Passwords are the first barrier between your work data and cybercriminals, yet most of us reuse the same one everywhere. If a single account is breached, attackers immediately try that password on your other accounts, from your mailbox to your business tools. Three simple habits will protect your office logins far more effectively.
1. Long, unique passwords
Make your passwords long and different for every important account, such as your email and social media profiles. The more characters a password has, the harder it is to crack, and you should never reuse the same one across accounts. For your most important accounts, combine a long password with two-factor authentication so that one leaked password is not enough to get in. If you write a password down, keep it locked away rather than on a sticky note.
2. A password manager
Hardly anyone can remember more than a handful of strong passwords — and trying to is a losing battle. The recommended solution is a password manager: it keeps all your accounts and passwords secure, so you only have to remember one strong master password. It also generates completely random passwords for you: just choose the length and character types. According to Safeonweb, storing your passwords in a manager is currently the most secure option, and the free and paid versions are equally safe.
3. Two-factor authentication (2FA/MFA)
Wherever possible, turn on two-factor authentication. On top of your password, a second step is required: a prompt on your phone, a code from an authenticator app, a hardware security key or a passkey. Even if your password leaks, an attacker cannot sign in without that second factor. Prefer prompts or keys; codes sent by text message can be vulnerable to phone-number attacks. Never share a verification code — no legitimate organisation will ask you for one.
Extra safeguards
Generate and safely store a set of backup codes in case you lose your phone, and add recovery details (a recovery email and phone number) so you can regain access if something goes wrong. Only tick 'Don't ask again on this device' on machines you don't share with anyone. And if you ever spot a breach — for example on haveibeenpwned.com — change the affected password immediately, everywhere you used it, and enable 2FA.