July 11, 2026 ยท by David Gilbert ยท 3 min read ยท Cyber Security

Passwords Are Still the Problem. Here's What I Tell Every Client.

With everything that's changed in cyber security โ€” AI-driven scams, deepfakes, voice cloning, threats that sound like science fiction from a decade ago โ€” the single most common vulnerability I still find sitting on client systems is embarrassingly old-fashioned: weak, reused passwords. Not exotic. Not high-tech. Just genuinely, persistently the thing that opens the door.

The Pattern I See Constantly

Someone's using the same password, or a very minor variation of it, across their email, their banking, their business accounting software, and the loyalty app for their local coffee shop. The coffee shop app gets breached โ€” and small, less security-conscious services get breached constantly โ€” and suddenly the attacker has a password that also happens to unlock their email and their bank. One weak link, breached anywhere in the chain, compromises everything connected to it.

Why "I'll Remember a Strong One" Doesn't Work

I understand the instinct. A complex, unique password for every single account sounds exhausting, and "exhausting" loses to "convenient" almost every time, for almost everyone, including me before I properly sorted my own setup out. This is exactly why a password manager isn't an optional extra anymore โ€” it's genuinely the single highest-impact thing I get a client to change, and it usually takes under twenty minutes to set up properly.

What I Actually Recommend, In Order

  • A password manager, for everyone, no exceptions. It generates and remembers genuinely strong, unique passwords for every account, so you only need to remember one master password instead of forty bad ones.
  • Multi-factor authentication on anything that offers it โ€” email and banking especially. Even if a password does leak somewhere, MFA is the difference between a minor inconvenience and an actual breach.
  • A genuinely strong, unique password on your email specifically, even before everything else, because email is usually the master key โ€” most "forgot password" recovery flows go straight through it.

The Pushback I Get

"I've never been hacked, so I must be fine" is the line I hear most often, and I understand why it feels reassuring. But it's surviving on luck and on not yet being a specifically targeted, valuable-enough target โ€” not on having good security. The data breaches that expose your reused password usually have nothing to do with you at all. They happen to some other service you signed up for once, years ago, that you've completely forgotten existed.

A Quick, Slightly Uncomfortable Exercise

There are reputable services that let you check whether your email address has shown up in a known data breach. I've sat with clients while they checked, and the reaction is almost always the same mix of surprise and quiet horror at how many old, half-forgotten accounts come back. It's not meant to scare anyone โ€” it's meant to make the abstract risk feel concrete enough to actually act on, which a lecture about "best practices" rarely manages on its own.

The Boring Stuff Still Wins

Every flashy new security threat gets the headlines, and the genuinely sophisticated ones absolutely deserve attention and respect. But for most small businesses and most individuals, the actual risk reduction comes from the unglamorous basics done properly and consistently โ€” unique passwords, a manager to handle them, multi-factor authentication switched on. None of this is exciting. All of it works, reliably, against the overwhelming majority of what actually gets people into trouble.