Don’t pass on the password – 5 things to do to secure your accounts

Passwords are the keys to our devices, social media accounts, online banking and even our online medical accounts. Effectively, they serve the same purpose as the key or fob we use to get into our homes, workplaces and cars.


If you were asked to write down all of your passwords, could you? If your answer is 'Yes, because I use one password for everything', you are not alone: 51% of people use the same passwords for both work and personal accounts. Doing this puts both your personal and your work data at significant risk.


If that one password were exposed in a data breach, criminals would hold the key to all of your accounts: your bank, your social media, your work email and everything discussed in those emails. Attackers routinely take leaked email-and-password pairs from one breach and try them against other services, so a single exposure is enough. Despite this huge risk, 57% of people who have already been caught by a phishing attack still haven't changed their passwords.


How do I use a password securely?

Passwords, when set up and used correctly, are a free, easy and effective way to stop unauthorised users getting into your devices and accounts. The following five tips from the National Cyber Security Centre (NCSC) will help you set up and use passwords securely.


Tip 1: Make sure you switch on password protection

Set a password, PIN, fingerprint or face ID to unlock your device. Make sure that your office equipment (laptops and PCs) uses full-disk encryption that asks for a secret at start-up: BitLocker on Windows, backed by the Trusted Platform Module (TPM) together with a PIN, or FileVault on macOS. The PIN matters: with the TPM alone the disk unlocks automatically at boot, so it is the PIN that stops someone who has taken the laptop from simply switching it on. Most modern devices have encryption built in, but it may still need to be turned on and configured, so check that it has actually been set up.


Tip 2: Use two-factor authentication for all accounts

If you are given the option to use two-factor authentication (also known as 2FA) for any of your accounts, take it; it adds a large amount of security for very little extra effort. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method. This could be a code sent to your smartphone, a code generated by an authenticator app, or a code from a bank's card reader, which you must enter in addition to your password. A criminal who has stolen or guessed your password still cannot get in without that second code.
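To show what "two different methods" means on the service's side, here is an added example (not code from the original article or from the NCSC) of a login check that accepts a user only when both the password and a one-time code are right. It assumes the second factor is a six-digit code from an authenticator app (TOTP, RFC 6238) rather than a text message or card reader. The user record, salt and secret are constructed for illustration; the TOTP secret is the RFC 6238 test key so the generated codes can be compared with the RFC's own table.

```python
"""Two-factor login check: a password plus a time-based one-time code.

Added example, not code from the original article or from the NCSC. Assumes an
authenticator-app style second factor (TOTP, RFC 6238). The user record below is
constructed; the TOTP secret is the RFC 6238 test vector key.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30            # seconds per TOTP time step
DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Constructed user store. In a real system the salt and TOTP secret are generated
# per user with secrets.token_bytes() and kept server-side only.
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery",
                                       b"constructed-salt-value", PBKDF2_ROUNDS),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test vector key
        "last_counter": -1,                      # highest time step already accepted
    }
}


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(key, at // step, digits)


def verify_login(username: str, password: str, code: str,
                 now: Optional[int] = None, window: int = 1) -> bool:
    """Accept only if BOTH the password and the one-time code are valid.

    window: how many time steps of clock drift either side of 'now' to tolerate.
    Each code is accepted at most once (replay protection via last_counter).
    """
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now

    # Factor 1: the password, compared in constant time against the stored hash.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])

    # Factor 2: the code must match a step inside the drift window and be newer than
    # the last accepted step, so a code captured by a phisher cannot be replayed.
    counter = now // STEP
    matched = None
    for c in range(counter - window, counter + window + 1):
        if c > user["last_counter"] and hmac.compare_digest(hotp(user["totp_secret"], c), code):
            matched = c
            break

    # Both factors are always evaluated, so a failure does not reveal which one was wrong.
    if pw_ok and matched is not None:
        user["last_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    key = USERS["alice"]["totp_secret"]
    t = 1111111109                      # a timestamp from the RFC 6238 test table
    good_code = totp(key, t)
    print("code at", t, "=", good_code)
    print("password only :", verify_login("alice", "correct horse battery", "000000", now=t))
    print("code only     :", verify_login("alice", "wrong", good_code, now=t))
    print("both factors  :", verify_login("alice", "correct horse battery", good_code, now=t))
    print("replayed code :", verify_login("alice", "correct horse battery", good_code, now=t))
```

The password alone and the code alone are both rejected; only the pair is accepted, and the same code is refused a second time. The one-step drift window is what keeps a slightly wrong phone clock from locking the user out, and it is why a stolen code is only useful for about a minute.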


Tip 3: Avoid using predictable passwords

Avoid predictable passwords such as dates and family or pet names. Avoid the most common passwords that criminals can easily guess (like 'passw0rd'; swapping letters for look-alike digits does not help, because password-guessing tools try those substitutions automatically). Don't re-use the same password across important accounts. If one of your passwords is stolen, you don't want the criminal to also get access to, for example, your bank account.


Tip 4: Use a password manager

Consider using a password manager: a tool that creates and stores passwords for you, which you unlock with a single 'master' password. Since the master password protects all of your other passwords, make sure it is a strong one, for example by combining three random words.
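The checks in Tip 3 and the "three random words" advice in Tip 4 can both be made concrete in code. Below is an added example (not code from the original article or from the NCSC) that flags the predictable passwords the tips warn about, including leetspeak variants such as 'passw0rd', and generates a three-random-words master password with a cryptographic random source. The common-password list, the sixteen-word dictionary, the minimum-length threshold and the personal details are all constructed for illustration; a real check would use a breached-password list with millions of entries and a word list with thousands.

```python
"""Predictable-password checks and a 'three random words' generator.

Added example, not code from the original article or from the NCSC. The
common-password list, word list, MIN_LENGTH and personal details are constructed
for illustration; real deployments use breached-password lists and large dictionaries.
"""
import math
import re
import secrets
from typing import Dict, List, Optional

# Constructed: a few of the passwords that top every breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Letter-for-symbol swaps that guessing tools try automatically, so 'passw0rd' == 'password'.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed 16-word dictionary. Real word lists have thousands of entries; the
# strength of the result comes entirely from the list size (see entropy_bits).
WORDLIST = ["anchor", "biscuit", "canyon", "dolphin", "ember", "falcon", "garnet", "harbour",
            "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble"]

MIN_LENGTH = 8  # assumed threshold for this example, not a figure from the article


def normalise(pw: str) -> str:
    """Lower-case, drop the trailing digits/punctuation people bolt on, then undo leetspeak."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_predictable(pw: str, personal: Optional[Dict[str, str]] = None) -> List[str]:
    """Return every reason the password is guessable; an empty list means none were found.

    personal: details an attacker could read off social media, e.g. {"pet": "Rex"}.
    """
    reasons = []
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if re.search(r"(19|20)\d\d", pw):
        reasons.append("contains a year")
    for label, value in (personal or {}).items():
        needle = re.sub(r"\W", "", value.lower())
        if len(needle) >= 3 and needle in pw.lower():
            reasons.append(f"contains personal detail '{label}'")
    return reasons


def three_random_words(words: List[str] = WORDLIST, count: int = 3, sep: str = "") -> str:
    """NCSC-style master password: words drawn with a CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int = 3) -> float:
    """Entropy of 'count' words chosen independently from 'list_size' words: count * log2(size)."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    for candidate in ["passw0rd", "P@ssw0rd123", "Rex2019!", "anchor-harbour-kettle"]:
        verdict = is_predictable(candidate, {"pet": "Rex"}) or "no obvious weakness"
        print(f"{candidate!r:25} -> {verdict}")
    print("generated:", three_random_words(sep="-"))
    print(f"16-word list: {entropy_bits(16):.1f} bits; 7776-word list: {entropy_bits(7776):.1f} bits")
```

Two things the code makes visible that the tips only state: the normalise step is why 'passw0rd' and 'P@ssw0rd123' are no safer than 'password', and entropy_bits is why three random words are only strong when drawn from a large list. Three words from this toy sixteen-word list give 12 bits, which a guessing tool exhausts instantly; three words from a 7776-word list give roughly 39 bits, and a password manager can go further still by generating long random strings for every other account.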


Tip 5: Change all default passwords

One of the most common mistakes is not changing the manufacturers' default passwords that smartphones, laptops and other types of equipment are issued with. Change all default passwords before devices are distributed to staff. You should also regularly check devices (and software) specifically to detect unchanged default passwords.


Take the next step to protect yourself and your business

Improve your business’s cyber security with free membership at the Cyber Resilience Centre for the South East.


With this membership, you will receive regular tips and guidance on how to firm up your business’s cyber security. We have already produced checklists for you to follow to help you develop best practices, short and easy to follow videos that highlight how to spot the signs of a phishing attack and many other resources.


Receive your digestible welcome pack when you sign up and start protecting your business today.



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the South East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the South East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the South East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the South East is not responsible for the content of external internet sites that link to this site or which are linked from it.