Passwords for business
Passwords and PINs are used to identify and authenticate you. Sometimes they are the only defence to protect your organisation’s information against unauthorised access.
If a password is captured, guessed or stolen, an attacker can pretend to be you and potentially:
- send emails from your accounts
- withdraw money from your bank accounts
- steal your intellectual property
- access files on your computers.
Tip: Using strong passwords that are hard to guess is important, and using two-factor authentication provides an extra layer of protection for your business.
Do things safely in your business – use strong passwords
When it comes to creating passwords, the longer they are, the stronger they are.
A passphrase is a type of password. It is used to verify access to a computer system, program or service. Passphrases are most effective when they are:
- used with multi-factor authentication
- unique – not a famous phrase or lyric and not re-used
- longer – phrases are generally longer than words
- complex – naturally occurring in a sentence with uppercase, symbols and punctuation.
Do not include the following things in your passwords:
- repeated characters
- single dictionary words, your street address or numeric sequences (such as 1234567)
- personal information
- anything you have previously used.
Important: Don’t share your passwords! They should be a secret known only to you or the people in your organisation who need to know them.
Also be aware that changing passwords frequently can lead to people taking shortcuts, for example just making a small change to remember them. This can lead to weak passwords being created.
Using strong passwords lowers your overall risk of a security breach, but they do not replace the need for other effective security controls, such as installing updates to your operating system and anti-virus software as soon as they’re released.
Use two-factor authentication
Two-factor authentication simply means there are two checks in place to prove your identity. An example is entering a password and then a code is sent to your mobile phone.
Two-factor authentication increases the security of your accounts, because if a criminal captures your password, it is much harder for them to access your accounts if they need a second or even a third factor to authenticate.
If two-factor or multi-factor authentication is available for the systems you use, enable it. You should also consider using two-factor authentication for staff to log into:
- administrator accounts, for example, social media
- remote access to your network.
Two-factor authentication apps
There are also free two-factor authentication apps provided by third parties that you can use instead of having a SMS code sent to your mobile. Do your research and find a solution that is right for you.
Download our step-by-step guides on how to turn on two-factor authentication for:
How to remember complex passwords
Use a password manager
A password manager generates and remembers secure passwords and some also synchronise across devices. This means all you need to do is remember one, strong master password to access it. In addition, many password managers support two-factor authentication to access them.
The downside is that if the password manager or your master password is breached, all your information is accessible.
Important: Using a strong password lowers the risk of a security breach, but strong passwords do not replace the need for other effective security controls. Learn more about doing things safely.
Apply the most secure passwords to the accounts that need the highest protection.
|Password tier||Account risk||Account types||Action|
|Tier 1||High risk account||
||Use unique and complex passwords|
|Tier 2||Low risk accounts||
||Less complex passwords are required|
Protect your passwords
Keep your passwords secure by taking measures to protect them:
- Don't share your passwords with anyone.
- Don't provide your password in response to a phone call or email, regardless of how legitimate it seems.
- Don't provide your password to a website you have accessed by following a link in an email or message – it may be a phishing trap.
- If you don’t trust a website, don’t trust it with your password.
- Don’t use password protected services on a public computer or over a public Wi-Fi hotspot.
Treat PINs in the same way you would a password and don’t use:
- obvious patterns like 1234, 4321 or 7777
- postcodes, birthdays or other significant dates and numbers.
What to do if things go wrong
If you think your password may have been compromised, change it immediately and check for any unauthorised activity on the associated account.
Learn how to protect your business with our Small Business Cyber Security Guide.