantity of passwords could result in ‘password overload’ and force end users to devise their own coping mechanisms, like password re-use, writing passwords down and predictable passwords.

Another coping mechanism that some users may rely on is using browser-based password managers.

While browser-based password managers offer convenience, they were never designed to support enterprise-grade access controls or governance requirements. They also introduce operational risk through limited visibility, inconsistent policy enforcement and vendor lock-in.

For individuals, reputable third-party password managers remain one of the simplest safeguards – supporting strong, unique credentials while reducing reliance on memory. At an organizational level, however, password management must be governed and enforced as part of a broader identity strategy.

This satisfies the government’s caution around ‘password overload’ and, ultimately, makes the entire organization safer, with minimal cost or disruption.

Reducing reliance on passwords

Passwords are unlikely to disappear overnight – but their role is steadily diminishing as attackers increasingly exploit them at scale.

The problems around passwords remain the same, but the way credentials are being compromised and exploited is rapidly changing. AI-accelerated cracking, credential stuffing and phishing continue to lower the barrier to compromise, while inconsistent organizational practices continue to provide easy entry points.

The rise of passkeys and passwordless authentication reflects the industry’s shift toward stronger, built-in controls that remove reliance on human behavior at a time when credentials remain the primary target for attackers.

Managed shared access

For UK organizations, managing shared access through Privileged Access Management (PAM) is critical to reducing risk in increasingly complex IT environments. For boards and executive teams, unmanaged privileged access represents both a security exposure and a governance failure.

In the UK, this risk is increasingly amplified by regulatory expectations around accountability, auditability and operational resilience. Shared and privileged accounts remain a prime target for attackers, particularly where credentials are reused, poorly monitored or manually managed across teams.

PAM helps address this by enforcing least-privilege access, securely storing and rotating shared credentials, and providing clear visibility and auditability over who accessed what, when and why.

In the event of a breach, PAM solutions can significantly limit lateral movement by restricting unnecessary privileges and isolating high-risk accounts, helping organizations contain incidents more quickly.

Beyond security, PAM also delivers tangible operational benefits, including reduced credential-related incidents, stronger protection of sensitive data and a lower IT helpdesk burden, making it a foundational control for UK organizations navigating regulatory pressure and an evolving threat landscape.
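As an added illustration, not code from the article or from Keeper Security, here is a minimal Python model of the PAM controls this section describes: role-restricted checkout of a shared credential that requires a stated reason, rotation on check-in so a disclosed value cannot be reused, and an audit trail of who accessed what, when and why. The account name, roles and ticket references are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SharedAccount:
    name: str
    secret: str
    allowed_roles: frozenset
    checked_out_by: str = ""  # empty means nobody holds it; at most one holder at a time

class PamVault:
    def __init__(self):
        self.accounts = {}
        self.audit = []  # one record per attempt: who, what, when, why, outcome

    def add_account(self, name, allowed_roles):
        # The vault generates the secret; no human ever chooses or memorises it.
        self.accounts[name] = SharedAccount(name, secrets.token_urlsafe(24), frozenset(allowed_roles))

    def _log(self, user, action, account, reason, outcome):
        self.audit.append({"who": user, "action": action, "what": account, "why": reason,
                           "when": datetime.now(timezone.utc).isoformat(), "outcome": outcome})

    def checkout(self, user, role, account, reason):
        """Least privilege: only an allowed role, with a stated reason, may take the secret."""
        acct = self.accounts[account]
        if role not in acct.allowed_roles:
            self._log(user, "checkout", account, reason, "denied: role")
            raise PermissionError(f"{role} may not use {account}")
        if not reason.strip():
            self._log(user, "checkout", account, reason, "denied: no reason")
            raise ValueError("a justification is required")
        if acct.checked_out_by:
            self._log(user, "checkout", account, reason, "denied: in use")
            raise RuntimeError(f"{account} is held by {acct.checked_out_by}")
        acct.checked_out_by = user
        self._log(user, "checkout", account, reason, "granted")
        return acct.secret

    def checkin(self, user, account):
        acct = self.accounts[account]
        if acct.checked_out_by != user:
            raise PermissionError(f"{user} does not hold {account}")
        acct.secret = secrets.token_urlsafe(24)  # rotate: the value the holder saw is now dead
        acct.checked_out_by = ""
        self._log(user, "checkin+rotate", account, "", "granted")

    def granted_accesses(self, account):  # audit view: who obtained it, when and why
        return [e for e in self.audit if e["what"] == account and e["outcome"] == "granted"]
```

Denied attempts are logged too, so the audit trail shows both the accesses that happened and the ones the policy stopped.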

Identity as a new perimeter

For organizations, the top priority is to treat identity as the new perimeter and implement end-to-end credential lifecycle management.

This means securing every stage of a user’s digital identity, from onboarding and access provisioning to ongoing authentication, privilege changes, and timely deprovisioning when roles change or employees leave.

By managing credentials holistically rather than in silos, organizations can reduce attack surfaces, limit lateral movement, and ensure that access is continuously aligned with real business needs.

In an environment where users, devices, and applications operate far beyond traditional network boundaries, strong identity governance becomes the foundation of effective security.

Weak passwords are not an inevitability. They are the result of inadequate controls, inconsistent policy enforcement and outdated behaviors.

With robust password management, strong privileged access oversight and a zero-trust mindset, organizations can significantly reduce their exposure and, in doing so, weaken one of the most exploited attack vectors facing UK businesses today.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
