DTP Group has published new survey findings on password reuse among UK adults, as executives from Roboshadow and Mimecast warn that attackers are increasingly exploiting human behaviour and weak cyber discipline rather than password strength alone.

The Leeds-based company found that one in eight UK adults, or 12.45 per cent of respondents, use a single password across every account. Censuswide surveyed 1,000 UK adults, and the results were extrapolated using an Office for National Statistics estimate of 54 million adults.

Applied nationally, the data suggests more than six million people in the UK could rely on a single credential across email, banking, shopping and social media. Just 19.12 per cent said they use a unique password for every account, implying that around four in five adults reuse passwords to some degree.

More than a third of respondents, 36.23 per cent, said they rely on between one and three passwords for all their online services. Nearly 60 per cent use six or fewer passwords in total, a pattern that could leave an estimated 32 million people vulnerable if one breached service exposes other accounts.

The number of digital services people manage has grown faster than the number of unique passwords they use. DTP found that 69 per cent of respondents manage between one and 20 password-protected accounts, while only a minority maintain enough distinct passwords to cover them all.

Official fraud statistics point to a related rise in account compromise. Action Fraud recorded 35,434 reports of social media and email account breaches in 2024, up from 22,500 a year earlier. Investigators and industry analysts often cite weak or reused credentials as a root cause.

Security leaders argue that the conversation around World Password Day now extends beyond password complexity rules. Roboshadow Founder and Chief Executive Terry Lewis said modern tools give organisations more visibility into attempted intrusions, but only if they are used consistently.

“World Password Day made sense when passwords were the front line of security, but in 2026, that’s no longer the case.”

“Today, most organisations already have access to enterprise-grade security by default. Multifactor authentication is widely available, passkeys are native to modern devices, and hardware-backed protections like TPM are standard. The issue isn’t technology. It’s discipline, and whether organisations use it consistently.”

“In the AI era, attackers aren’t manually guessing passwords. They’re using automation to continuously scan, probe and enumerate environments at scale. Whether it’s a weak credential, an exposed API key, or a forgotten device, anything visible will eventually be tested.”

The real shift is that enumeration is no longer silent, and organisations can detect it.

Modern security tooling, including SIEM and SOC capabilities, is now more accessible than ever. That means organisations can see when accounts are probed, when credentials are tested, and when unusual authentication patterns emerge, even in environments using MFA or passkeys. AI hasn’t broken security, but it has dramatically increased the volume and persistence of these attempts. It creates constant background noise from systems being tested, credentials being tried and access points being explored.

The organisations that win aren’t those with the most complex or longest password policies. They are the ones that can see this activity, understand it and respond quickly.

In 2026, security isn’t about better passwords. It’s about cyber discipline and the everyday operational habits that keep environments clean, visible and resilient.”

Industry attention has also shifted to how employees respond to phishing attempts and fake login prompts designed to harvest credentials. Mimecast field Chief Information Security Officer Beth Miller said the quality and timing of these lures has improved as attackers adopt generative AI.

“World Password Day is a useful moment, but the industry keeps having the wrong conversation. The question was never ‘are your passwords strong enough?’ It’s ‘why do attackers keep getting through even when they are?'” Miller said.

“AI has changed the equation. The fake login pages I’m seeing now are indistinguishable from the real thing. The lures are contextually accurate, timed well, and crafted to exploit exactly the pressure employees are already under. Credential theft isn’t a technical failure – it’s a behavioural one, and we’ve been slow to treat it that way.”

“Our State of Human Risk data exposes a three-part problem. First, 91% of organisations acknowledge obstacles to employee compliance – they know their people are a risk factor. Second, 96% recognise their protection is incomplete – they know their defences have gaps. Third, nearly three-quarters are still running fragmented defences where people-focused and technology-focused controls never talk to each other. Attackers don’t exploit what organisations fail to see. They exploit what organisations see but fail to connect. That gap – between recognition and action – is where incidents happen.”

“Passwords aren’t going away, and proper password hygiene still matters. But hygiene alone isn’t a strategy. What organisations need is the combination: identity protection at the access layer, real-time detection at the technical layer, and behavioural instrumentation at the human layer. The third is the most underinvested. It is also exactly where attackers are focused.”

Castleforge and Galaxy Data Centres have won planning consent to expand their Redhill data centre campus near London, including a new 15MW facility.

The project is part of a broader expansion at the campus, where the partners have already invested more than GBP £100 million. They now plan a further GBP £200 million investment, taking the gross project value to about GBP £500 million.

Site details

The approved scheme will add a two-storey data centre with four data halls and an office block on the existing 3.1-hectare Foxboro Business Park estate. The site sits just outside London, where operators and investors have been seeking land and power as available capacity tightens.

The development will support a local waste heat recovery initiative. Waste heat from the facility will be reused on site, and the design allows for future export to a neighbouring residential heat network.

Market pressure

The expansion comes as the London data centre market faces growing pressure on supply. London remains Europe’s largest data centre market and the world’s second largest after Northern Virginia. Vacancy has fallen sharply in recent years as demand for colocation space has risen.

Figures cited by the partners show colocation vacancy in London falling from 21.3% in the first quarter of 2021 to 7.4% by the fourth quarter of 2025. They also pointed to estimates showing 302MW of capacity in London’s pipeline, even as development constraints around the capital make new schemes harder to bring forward.

Demand for data centre space around London has been driven by growth in artificial intelligence, cloud computing and hybrid workloads. Operators have also sought sites with reliable power access and strong connectivity to established hubs such as Slough and Docklands.

The Redhill campus currently spans 11,800 square metres across three buildings and serves customers including Fortune 500 businesses in financial services, artificial intelligence and other sectors.

For Castleforge, the scheme adds to a portfolio focused on the built environment. For Galaxy, it reflects the growing role of specialist operators and advisers in a market where access to power, planning and operational expertise is becoming increasingly important. The borough council’s planning committee approved the application.

Executive view

Mike Adcock, Head of Investments, Castleforge, said the approval marked an important step for the project.

“Securing planning consent for our new development at Redhill is a major milestone in our plans to deliver high-quality, sustainable digital infrastructure to one of the world’s most important data centre markets.

Demand for capacity in and around London continues to outpace supply, and this consent enables us to bring forward the additional power and scale required to serve enterprise, hyperscale and edge customers. We are particularly proud of the project’s sustainability credentials, including the potential to export waste heat to local homes, which reflects our commitment to creating places that deliver lasting value for both customers and the surrounding community,” said Adcock.

Paul Leong, Chief Financial Officer and Partner, Galaxy Data Centres, said the approval was central to the partners’ plans for the site.

“This planning consent is a pivotal step in realising the long-term vision we set out when we acquired Redhill alongside Castleforge.

The new facility will significantly expand the capacity available to our customers and ensure Redhill is positioned to meet the evolving needs of edge, hyperscale and enterprise users. We are proud to be delivering a development that combines operational excellence with meaningful sustainability outcomes, and we look forward to bringing the project forward in close collaboration with the local community,” said Leong.

The project has been designed to achieve a BREEAM rating of Very Good and includes low- and zero-carbon technologies. Those features are likely to carry weight in a market where local authorities, communities and customers are paying closer attention to the environmental impact of data centre development.

Redhill’s appeal rests partly on its proximity to London without being in the most constrained central locations. With available land and power around core metropolitan areas under pressure, outer hubs and established campuses have become more attractive to investors looking to expand near major demand centres.

The approval gives Castleforge and Galaxy a route to increase capacity at a campus with operating buildings and existing customers, at a time when operators across Europe are competing for scarce development opportunities.

However, the discount retailer has a restructuring plan that it hopes will save it from store closures and redundancies.

Poundstretcher has almost 300 stores and 3,000 staff across the UK.

It was bought by US investment firm Fortress, which also owns Majestic Wine, in 2024 for an undisclosed sum.

In March, the company revealed plans to ask landlords to slash rents across its store estate as it looked to secure its long-term future, but insisted it would not be shutting shops or cutting jobs.

Poundstretcher is reportedly seeking urgent support to avoid administration, putting about 300 U.K. stores at risk. Richard Tice said the pressure reflects wider strain on the high street and blamed Labour policies for worsening trading conditions.

— TU_Crypto_News (@TU_Crypto_News) May 7, 2026

At a hearing on Wednesday, lawyers for the company said that if a restructuring plan was not approved, it would have “insufficient funds” to meet its funding need of £2.8 million, which is due in the week beginning June 28.

This sum would increase to £9.7 million in the week commencing July 26.

In written submissions, Tom Smith KC, for Poundstretcher, said: “In those circumstances, the directors of the plan company will likely have no choice but to file for administration.

“In the administration, the administrators are anticipated to continue trading for a limited period while available liquidity is used to support a sale of the stock… ”

He said that the purpose of the restructuring plan was to restore Poundstretcher to “financial stability” and to enable them to “implement the turnaround business plan”.

The hearing in London was what is known as a “convening hearing”, where barristers ask for a judge’s permission to convene meetings of a company’s creditors to vote on the restructuring plan.

Mr Smith also told the court that since 2020, “the group’s performance has continued to deteriorate due to subdued customer confidence, rising operating costs and inflationary pressures”.

He said: “In light of its financial difficulties, the plan company has prepared the turnaround business plan, alongside Teneo, whom the plan company engaged as financial advisors, with the aim of avoiding administration and restoring the group to profitability.”

Mr Smith said that this involved “shifting the product mix of the plan company to include more well-known household brands” and “optimising the plan company’s store portfolio, by opening stores on a selective basis in locations with higher footfall”.

In a ruling, Mr Justice Hildyard said he was “content” that the matter should proceed to the meetings with the creditors on May 26.

If they vote in favour of the scheme, the plan is set to return to the High Court to be approved by a judge at a “sanction hearing” scheduled for June 4.

What did Poundstretcher say about store closures?

A spokesperson for Poundstretcher said: “We welcome today’s court decision that allows our plan to proceed.

“Our plan is focused on strengthening Poundstretcher’s long-term position and creating a company that can grow in the years ahead.

“There are no planned store closures or redundancies and our stores continue to welcome customers throughout this process.

“Our priority remains serving customers across the UK.”

Will you be sad to see Poundstretcher close? Let us know in the comments