SecurityBrief India - Technology news for CISOs & cybersecurity decision-makers
UK consumers urged to secure passwords & digital assets

Fri, 8th May 2026
Sofiah Nichole Salivio, News Editor

Cybersecurity specialists and financial services providers are urging UK consumers to rethink how they manage passwords and digital assets as World Password Day highlights rising online threats and a growing "digital inheritance" gap.

Industry figures warn that weak authentication practices now affect both day-to-day security and families' ability to access online wealth and memories after someone dies.

New research from Compare the Market shows that only 11% of UK adults have either drawn up a digital will or securely shared their passwords. Among over-55s, the figure falls to 5%, despite high levels of online activity and growing ownership of cryptocurrency and other digital holdings.

The survey of 2,000 adults suggests many people underestimate the value and complexity of what they own online. Nearly half, 47%, said they did not believe they held any "significant" digital assets, while 19% said they had not thought about their digital legacy at all.

Digital assets now span a wide range of services and accounts, including crypto wallets, non-fungible tokens, cloud photo libraries, email, social media profiles and messaging apps that store years of conversations and images.

The Property (Digital Assets etc) Act 2025, which came into force in the UK last year, classifies such assets as personal property. Legal specialists say the change has started to clarify how executors and trustees can recover digital holdings. Even so, the legislation does not treat them in the same way as physical possessions and bank accounts under traditional estate planning.

Unless digital assets are identified in a will or life insurance trust, they risk falling into unclaimed parts of an estate. Families can then face lengthy processes to regain access, or may never recover funds or sentimental content if providers require proof that has not been prepared in advance.

"We are living in a digital age, yet our approach to inheritance is still largely analogue in some areas. Digital assets, from high-value crypto wallets to family photos stored in the cloud, are now legally recognised assets that may need the same protection as our physical homes."

"The digital drafting gap we're seeing, especially among over-55s, is important. If you do not explicitly name your digital beneficiaries, you risk leaving your loved ones locked out of your most precious memories or unable to access online financial assets," said Emily Barnett, Life Insurance Expert at Compare the Market.

Alongside estate planning concerns, security leaders say day-to-day password behaviour still leaves users exposed to fraud and account takeovers. Gaming marketplace G2A.com and security platform ThreatAware report continued reliance on simple or reused passwords, even as attackers adopt more sophisticated techniques.

"As today marks World Password Day, it is a timely reminder that in today's digital economy, where gaming, commerce and payments all happen online, protecting digital identity is central to security. Recent industry reporting shows that compromised credentials and other identity-based attacks remain among the most common paths to account compromise and broader security incidents."

"Weak or reused passwords are still one of the primary attack vectors, but the threat landscape is also evolving through AI-enabled phishing and social engineering. Threat actors are increasingly using generative AI to scale credential-harvesting campaigns, create more convincing impersonation attempts and produce fraudulent communications that are harder to distinguish from legitimate ones. AI does not fundamentally change how passwords are cracked; it makes stealing them through deception more efficient."

"For users of digital marketplaces and gaming platforms such as G2A.com, that means moving beyond password-only habits. Using a unique password for every service, storing credentials in a reputable password manager, enabling multi-factor authentication, and staying cautious around unexpected login links, urgent prompts or offers that seem too good to be true can significantly reduce risk. Where available, phishing-resistant authentication methods offer an even stronger layer of protection."

"At G2A, we follow zero-trust principles alongside real-time fraud detection, secure payment controls, seller verification and marketplace risk controls. Cybersecurity is a shared responsibility and a continuous process, not a static destination. World Password Day is a useful reminder that both platforms and users need to keep strengthening how they protect accounts and digital identity," said Adrian Podkaminer, Head of Security at G2A.com.

Security practitioners highlight password reuse as a persistent weak point. Attackers can combine email addresses with credentials stolen from low-security sites and then automate login attempts against banking, email and productivity platforms.

"Passwords remain the first line of defence for most services and applications. A weak password, whether short enough to crack by brute force or simply easy to guess, leaves the door wide open. What people still regularly overlook, however, is the risk of reusing the same password across multiple systems, even a complex one," said Jon Abbott, CEO and Co-founder at ThreatAware.

"All too often, someone has a single master password that is genuinely strong, but uses it everywhere, from banking to a low-security site such as a tennis club portal. If that portal is breached and its password database is stolen and cracked, attackers can automatically try that password against every major platform."

"They have your email address and a possible password, so the code simply tests common services such as Microsoft 365, Google and others, then reports back when a combination works. It will also try common variations, such as adding an exclamation mark or the digit 1, because so many people make exactly those tweaks when resetting a password."

"The best approach is to use passwordless authentication where possible, or a password safe. You then only need to remember one strong master password, while the manager generates a unique, complex password for every app and site."

"Your password should be the first line of defence, but never the only one. MFA or SSO should be enabled on every account where it is available. If a critical system does not offer MFA, you need to find a different provider because the risk is simply too high."

"Ultimately, good cyber hygiene goes beyond passwords. It requires stronger visibility across your environment, tighter control over devices and layered security that protects data wherever it resides," said Jon Abbott, Chief Executive and Co-founder of ThreatAware.
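
The reset-time tweaks described in the quotes above (appending an exclamation mark or the digit 1) can be rejected by a service at password-change time using only the stored salt and hash of the previous password. The following is an added example, not part of the original article or of any vendor quoted in it; the function names, the PBKDF2 parameters, the strip limit and the sample password are assumptions constructed for illustration, and it generalises from a single appended character to short runs of them.

```python
import hashlib
import hmac

# Suffix characters the article names as common reset-time tweaks.
TWEAK_SUFFIXES = ("!", "1")
MAX_STRIP = 4  # assumption: bound the work done per password change


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash as a service might store it (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def base_forms(candidate: str, max_strip: int = MAX_STRIP):
    """Yield the candidate, then each form left after stripping one trailing tweak."""
    current = candidate
    yield current
    for _ in range(max_strip):
        if not current.endswith(TWEAK_SUFFIXES):
            break
        current = current[:-1]
        yield current


def is_trivial_variation(candidate: str, old_salt: bytes, old_hash: bytes) -> bool:
    """True if the candidate is the old password, or the old password plus tweaks.

    The old plaintext is never needed: each stripped form of the candidate is
    hashed with the old salt and compared in constant time to the old hash.
    """
    for form in base_forms(candidate):
        if form and hmac.compare_digest(hash_password(form, old_salt), old_hash):
            return True
    return False


# Constructed sample record for a previous password (not real data).
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_OLD_HASH = hash_password("TennisClub-Harbour-42", SAMPLE_SALT)

if __name__ == "__main__":
    for new in ("TennisClub-Harbour-42!", "TennisClub-Harbour-421",
                "correct-violet-anchor-93"):
        verdict = "reject" if is_trivial_variation(new, SAMPLE_SALT, SAMPLE_OLD_HASH) else "accept"
        print(f"{new!r}: {verdict}")
```

The check only catches appended characters; it complements, and does not replace, the unique-password and MFA measures recommended in the article.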