Most breaches begin with a password - a weak one, a reused one, or one captured through phishing. The guidance below covers the practical steps that make the biggest difference to keeping your accounts safe.
Create strong passwords
A string of eight random symbols is hard to remember, awkward to type, and not as difficult for a computer to discover as you might expect. A short phrase of six to eight words with punctuation is easier to remember, easier to type, and significantly harder to compute. It also lends itself well to variation when it is time to change.
For example, a passphrase like correct.horse" battery-staple is far stronger than P@55w0rd! and much easier to recall.
Use different passwords for different services
Not all websites and applications store passwords securely. If one service is compromised, any other service where you used the same password is also exposed. A different password for each service limits the damage to that one service.
A password manager helps with this. It stores your passwords in an encrypted vault, so you only need to remember one strong master password. Most operating systems and browsers include one, and there are reputable standalone options available.
Change important passwords regularly
Important passwords - particularly email, banking, and any service that controls access to others - should be changed every month or two. This protects against accidental exposure through phishing, where someone creates a service that looks familiar in order to capture your password.
Do not share passwords
If multiple people need access to a service, use individual accounts rather than sharing credentials. Individual accounts also provide an audit trail of who did what.
Others are more likely to save shared passwords in browser history or write them down. If a password is inadvertently exposed, a recently shared password can also strain relationships, even where the other person is not the cause of the problem.
Use different email addresses for different services
Using a unique email address for each service helps identify sources of spam and adds an extra layer of protection. If a service is compromised, you can see which address was exposed.
Plus addressing makes this straightforward - you can create variations of your email address on the fly, such as you+shopname@example.com, and they still arrive in your inbox. See our guide to plus addressing for details.
Multi-factor authentication
Multi-factor authentication (MFA) adds a second step when logging in - typically a code from an app on your phone, a hardware key, or a text message. Even if your password is compromised, an attacker cannot log in without the second factor.
We strongly recommend enabling MFA on any service that supports it, particularly email, cloud storage, banking, and any administrative or control-panel access. Authenticator apps (such as FreeOTP, Aegis or similar) are preferred over SMS codes, as text messages can be intercepted.
For services we manage, we can configure MFA requirements and advise on the most appropriate approach for your setup.
Create a password policy
If you manage a team or organisation, consider writing a short password policy and sharing it with colleagues, staff, and anyone who accesses your systems. It does not need to be complex - a page covering the points above is a good start.
If you have specific security concerns or require a custom solution, please get in touch.