IT security teams across Britain are preparing to sacrifice their Bank Holiday Monday to the ancient and thoroughly unwinnable battle of explaining to colleagues that adding an exclamation mark to their password does not represent a meaningful engagement with the concept of cybersecurity.
The annual ritual, which traditionally falls on the first Monday in May, comes after new figures from the National Cyber Security Centre revealed that ‘123456’ and ‘password’ continue to occupy prominent positions in the nation’s most commonly breached passwords, despite these credentials having been publicly identified as a security risk since approximately 1997.
Graham Mitchell, head of IT security at a Birmingham-based logistics firm, said he had already received seventeen emails from colleagues attempting to change their passwords to variations of ‘Summer2025!’, apparently under the impression that referencing a season and wielding an exclamation mark constituted full compliance with the new policy.
“One person tried ‘Password1234!’ which I suppose shows some ambition, though not in a direction I would describe as helpful,” he said. “Another went with ‘P@ssword123’, clearly believing that the @ symbol might throw off a hacker who has never seen a Hotmail address from 2003.”
The struggle to implement basic password hygiene has reportedly intensified since the introduction of mandatory password changes every ninety days, a policy which IT departments acknowledge has done little except encourage employees to add sequential numbers to their existing inadequate passwords until they reach ‘Password127!’ sometime in late 2027.
Jennifer Hartley, a systems administrator at a Berkshire insurance company, noted that she would be spending the Bank Holiday fielding calls from colleagues who had locked themselves out of their accounts after forgetting whether they were currently on ‘Charlie2024!’ or ‘Charlie2025!’, Charlie being the name of a golden retriever who died in 2019 but whose memory lives on in forty-three percent of the company’s login credentials.
“We tried implementing a password manager last year,” she said. “People now store the password manager password in a Word document called ‘Passwords.docx’ on their desktop, which rather defeats the purpose.”
The NCSC guidance recommends using three random words for password security, though early reports suggest this has mainly resulted in variations of ‘teacupbiscuitrain’ and ‘mondaysausagedog’, the latter being particularly popular among employees who are still using photographs of Charlie the golden retriever as their screensaver.
IT departments have emphasised that they will be working through the Bank Holiday not because there is any genuine emergency, but because somebody from Accounts will inevitably attempt to reset their password at 11.47am on Tuesday morning and will need to be gently talked through the process for the eighth time this quarter.
The NCSC confirmed that despite years of public awareness campaigns, data breaches, and increasingly desperate pleading from security professionals, a statistically significant portion of the British workforce continues to believe that cybercriminals have not yet thought to try typing ‘123456’ into the password field.