Password policy guidance
Practical guidance for creating, managing and protecting your passwords.
Create strong passwords
A string of eight random symbols is hard to remember, awkward to type, and not as difficult for a computer to guess as you might expect. A short phrase of six to eight words with punctuation is easier to remember, easier to type, and far more expensive to guess by brute force. It also lends itself well to variation when it is time to change it.
For example, a passphrase like correct.horse" battery-staple is far stronger than P@55w0rd! and much easier to recall.
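To make the comparison concrete, here is an added example (it is not part of the original guidance) that computes the entropy of an eight-symbol random string against a six- or eight-word passphrase and turns each figure into a rough cracking-time estimate. The 95-symbol printable-ASCII alphabet, the 7,776-word list size (the size of the EFF long diceware list) and the guess rate of ten billion per second are assumptions chosen for illustration; the short word list in the code is constructed for the demo only.

```python
import math
import secrets

# Constructed demo word list. A real generator should draw from a large
# published list (the EFF long diceware list has 7776 words); the bit
# counts below are computed for an assumed list size, not this sample.
DEMO_WORDS = ["correct", "horse", "battery", "staple",
              "orbit", "lantern", "velvet", "granite"]
# Separators a passphrase may use between words (assumed set).
SEPARATORS = ".-_!?\" "


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random choices
    from `alphabet_size` options: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def crack_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find a secret of the given entropy by exhaustive
    guessing at an assumed offline rate (on average half the space is tried)."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 86400)


def compare_strategies(symbol_len: int = 8, alphabet: int = 95,
                       word_counts=(6, 8), wordlist_size: int = 7776) -> dict:
    """Entropy and estimated crack time for a random symbol string versus
    random-word passphrases of the given lengths."""
    bits = {"random_symbols": entropy_bits(alphabet, symbol_len)}
    for n in word_counts:
        bits[f"{n}_words"] = entropy_bits(wordlist_size, n)
    return {name: {"bits": round(b, 1), "years": crack_time_years(b)}
            for name, b in bits.items()}


def generate_passphrase(n_words: int, words=DEMO_WORDS, separator=None) -> str:
    """Pick n_words words with `secrets` (a CSPRNG) and join them with the
    given separator, or with a random separator from SEPARATORS for each gap."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if separator is not None:
        return separator.join(chosen)
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(SEPARATORS) + word
    return out


if __name__ == "__main__":
    for name, v in compare_strategies().items():
        print(f"{name:15s} {v['bits']:6.1f} bits  ~{v['years']:.3g} years at 1e10 guesses/s")
    print("sample:", generate_passphrase(6))
```

The entropy figures only hold when the words are drawn at random by the generator. A phrase a person composes from memory, or one that is already famous (the example above is quoted everywhere), does not get this strength, because guessing tools try known phrases and common word combinations first.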
Use different passwords for different services
Not all websites and applications store passwords securely. If one service is compromised, any other service where you used the same password is also exposed. Using a different password for each service limits the damage to that one service.
A password manager can help with this. It stores your passwords in an encrypted vault so you only need to remember one strong master password. Most operating systems and browsers include one, and there are reputable standalone options available.
Change important passwords regularly
Important passwords — particularly email, banking, and any service that controls access to others — should be changed every month or two. This limits the damage from an unnoticed exposure, for example through phishing, where someone sets up a site that looks like one you use in order to capture your password.
Do not share passwords
Someone you share a password with may save it in their browser or write it down, and you have no control over how well they protect it. If data is later exposed, it can also strain the relationship if you had recently shared the password with that person, even if they were not the cause of the problem.
If multiple people need access to a service, use individual accounts rather than sharing credentials. This also provides an audit trail of who did what.
Use different email addresses for different services
Using a unique email address for each service helps identify sources of spam and adds a further layer of protection. If a service is compromised, you can see which address was exposed and therefore which service leaked it.
Plus-addressing makes this straightforward — you can create variations of your email address on the fly, such as you+shopname@example.com, and they will still arrive in your inbox. See our guide to plus-addressing for details.
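As an added example (not code from this page or its plus-addressing guide), the following Python shows the two halves of the technique: building a plus-address for a service, and later reading the tag back from incoming mail to see which address, and so which service, is receiving mail it should not. The you@example.com mailbox comes from the text above; the sample recipient list is constructed for the demo, and case-insensitive tag matching is an assumption (mail servers differ on local-part case).

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample: the To: addresses of messages that reached one mailbox.
SAMPLE_RECIPIENTS = [
    "you+shopname@example.com",
    "you+bank@example.com",
    "You+ShopName@Example.COM",
    "you@example.com",
    "someone+else@other.example",
]


def split_plus_address(address: str) -> Tuple[str, Optional[str], str]:
    """Split 'base+tag@domain' into (base, tag, domain); tag is None when there
    is no plus part. The domain is lower-cased (domains are case-insensitive);
    the local part is returned as given."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, plus, tag = local.partition("+")
    return base, (tag if plus else None), domain.lower()


def address_for_service(base: str, domain: str, service: str) -> str:
    """Build the plus-address to register with a service, reducing the service
    name to a safe lowercase slug so the tag is easy to read back later."""
    slug = re.sub(r"[^a-z0-9]+", "-", service.lower()).strip("-")
    if not slug:
        raise ValueError("service name yields an empty tag")
    return f"{base}+{slug}@{domain}"


def mail_per_tag(recipients: Iterable[str], base: str = "you",
                 domain: str = "example.com") -> Dict[str, int]:
    """Count incoming mail by tag. A tag that suddenly attracts unexpected mail
    points at the service where that address was exposed. Tags are compared
    case-insensitively here (an assumption; servers may differ)."""
    counts: Dict[str, int] = {}
    for addr in recipients:
        b, tag, d = split_plus_address(addr)
        if b.lower() != base.lower() or d != domain:
            continue  # mail for someone else, or for a different mailbox
        key = tag.lower() if tag else "<untagged>"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(address_for_service("you", "example.com", "Shop Name!"))
    print(mail_per_tag(SAMPLE_RECIPIENTS))
```

Running the block prints the address to give a hypothetical "Shop Name!" service and then the per-tag counts for the sample mailbox; the untagged bucket shows how much mail still reaches the bare address, which is the one you cannot trace.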
Multi-factor authentication
Multi-factor authentication (MFA) adds a second step when logging in — typically a code from an app on your phone, a hardware key, or a text message. Even if your password is compromised, the attacker cannot log in without the second factor.
We strongly recommend enabling MFA on any service that supports it, particularly email, cloud storage, banking, and any administrative or control panel access. Authenticator apps (such as FreeOTP, Aegis, or similar) are preferred over SMS codes, as text messages can be intercepted.
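For readers who want to see what an authenticator app actually computes, here is an added illustration (not code from this page) of the RFC 4226/RFC 6238 one-time codes those apps produce, together with a server-side check that tolerates one step of clock drift and refuses a code that has already been used. The secret and expected codes exercised by the tests are the published RFC test vectors; the six-digit default, 30-second step and one-step window are assumptions that match common practice.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate
    to 31 bits, and keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits, algorithm)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32, often unpadded
    and sometimes grouped with spaces; normalise it before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter (persist it as the new
    last_used_counter) or None. Accepts codes from `window` steps either side
    of now to tolerate clock drift, and never accepts a counter at or below
    the last one used, so a code that was captured cannot be replayed."""
    if at_time is None:
        at_time = time.time()
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = int(at_time) // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code)
    print("accepted counter:", verify_totp(demo_secret, code, at_time=now))
```

The replay check is the part most often missing from home-grown verifiers: a six-digit code is valid for the whole window, so without recording the last accepted counter, anyone who captures a code while it is fresh can reuse it within that window.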
For services we manage, we can configure MFA requirements and advise on the most appropriate approach for your setup.
Create a password policy
If you manage a team or organisation, consider writing a short password policy and sharing it with colleagues, staff, and anyone who accesses your systems. It does not need to be complex — a page covering the points above is a good start.
If you have specific security concerns or require a custom solution, please get in touch.