The first Thursday of May each year marks ‘World Password Day’, a global event dedicated to raising awareness about the importance of securing passwords and following the best online security practices. With cyber-attacks and data breaches an almost daily occurrence globally, Brett Russell, Head of Product and CISO at MetroFibre, provides a sobering reality check on why that complex password may no longer be good enough, and what to do about it. World Password Day is a reminder for individuals and businesses to examine the security of all their online login credentials.

Open a search engine and type “Have I Been Pwned”.

The first result should take you to a well-known site created by cybersecurity expert Troy Hunt, an Australian security researcher and the founder of ‘Have I Been Pwned’, a service that allows people to check whether their email addresses have appeared in known data breaches. It is one of the simplest and most effective reality checks any internet user can do.

Now type in your email address. Then check any older email addresses you may still remember using.

If your details do not appear anywhere, that is a very good sign. But for many people, the results can be unsettling. The site may show that your email address has appeared in one or more breaches, often alongside details about what kind of information was exposed. In some cases, that may include passwords, usernames, locations, phone numbers or other personal data stolen from platforms and services you once trusted. Have I Been Pwned also offers a free notification service so people can be alerted if their email address appears in future breaches.

That is the point where many people realise an uncomfortable truth: your password length may not matter as much as you think it does once it has already been exposed somewhere else.

For years, people have been told to create passwords that are long, complex and difficult to guess. That advice is not wrong. But it is no longer enough on its own. If the same password has been used on multiple sites and just one of those sites suffers a breach, attackers can begin trying those credentials elsewhere. Suddenly, even a strong password becomes a liability.

This is one of the biggest weaknesses in how many people think about online security. They assume password strength alone is the answer. In reality, password uniqueness matters just as much.

If a compromised password unlocks only one account, the damage is limited. If it unlocks five, 10 or 20 accounts, the risks escalate quickly. Your email, banking apps, work systems, shopping accounts, streaming services and social platforms can all become part of the same chain of exposure.

The danger becomes even greater when people rely on familiar password patterns. Adding a number to the end, changing the year, swapping one symbol for another, or following the same structure across multiple accounts may feel clever and manageable. But those patterns are precisely what attackers and automated tools are designed to detect and exploit.

So what should consumers do?

The first step is to accept that remembering a different, long and complex password for every account is simply not practical for most people. That is why password managers have become such an important part of modern digital hygiene. A password manager acts like a secure vault. It stores your passwords, generates strong and unique credentials for every site or system, and protects them behind a single master password. The biggest advantage is not just security. It is convenience. A good cloud-based password manager can work across phones, tablets, browsers and desktop devices, synchronise automatically, and securely fill in your login details when needed.

For many users, the obvious question is whether storing passwords in the cloud is itself a risk. It is a fair concern. But reputable password managers encrypt your data before it is stored, so what sits in the cloud is effectively unreadable without your master password. In other words, a well-designed password manager can offer both strong security and the ease of use that people need in real life.

Used properly, password managers also solve the single biggest problem exposed by sites like Have I Been Pwned: password reuse.

They make it possible to have a different, strong password for every single system and site you use, without needing to remember them all yourself. That is a major shift from hoping your password is “good enough” to building a far more resilient overall security habit.

Consumers should also add another important layer wherever possible: two-factor authentication. Even if a password is compromised, a second verification step can make it much harder for an attacker to gain access.

The broader lesson here is simple. Cybersecurity is no longer just about choosing a harder password. It is about reducing risk across your entire connected life.

That is why I would encourage every internet user to take one practical step today: open a search engine, type “Have I Been Pwned”, and check your email addresses. It is a small action, but it can be a powerful wake-up call. It shows just how easily personal information can be exposed through breaches, and why relying on one “good” password is no longer a sound security strategy.

At MetroFibre, we believe that better connectivity should go hand in hand with better digital awareness. Fast, reliable internet opens up enormous opportunity for households, families and businesses. But safe, confident internet use requires more than speed. It requires smarter security habits too.

Because in today’s connected world, the real question is not whether your password is long or complex enough. It is whether your overall approach to security is strong enough to protect you when the next breach happens.

  • Brett Russell, Head of Product and CISO at MetroFibre