DTP Group has published new survey findings on password reuse among UK adults, as executives from Roboshadow and Mimecast warn that attackers are increasingly exploiting human behaviour and weak cyber discipline rather than password strength alone.

The Leeds-based company found that one in eight UK adults, or 12.45 per cent of respondents, use a single password across every account. Censuswide surveyed 1,000 UK adults, and the results were extrapolated using an Office for National Statistics estimate of 54 million adults.

Applied nationally, the data suggests more than six million people in the UK could rely on a single credential across email, banking, shopping and social media. Just 19.12 per cent said they use a unique password for every account, implying that around four in five adults reuse passwords to some degree.

More than a third of respondents, 36.23 per cent, said they rely on between one and three passwords for all their online services. Nearly 60 per cent use six or fewer passwords in total, a pattern that could leave an estimated 32 million people vulnerable if one breached service exposes other accounts.

The number of digital services people manage has grown faster than the number of unique passwords they use. DTP found that 69 per cent of respondents manage between one and 20 password-protected accounts, while only a minority maintain enough distinct passwords to cover them all.

Official fraud statistics point to a related rise in account compromise. Action Fraud recorded 35,434 reports of social media and email account breaches in 2024, up from 22,500 a year earlier. Investigators and industry analysts often cite weak or reused credentials as a root cause.

Security leaders argue that the conversation around World Password Day now extends beyond password complexity rules. Roboshadow Founder and Chief Executive Terry Lewis said modern tools give organisations more visibility into attempted intrusions, but only if they are used consistently.

“World Password Day made sense when passwords were the front line of security, but in 2026, that’s no longer the case.”

“Today, most organisations already have access to enterprise-grade security by default. Multifactor authentication is widely available, passkeys are native to modern devices, and hardware-backed protections like TPM are standard. The issue isn’t technology. It’s discipline, and whether organisations use it consistently.”

“In the AI era, attackers aren’t manually guessing passwords. They’re using automation to continuously scan, probe and enumerate environments at scale. Whether it’s a weak credential, an exposed API key, or a forgotten device, anything visible will eventually be tested.”

The real shift is that enumeration is no longer silent, and organisations can detect it.

Modern security tooling, including SIEM and SOC capabilities, is now more accessible than ever. That means organisations can see when accounts are probed, when credentials are tested, and when unusual authentication patterns emerge, even in environments using MFA or passkeys. AI hasn’t broken security, but it has dramatically increased the volume and persistence of these attempts. It creates constant background noise from systems being tested, credentials being tried and access points being explored.

The organisations that win aren’t those with the most complex or longest password policies. They are the ones that can see this activity, understand it and respond quickly.

In 2026, security isn’t about better passwords. It’s about cyber discipline and the everyday operational habits that keep environments clean, visible and resilient.”

Industry attention has also shifted to how employees respond to phishing attempts and fake login prompts designed to harvest credentials. Mimecast field Chief Information Security Officer Beth Miller said the quality and timing of these lures has improved as attackers adopt generative AI.

“World Password Day is a useful moment, but the industry keeps having the wrong conversation. The question was never ‘are your passwords strong enough?’ It’s ‘why do attackers keep getting through even when they are?'” Miller said.

“AI has changed the equation. The fake login pages I’m seeing now are indistinguishable from the real thing. The lures are contextually accurate, timed well, and crafted to exploit exactly the pressure employees are already under. Credential theft isn’t a technical failure – it’s a behavioural one, and we’ve been slow to treat it that way.”

“Our State of Human Risk data exposes a three-part problem. First, 91% of organisations acknowledge obstacles to employee compliance – they know their people are a risk factor. Second, 96% recognise their protection is incomplete – they know their defences have gaps. Third, nearly three-quarters are still running fragmented defences where people-focused and technology-focused controls never talk to each other. Attackers don’t exploit what organisations fail to see. They exploit what organisations see but fail to connect. That gap – between recognition and action – is where incidents happen.”

“Passwords aren’t going away, and proper password hygiene still matters. But hygiene alone isn’t a strategy. What organisations need is the combination: identity protection at the access layer, real-time detection at the technical layer, and behavioural instrumentation at the human layer. The third is the most underinvested. It is also exactly where attackers are focused.”

However, the discount retailer has a restructuring plan that it hopes will save it from store closures and redundancies.

Poundstretcher has almost 300 stores and 3,000 staff across the UK.

It was bought by US investment firm Fortress, which also owns Majestic Wine, in 2024 for an undisclosed sum.

In March, the company revealed plans to ask landlords to slash rents across its store estate as it looked to secure its long-term future, but insisted it would not be shutting shops or cutting jobs.

Poundstretcher is reportedly seeking urgent support to avoid administration, putting about 300 U.K. stores at risk. Richard Tice said the pressure reflects wider strain on the high street and blamed Labour policies for worsening trading conditions.

— TU_Crypto_News (@TU_Crypto_News) May 7, 2026

At a hearing on Wednesday, lawyers for the company said that if a restructuring plan was not approved, it would have “insufficient funds” to meet its funding need of £2.8 million, which is due in the week beginning June 28.

This sum would increase to £9.7 million in the week commencing July 26.

In written submissions, Tom Smith KC, for Poundstretcher, said: “In those circumstances, the directors of the plan company will likely have no choice but to file for administration.

“In the administration, the administrators are anticipated to continue trading for a limited period while available liquidity is used to support a sale of the stock… ”

He said that the purpose of the restructuring plan was to restore Poundstretcher to “financial stability” and to enable them to “implement the turnaround business plan”.

The hearing in London was what is known as a “convening hearing”, where barristers ask for a judge’s permission to convene meetings of a company’s creditors to vote on the restructuring plan.

Mr Smith also told the court that since 2020, “the group’s performance has continued to deteriorate due to subdued customer confidence, rising operating costs and inflationary pressures”.

He said: “In light of its financial difficulties, the plan company has prepared the turnaround business plan, alongside Teneo, whom the plan company engaged as financial advisors, with the aim of avoiding administration and restoring the group to profitability.”

Mr Smith said that this involved “shifting the product mix of the plan company to include more well-known household brands” and “optimising the plan company’s store portfolio, by opening stores on a selective basis in locations with higher footfall”.

In a ruling, Mr Justice Hildyard said he was “content” that the matter should proceed to the meetings with the creditors on May 26.

If they vote in favour of the scheme, the plan is set to return to the High Court to be approved by a judge at a “sanction hearing” scheduled for June 4.

What did Poundstretcher say about store closures?

A spokesperson for Poundstretcher said: “We welcome today’s court decision that allows our plan to proceed.

“Our plan is focused on strengthening Poundstretcher’s long-term position and creating a company that can grow in the years ahead.

“There are no planned store closures or redundancies and our stores continue to welcome customers throughout this process.

“Our priority remains serving customers across the UK.”

Will you be sad to see Poundstretcher close? Let us know in the comments

Many organisations do not have a full view of their external attack surface, according to DarkInvader, which links that gap to the way attackers now search for internet-facing weaknesses.

Its analysis found that 43% of UK businesses suffered a cyber breach or attack over the past year, rising to 69% among large organisations. It argues that many security teams still lack full visibility of internet-facing assets, even as phishing, credential exposure and externally exploitable vulnerabilities continue to increase.

The issue centres on the growing complexity of corporate technology estates. Cloud infrastructure, application programming interfaces, third-party integrations and rapidly deployed services have increased the number of systems that sit outside traditional network boundaries.

As these environments expand, assets can be created, changed or abandoned without being properly recorded or secured. That can leave unknown subdomains, exposed services, misconfigured cloud assets and leaked credentials outside the scope of internal monitoring.

This has changed how many attackers approach their targets. Rather than trying to break through internal defences directly, they can scan public-facing systems and data to identify potential entry points without alerting conventional tools.

In practice, an organisation may invest heavily in internal protection while still leaving a route open through systems it does not know it has. Initial access is often gained through assets that sit beyond the view of established security controls.

External focus

The shift has helped drive interest in External Attack Surface Management, or EASM, which aims to give organisations a continuous external view of their digital footprint. The approach focuses on identifying internet-facing assets and monitoring them for vulnerabilities, misconfigurations and other risks.

Unlike more traditional security models, EASM is designed around the perspective of an outside attacker. That means focusing not only on known systems, but also on assets that have been forgotten, deployed informally or introduced through suppliers and other third parties.

The problem is not simply one of technology spending. More broadly, DarkInvader argues, organisations have historically concentrated on protecting internal environments and responding to known vulnerabilities, while the current threat landscape demands a wider understanding of external exposure.

That shift reflects the wider spread of digital services across modern businesses. Companies now operate through a mix of internal systems, cloud services, public-facing applications and outside partners, making it harder to maintain a single accurate inventory of what is exposed to the internet.

Changing priorities

Security teams need to move from a reactive model to continuous exposure management, the company argues. In practice, that means understanding what attackers can see, identifying gaps in coverage and ranking risks according to how likely they are to be exploited in the real world.

Without that external view, even well-funded teams may be working from an incomplete picture of their own environment. The result can be a mismatch between where defensive tools are deployed and where attackers are actually looking.

DarkInvader describes its platform as an EASM service that provides visibility across internet-facing assets. It is designed to discover and map an organisation’s digital footprint, including unknown and unmanaged assets, and monitor them for vulnerabilities and changes.

The platform also examines open-source intelligence, dark web data and other external signals to identify issues such as exposed credentials, misconfigurations and supplier-related threats. That reflects a broader industry trend towards combining asset discovery with ongoing monitoring of the wider online environment around an organisation.

DarkInvader expects the attack surface management market to expand as digital environments become more complex and businesses seek better visibility into external risks. Its central argument is that understanding an organisation’s full external presence is becoming a core part of cyber defence rather than a specialist add-on.

Organisations must now account for assets they do not directly control and, in some cases, may not even know exist. In DarkInvader’s view, the ability to see and manage that full attack surface is increasingly the difference between preventing a breach and discovering it after the fact.