Passwords & Passphrases
Your password is the key to your work and, through it, to customer data. Two things make a password safe: make it long and random, and never reuse it anywhere else. A password manager does the hard part for you, so you only ever have to remember one strong passphrase.
Attackers don't usually "guess" passwords one by one. They take huge lists of passwords leaked from other websites and try them against work accounts — which works whenever someone reused the same password. They also try short or common passwords automatically in seconds. Length and uniqueness defeat both.
You are not expected to memorise dozens of strong passwords — that's what the company password manager is for. Remember one strong passphrase to unlock it, and let it generate and store the rest.
Make passwords strong
- Do: Use the company password manager to create and store a long, random, unique password for every account.
- Do: Make the one master passphrase you remember long. Several words picked at random and strung together (e.g. four unrelated words) are both strong and easy to remember; a song lyric or famous quote is not, because attackers try those too.
- Do: Turn on multi-factor authentication wherever it's offered, so a password alone isn't enough to get in (see Multi-Factor Authentication).
- Consider: Let the password manager warn you about reused or breached passwords, and fix them when it does.
- Always: Use a different password for every account, so one leak can never unlock the others.
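The reasoning above (attackers try leaked lists and every short password automatically; a few random words are both strong and memorable) can be checked with arithmetic. The following is an added example, not code from this page or the company's tooling: it generates a passphrase with the operating system's secure random source and compares how long an attacker would need to exhaust several password shapes. The 32-word `SAMPLE_WORDS` list, the 7776-word list size (the EFF long wordlist), and the guess rate of 10 billion per second are assumptions made here for illustration.

```python
import math
import secrets

# Constructed wordlist for the example (an assumption, not a list from the page).
# A real generator should draw from a large published list such as the EFF long
# wordlist (7776 entries); the list size is what decides the strength.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "drizzle", "ember", "fjord", "glacier", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nimbus", "orchid", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yonder",
    "zephyr", "acorn", "bramble", "canyon", "dune", "falcon", "gravel", "hollow",
]
EFF_LONG_WORDLIST_SIZE = 7776  # assumed size of a real wordlist


def entropy_bits(choices, length):
    """Bits of entropy in a secret built from `length` independent, uniformly
    random picks out of `choices` options (words or characters)."""
    return length * math.log2(choices)


def generate_passphrase(words, count=4, separator="-"):
    """Pick `count` words uniformly at random with the OS CSPRNG (`secrets`).
    Never use `random.choice` for secrets: its output is predictable."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every possibility at the given
    rate. On average the search succeeds in half this time."""
    return 2.0 ** bits / guesses_per_second


def strength_table(guesses_per_second=1e10):
    """Compare common password shapes with word-based passphrases.
    The assumed guess rate is in the range of offline cracking of a fast hash;
    a slow, salted hash such as bcrypt cuts it by orders of magnitude."""
    shapes = {
        "8 lowercase letters": (26, 8),
        "8 printable ASCII chars": (95, 8),
        "4 words, 32-word list": (len(SAMPLE_WORDS), 4),
        "4 words, 7776-word list": (EFF_LONG_WORDLIST_SIZE, 4),
        "6 words, 7776-word list": (EFF_LONG_WORDLIST_SIZE, 6),
    }
    rows = {}
    for name, (choices, length) in shapes.items():
        bits = entropy_bits(choices, length)
        rows[name] = (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
    return rows


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for name, (bits, secs) in strength_table().items():
        years = secs / (86400 * 365)
        print(f"{name:26s} {bits:6.1f} bits  {years:.3g} years to exhaust")
```

Two things the numbers show that the text only states: four words from a large list (about 52 bits) match eight fully random printable characters while being far easier to remember, and four words from a tiny list (20 bits) fall in seconds, so the words must come from the generator's large list, not from your own head.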
Keep them safe
- Do: Change a password straight away if you suspect it may have been seen, guessed, or caught up in a breach, and tell IT/security.
- Do not: Write passwords on sticky notes, in a notebook, in a spreadsheet, or in a document on your desktop.
- Do not: Use easy-to-guess passwords: names, birthdays, "Password123", the company name, or anything someone could find on your social media.
- Never: Reuse a work password on a personal site, or a personal password at work.
- Never: Tell anyone your password, or type it in because a message, email, or phone call asked you to.
Ask yourself
- Ask: Is this password used anywhere else, at all?
- Ask: Is it long enough that nobody could guess or crack it quickly?
- Ask: Is it stored in the password manager, not on a note or in a document?