NEVER USE WORK AND PERSONAL EMAIL PASSWORDS FOR ANY OTHER ACCOUNTS
General advice
Any device that contains business related information or can be used to access business related information should be, as a minimum, protected by a strong password. This also means if you use a personal (rather than business) device to access business related information then it must have a strong password, too.
A strong password will be at least 12 characters and contain a combination of upper and lowercase letters and a number. Avoid names, dates and addresses.
Ensure all laptops, desktops, tablets and phones are password protected (on certain devices a PIN, face recognition or fingerprint may be available and should be enabled).
2-step verification is strongly recommended: wherever an account offers it, turn it on.
Ideally, use a unique password for every account.
Storing passwords – password managers
Do NOT store account information in your browser (e.g. Chrome, Edge or any other browser), in a spreadsheet (e.g. Excel) or in a Word (or similar) document. None of these is secure.
DO store all your account information in a reputable password manager, e.g. Bitwarden. It does the heavy lifting for you, so you don’t need to remember all your unique passwords.
Storing passwords – DIY
If you absolutely do not want to use a password manager, even though this is our strong recommendation, then consider using a pattern-based manual system. The downside of a pattern-based manual system is that it is not as secure as a password manager, and if the pattern is observed by others then the security is broken. However, it is resistant to the widely used credential stuffing attacks used by hackers (and you don’t need to remember a password manager master password).
A simple pattern-based system uses the same pattern of letters and numbers for every account, only subtly changing the pattern for each account. The pattern needs a mixture of upper- and lower-case letters, a number, a non-alphanumeric character and no repeating numbers or letters, as this covers virtually all suppliers’ password requirements.
For example, the pattern can be as simple as:
<number><word 1><supplier initials in upper case><word 2><non-alpha character>
For this example, assume the number you will always use is “7”, word 1 is always “peanut”, word 2 is always “frantic”, and the non-alpha character is “@”.
Then your base pattern will always be:
7peanut<supplier initials in upper case>frantic@
For Sainsbury the password would be 7peanutSfrantic@.
And for BT the password would be 7peanutBTfrantic@.
As you can see, the pattern is easy to remember and it’s easy to generate a password for a new supplier. However, if the pattern is recognised as a pattern by another person, then security will be lost, so be sure to keep your passwords hidden from view while you are typing.
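To show the pattern and the stated password requirements concretely, here is an added Python example (not part of the original guidance) that builds the pattern password for a supplier and checks it against the rules above. The fixed parts (“7”, “peanut”, “frantic”, “@”) are taken from the example; reading “no repeating numbers or letters” as “no character immediately repeated” is an assumption.

```python
import string

# Fixed parts of the example pattern from the guidance (assumed constants for this example).
NUMBER = "7"
WORD1 = "peanut"
WORD2 = "frantic"
SYMBOL = "@"


def build_pattern_password(supplier_initials: str) -> str:
    """<number><word 1><supplier initials in upper case><word 2><non-alpha character>."""
    return f"{NUMBER}{WORD1}{supplier_initials.upper()}{WORD2}{SYMBOL}"


def policy_failures(password: str) -> list[str]:
    """Return the rules from the guidance that the password does not meet (empty list = compliant)."""
    failures = []
    if len(password) < 12:
        failures.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no non-alphanumeric character")
    # Assumed reading of "no repeating numbers or letters": no character directly repeated ("aa", "11").
    if any(a == b for a, b in zip(password, password[1:])):
        failures.append("a letter or number is repeated consecutively")
    return failures


if __name__ == "__main__":
    # Supplier initials from the guidance's own examples (Sainsbury, BT).
    for initials in ("S", "BT"):
        pw = build_pattern_password(initials)
        print(initials, pw, policy_failures(pw) or "OK")
    # A constructed weak password: too short and lacks a non-alphanumeric character.
    print("Peanut2024", policy_failures("Peanut2024"))
```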
Initiating the change
In our experience, probably the biggest obstacle to changing your passwords is inertia. Having to store all your passwords in a password manager from scratch is tiresome (even though the better ones, like Bitwarden, will prompt you to save a password when they detect one they aren’t already storing).
One way to overcome this inertia is to:
- Make sure that every new password you create is either stored in your password manager or is created according to your password pattern (as detailed above).
- Over time, make a conscious effort to change an existing password to one that complies with your new storage mechanism every time you come across one that hasn’t yet been updated.
- Change passwords associated with banks and other financial institutions as a priority.
Also, keep an eye on https://haveibeenpwned.com/ as this will tell you if any of your passwords have been exposed.