It’s time to get password secure this summer and continue the fight against fraudsters

Virgin Media O2 research has found 8 in 10 Brits are using the same or near identical passwords across multiple accounts online.

We want the nation to be more aware of how cybercriminals operate and how a weak password can lead to sensitive data falling into the hands of the wrong people.

This is why we are working with full-time bug bounty hunter and ethical ‘White Hat’ hacker Brandyn Murtagh as part of our ongoing ‘Swerve the Scammers’ campaign.

 

Our latest research shows:

  • 55%: more than half of Brits are worried about being hacked
  • 35% of Brits use the same or similar passwords for their emails, with 15% of the nation doing the same for their online banking
  • 1 in 5 have experienced their accounts being hacked already, yet a quarter would revert to old habits and use the same password

Brandyn has shared some of his top tips to stay password secure:

1. Never reuse the same password – even with a very slight variation (!)

Recycling your password online might seem like a good idea when it comes to remembering your log-in details in a rush. However, it means even if just one of your accounts is caught in a data breach, it puts every other account that uses that password at risk.

This is even the case if you use different passwords but make small tweaks from account to account (adding a capital letter or ! here, changing an I to a 1 there) – hackers know you do this. They have tools that mimic human behaviour and try the most common variations to break the code.

Help minimise the risk by keeping every single password completely unique – a password manager can help you keep track (more below).

2. Always use at least 14 characters and phrases

The longer the password, the harder it is to crack; it’s as simple as that. While many sites will require passwords to start from just 6 characters, I always recommend a longer password which combines:

  • Letters: Both uppercase (A-Z) and lowercase (a-z).
  • Numbers: 0-9.
  • Special characters (optional): Symbols like @, #, $,

It’s much harder and would take much longer – years even – for a hacker to crack using brute force technology.

Remember, 14 is a minimum, not the rule: the longer the better.

3. Implement two factor authentication or a passkey, wherever possible

Two-factor authentication or multi-factor authentication (2FA or MFA) means you have a two-step log-in process. This would require you to use not just a password but an additional form of identification to verify it’s you and successfully access your account. You might need to enter a unique code or PIN sent to your email or phone that will only work for a short period of time.

With MFA or 2FA, should a hacker get hold of your password, it still wouldn’t be enough to pass security on your account unless they have some way to get hold of this second piece of information.

Meanwhile a passkey scraps the password altogether, instead using biometrics (think when you use your fingerprint or facial recognition on your phone) to verify a log-in. This is ultra-secure because it’s generated from your device and cannot be intercepted by a company data breach.

Not every site will let you do these options, but when it’s an option, always go for it as an extra layer of protection.

4. Use a secure password manager

It’s a bit like a digital vault for your passwords. Not only can it help create unique, difficult-to-hack passwords for you, it also makes remembering all of them that much easier. That’s because it stores them all securely and automatically fills them in when you’re logged into and using a secure device, taking the hassle away from passwords.

There are many free password managers out there to get you started, and many web browsers have them automatically set up.

Remember, writing your passwords down on paper or in a notes app on your phone, or telling friends or family, is not secure.

5. Too many sites with the same password? Start with the big ones (including financial, email, mobile operator and work accounts) then work your way from there.

While I always recommend unique passwords for every online account, it can be tricky if you’ve spent years using the same password to know where to start. If I was in this position today, these would be the first four things I’d change.

That’s not to say other accounts aren’t important, they are, but these accounts have some of the most sensitive information in there and create the biggest risks – financial or otherwise – for you if they were accessed. There might be a few others you want to prioritise too, particularly if you store credit card information in there.

After that, help make the process more manageable by changing a password every time you log in to other accounts and committing to using new unique passwords in future.

6. Be careful what you put publicly online and avoid using personal details

In a matter of minutes, a hacker can connect the dots between what you say on social media and what you do online; the more you put out publicly, the higher the risk. This is particularly the case if you use personal details that are easy to find, like your family or pet’s name, or birthday. If I was a black hat hacker, this is the first thing I’d guess.

Keep your social accounts private where possible, and always think before uploading information whether this could be providing a piece of the puzzle when logging in.

7. Avoid using public Wi-Fi, particularly when it comes to secure transactions

While public Wi-Fi is convenient, it’s important to understand today’s security landscape. Modern apps and browsers automatically encrypt most of your communication using protocols like HTTPS, providing a strong baseline of defence against interception.

However, the primary risk remains: malicious hotspots disguised as legitimate networks. Attackers use these to monitor your activity and redirect you to harmful websites.

For this reason, using your phone’s mobile hotspot is the most secure option. If you must use public Wi-Fi, a VPN (Virtual Private Network) is the best way to stay protected, as it fully encrypts all of your device’s internet traffic.
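Tips 1 and 2 above can be checked mechanically. The following is an added example, not part of the original article or Brandyn's advice: a short Python check that flags a candidate password that is too short or only a small tweak of one already in use. The look-alike table, the 0.8 similarity threshold and the sample passwords are constructed assumptions.

```python
import difflib

MIN_LENGTH = 14  # minimum length recommended in tip 2

# Common look-alike swaps ("changing an I to a 1"), mapped back to letters.
# This table is an illustrative assumption, not an exhaustive list.
LOOKALIKES = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e",
                            "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

# Constructed sample of passwords already in use (never real ones).
SAMPLE = {"email": "Sunshine2019", "bank": "correct-horse-battery"}


def canonical(password):
    """Reduce a password to the base word its owner would think of it as."""
    # Drop trailing digits and symbols first, so "Summer2024!" -> "Summer".
    core = password.rstrip("0123456789!@#$%^&*?._-")
    # If nothing is left (all digits/symbols), fall back to the original.
    core = core or password
    return core.lower().translate(LOOKALIKES)


def review(new, existing, threshold=0.8):
    """Return the reasons `new` breaks tip 1 or tip 2 (empty list = fine)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = canonical(new)
    for account, old in existing.items():
        if new == old:
            problems.append(f"identical to {account}")
        elif base == canonical(old):
            # Same base word once case, look-alikes and suffixes are removed.
            problems.append(f"tweaked copy of {account}")
        elif difflib.SequenceMatcher(None, base, canonical(old)).ratio() >= threshold:
            problems.append(f"near-identical to {account}")
    return problems


if __name__ == "__main__":
    for candidate in ("5unsh1ne2024!", "correct-horse-batteries9",
                      "violet-kettle-marathon-drum"):
        print(candidate, "->", review(candidate, SAMPLE) or "ok")
```

Run it only on a device you trust, and never paste real passwords into a website or shared machine to test them.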

We’ve also developed the “O2 nevers” to help people spot potential fraudsters and their crafty tactics.

O2 will never…

  1. Ask you to read out your one-time passcode or bank details over the phone
    If anyone calls asking for a code that’s been sent to you to secure a great deal, hang up. It’s a scam.
  2. Tell you to ignore security warnings
    Security warnings are there for a reason – to help keep you safe. Genuine O2 employees will never ask you to disregard them.
  3. Get angry if you want to hang up and call us back
    If you have any suspicion that you might be speaking to a scammer, the best thing to do is hang up and call us back by dialling 202 from your O2 phone.
  4. Pressure you into making a quick decision
    Scammers will try to get you to act before you’ve had a chance to think about what’s going on. If you start hearing things like ‘this is a limited one-time offer’ or ‘you need to give me an answer right now’ – hang up.
  5. Ask you to pay to return a device to us
    Fraudsters often try to convince victims they’ve been sent the ‘wrong device’ and trick them into sending it back. O2 provides pre-paid labels for device returns and only ever to the official O2 returns address, which is O2 Returns Centre, Communication House, Vulcan Road North, Norwich, NR66AQ. If you’re asked to pay for return shipping, it’s a scam.

If you think you’ve been the victim of fraud – whether that’s because you’ve given details to someone over the phone, or clicked on a link in a suspicious text or email – there are things you can do:

  • Contact your bank if you think you may have given out financial information. They can help protect your account and stop transactions
  • Change your account and online account passwords
  • Forward fraudulent texts to us for free on 7726 and we’ll look into them
  • Contact Action Fraud on 0300 123 2040
  • Call your Virgin Media or O2 customer services number if you think somebody’s taken out a contract with us using their details

Virgin Media customers can phone 150 from their landline or 0345 454 1111 from any other phone.

O2 customers can call 202 from their O2 phone or 0344 809 0202 from any other phone.

Journalists can contact the Virgin Media O2 press office on:
press@virginmediao2.co.uk, 01753 565656

Virgin Media press enquiries: press@virginmedia.co.uk

O2 press enquiries: pressoffice@o2.com