Why financial advisers need a dedicated password manager – CPD guide for financial advisers

For financial professionals only

In financial services, clients rely on advisers not only to safeguard their investments but also to protect their most sensitive personal and financial information. Yet one of the most common weaknesses within adviser firms lies in how passwords are created, stored, and shared.

With advisers and staff often juggling credentials for multiple platforms (client portals, trading systems, compliance tools and banking apps), it is unreasonable to expect anyone to remember 50+ complex, unique passwords. The result is that advisers reuse passwords across multiple systems.

The number of compromised credentials is staggering

In June it was reported that 16 billion stolen logins for Apple, Google, Facebook and other companies were circulating online, and that 80-86% of hacking-related breaches involve stolen or weak passwords. When you compound this with the low adoption of password managers, and the convenient habit of reusing the same or similar passwords, you can see why attackers favour this low-effort style of attack.

Regulatory Expectations

Both the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO) expect firms to implement proportionate technical and organisational measures to protect client data. Under the UK GDPR, firms are legally required to ensure the confidentiality, integrity, and availability of personal data.

Weak password practices fall short of these obligations and could lead to:

·       Data breaches reportable under GDPR: Loss of personal data must be reported to the ICO within 72 hours. Something as simple as a compromised password could result in a breach of personal data.

·       FCA scrutiny: Firms must demonstrate strong operational resilience and effective risk management. Password mismanagement undermines both.

·       Financial penalties and reputational damage: The ICO has issued significant fines to firms that suffered cyber-attacks after failing to adopt basic security measures, including poor password controls.

A password manager directly addresses these regulatory concerns by embedding robust, auditable security into day-to-day operations.

What is a password manager?

At the basic level it’s a secure vault for all your logins. You only need to remember one master password (or use Face ID, a fingerprint, or Single Sign-On (SSO)), and the password manager does the rest, including creating strong, complex passwords that you never need to see or remember, because it auto-fills the login details for you.

Browser and mobile password managers

You’ve probably noticed that your web browser (Chrome, Safari, Edge, etc.) or mobile account (Samsung Pass / Apple ID) offers to save your passwords and auto-fill login details. Passwords stored in your browser are linked to an email account, and passwords stored by your device are linked to your Samsung Pass / Apple ID.

These types of password managers are designed to make your life easier, not necessarily to offer you the highest level of protection. Whilst it’s convenient to have passwords automatically filled in for you, browser and mobile password managers store passwords against your email account (Google, Apple ID, etc.), so anyone who gains access to that account login can access every password saved against it. In fact, hackers are increasingly targeting browser-stored passwords through malware and data breaches.

Always use multi-factor authentication

If you’re using a browser password manager today, it’s essential to use multi-factor authentication on the email account that is signed into the browser. Without it, your browser passwords are at significant risk: if someone has your email password, they can sign into the browser and view your list of passwords.

If the password you’re using for your email account is reused elsewhere, you’re at an even greater risk of having the logins accessed, as there are more sites and services where your email password could be compromised and sold online.

Why use a Dedicated Password Manager

A standalone password manager is a dedicated app or service designed solely to store and manage your passwords securely, typically using end-to-end encryption and a zero-knowledge architecture, so your data stays private even if the provider’s servers are compromised. These tools were created specifically to protect your sensitive information, which is why they are far more secure than the built-in password managers in web browsers.

Enterprise licences typically offer advanced features like centralised admin controls, user provisioning, audit logs, compliance tools, and secure password sharing across teams. Examples of standalone password managers include Dashlane, 1Password and NordPass.

What are the benefits of Dedicated Password Managers?

·       Simplicity: A password manager removes the burden of remembering unique passwords by storing credentials securely and generating complex passwords automatically. This dramatically reduces your risk of falling victim to credential stuffing attacks, where hackers use stolen passwords from one site to break into others.

·       Secure sharing: Avoid insecure practices like emailing passwords. Share credentials securely, revoke access instantly and choose from varying levels of permissions, e.g. allowing staff to use the password but never view it, whilst others have full admin rights.

·       Import passwords: Password managers allow you to import passwords from browsers or mobile devices by exporting a file, then securely transferring it into your encrypted vault. Remember to delete the passwords from the old location (and the exported file) once they’ve been moved.

·       Ability to save secure notes: Provides safe storage for data that isn’t necessarily linked to a website, decreasing the chance of staff storing information insecurely.

·       Secure access anywhere: With advisers frequently working across different offices, attending client meetings in multiple locations and working remotely, password managers ensure secure synchronisation across devices.

·       View of overall password health: Helps you to identify weak, reused, or compromised credentials, making it easier to strengthen security proactively.

·       Reducing risk exposure: Attackers continue to target email credentials and carry out browser-based attacks. Removing passwords from browsers, and from being tied to email accounts, removes those single points of failure.

·       Autofill with phishing protection: Password managers autofill only on websites whose address exactly matches the one saved with the login, so they won’t fill in passwords on phishing sites that use deceptive or look-alike addresses. If the manager refuses to autofill on a page you expected it to recognise, treat that as a warning sign rather than typing the password in manually.

·       Ownership transfer: If a staff member leaves, access to their passwords can be reassigned easily, reducing operational disruption.

·       Dark web monitoring: Password managers notify you when your credentials are compromised and being sold online, enabling you to respond quickly to the threat and avoid unauthorised access to your systems and client data.

·       Audit logging: You’ll have visibility into who accessed what data and when—supporting internal investigations.

·       Extending security beyond the office: Many providers offer free personal licenses for staff. By improving password hygiene outside of work, firms reduce the likelihood of compromised personal accounts being used as a backdoor into business systems.

·       Compliance advantages: Adopting a password manager isn’t just about convenience—it’s a compliance-strengthening measure that demonstrates proactive risk management in line with FCA SYSC rules.

·       Single Sign On (SSO) support: Streamlines secure access by allowing employees to log in once using their corporate credentials, reducing the risk of staff setting weak master passwords, and improving compliance.
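To make the "autofill with phishing protection" and "password health" points above concrete, here is an added illustration written for this guide (it is not code from any of the products named on this page). The vault entries, addresses and passwords are constructed sample data, and the strength rule is a simplified stand-in for the checks a real product applies.

```javascript
// Added example (not from the original article): how a password manager decides
// whether to autofill, and how a health dashboard flags reused or weak entries.
// Every site, user name and password below is constructed sample data.

// Constructed sample vault: what a manager might hold for one adviser.
const VAULT = [
  { site: "https://portal.example-platform.co.uk/login", user: "adviser@firm.example", password: "Zq7!vR2m#Lp9wX" },
  { site: "https://www.example-bank.com/", user: "adviser@firm.example", password: "Zq7!vR2m#Lp9wX" },
  { site: "https://compliance.example.org/", user: "adviser", password: "Summer2024" },
];

// Autofill is offered only when the page's origin (scheme + host + port) is
// identical to the origin saved with the login. A look-alike host such as
// "portal.example-platform.co.uk.evil-login.net" or "examp1e-bank.com"
// is a different origin, so nothing is filled. Returns the matching entries.
function entriesForPage(pageUrl, vault = VAULT) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;
  } catch {
    return []; // unparsable address: fill nothing
  }
  return vault.filter((entry) => new URL(entry.site).origin === origin);
}

// Password health: report which entries reuse a password across sites, and
// which are weak (simplified rule: under 12 characters or no symbol).
function healthReport(vault = VAULT) {
  const uses = new Map();
  for (const entry of vault) uses.set(entry.password, (uses.get(entry.password) || 0) + 1);
  return vault.map((entry) => ({
    site: entry.site,
    reused: uses.get(entry.password) > 1,
    weak: entry.password.length < 12 || !/[^A-Za-z0-9]/.test(entry.password),
  }));
}
```

Run `entriesForPage("https://portal.example-platform.co.uk.evil-login.net/login")` and you get an empty list, which is exactly the behaviour that stops a staff member handing a password to a phishing page.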

Switch to a password manager today

While browser password managers are better than nothing, they can’t compete with the security, cross-platform functionality, and ease of use that a dedicated password manager offers. As a financial adviser, your clients’ sensitive information is in your hands, and it’s crucial to protect it with the best tools available. A dedicated password manager isn’t just a nice-to-have — it’s an essential part of your cybersecurity toolkit.

Here are some password managers we recommend: NordPass, Bitwarden and Dashlane.

Take the CPD-accredited password manager test here

Test your understanding with these multiple-choice questions and receive a CPD certificate worth 30 minutes of CPD.

Never miss an update

The cyber landscape is constantly evolving; staying informed and proactive can help businesses mitigate risks.

Sign up to our fortnightly 'Adviser Insight' newsletter for expert insights - use the 'Sign up' button on the left-hand side to receive our updates.

This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.

Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.