Access Management
Control Access to Important Data and Systems
Usernames and passwords are a way of controlling access to important data and computer systems that your business uses. A username and password are associated with an account that gives a person access to some resource, for example email, cloud storage or accounting software.
Best Practice for Passwords
Passwords should be ‘long enough and strong enough’.
A good way of making sure a password is long is to combine at least three or four words in a phrase. Make this phrase strong by choosing words at random, or by composing a phrase that only you would know.
Choose words at random by looking around and picking objects that you see: for example, ‘VanCurtainFloss’. Or come up with a phrase that is easy to remember, but very hard to guess: ‘HolidayInBundoran’.
Passwords should be unique: never reuse a password across accounts, and in particular give your email account its own password, since anyone who controls your email can use ‘forgot password’ links to reset your other accounts.
Don’t share your passwords with anyone. All employees should have separate usernames and passwords for any accounts they need access to.
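The advice above is to pick words at random. The strength of a passphrase built that way can be measured: if each word is drawn uniformly from a list of N words, a k-word passphrase has k × log2(N) bits of entropy against an attacker who knows the list and the method. The following program is an added example, not part of the original page or of any product it mentions. The short word list in it is constructed for the demonstration; a real list would have several thousand entries, and the entropy figures show why that matters for ‘three or four words’ to be enough.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// wordList is a constructed stand-in for a real passphrase word list.
// Real lists (diceware-style lists, for example) contain several thousand
// words; this short one only demonstrates the mechanics, and EntropyBits
// below shows why the size of the list matters as much as the word count.
var wordList = []string{
	"van", "curtain", "floss", "holiday", "anchor", "basket", "copper",
	"dragon", "ember", "falcon", "garden", "hammer", "island", "jacket",
	"kettle", "lantern", "marble", "needle", "orbit", "pepper",
}

// randomIndex returns a uniformly random integer in [0, n) from the
// operating system's CSPRNG. math/rand must not be used here: its output
// is predictable, which would make every "random" passphrase guessable.
func randomIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// GeneratePassphrase draws `words` entries at random (with replacement)
// from list, capitalises each and joins them with sep, e.g. "Van-Curtain-Floss".
func GeneratePassphrase(list []string, words int, sep string) (string, error) {
	parts := make([]string, 0, words)
	for i := 0; i < words; i++ {
		idx, err := randomIndex(len(list))
		if err != nil {
			return "", err
		}
		w := list[idx]
		parts = append(parts, strings.ToUpper(w[:1])+w[1:])
	}
	return strings.Join(parts, sep), nil
}

// EntropyBits is log2(listSize^words): the strength of a passphrase whose
// words were chosen uniformly at random, against an attacker who knows the
// list and the method. Each extra bit doubles the number of guesses needed.
func EntropyBits(listSize, words int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// WordsNeeded is the smallest number of words from a list of listSize that
// reaches minBits of entropy.
func WordsNeeded(listSize int, minBits float64) int {
	return int(math.Ceil(minBits / math.Log2(float64(listSize))))
}

func main() {
	p, err := GeneratePassphrase(wordList, 4, "-")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits from a %d-word list)\n", p, EntropyBits(len(wordList), 4), len(wordList))
	// Four words from a 7776-word diceware list give about 51.7 bits; from
	// this 20-word list, reaching 50 bits takes twelve words.
	fmt.Println("words needed for 50 bits:", WordsNeeded(7776, 50), "vs", WordsNeeded(len(wordList), 50))
}
```

The design point is the source of randomness: a passphrase made by ‘looking around the room’ is only as unpredictable as the room, whereas words drawn with a CSPRNG from a large list have a strength you can state in bits. Four words from a 7776-word list give roughly 52 bits; from a 20-word list they give only about 17.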
Storing Passwords
Some people may find it too hard to remember all the username and password combinations that they need to use.
One solution is to keep a notebook that records all your login details and to update it any time you change a password. This notebook should be kept in a safe place (e.g. a locked drawer) away from your computer, and the same details should not also be kept in an unprotected file on the computer itself.
Others prefer to use a password manager application such as 1Password or Bitwarden. A password manager works like a vault that stores all your login details. It is secured with a master password, which should be long and very hard to guess.
Once you have entered your master password, the password manager automatically fills in your login details when you visit a website. Because the manager matches the website address before filling, it will not offer your real login details to a look-alike phishing site; if the manager unexpectedly refuses to fill in a login, treat that as a warning sign. Usernames and passwords can also be copied and pasted from a password manager.
Multi-factor Authentication (MFA)
Even a strong password can be stolen by a cyber attacker, for example in a phishing attack. The idea behind MFA (sometimes called Two-factor Authentication, or 2FA) is to combine several different ‘factors’ so that a stolen password on its own is not enough to log in. MFA systems typically combine two or more of:
- Something you know (e.g. a password)
- Something you have (e.g. a mobile phone or security key)
- Something you are (e.g. facial recognition or your fingerprint with Windows Hello)
Some MFA systems text a numeric code to your mobile phone when you try to log in with your username and password; you must enter this code at the login screen to gain access. Authenticator apps on your smartphone work in a similar way, except that the app generates a fresh code every 30 seconds from a secret shared with the service when you enrolled, so no text message is needed. Where you are given the choice, prefer an authenticator app or a security key over text messages: SMS codes can be diverted by an attacker who persuades your mobile operator to move your number to their SIM, and both SMS and app codes can be captured by a phishing page that passes them on to the real site straight away. Security keys and passkeys (see below) are not affected by either of these attacks.
Use MFA everywhere it is offered.
Principle of least privilege
Employees should only be given access to those resources which are needed to do their job. For example, unless someone is working in accounts, they shouldn’t be given access to payroll data.
Depending on how your business uses IT, access control can be set up:
- on individual devices
- on cloud-based services
- using shared drives and company-wide access control policies set by your network administrator.
Create and enforce access control policies
It is especially important to have processes in place to handle access control when people are joining or leaving the company. New staff should be given access to any resources needed to do their job (so that they are not forced to use someone else’s login details). When an employee leaves the company, all their accounts should be disabled so that they can no longer access your business data. It is also worth reviewing who has access to what on a regular schedule, since people change roles and tend to accumulate permissions they no longer need.
Consider using public key cryptography (FIDO passkeys, security keys)
Passkeys are an alternative to passwords now offered by many online services such as Google Workspace and MS Office 365. A passkey is a pair of cryptographic keys: the private key stays on your device (or security key) and is unlocked with your fingerprint, face or device PIN, while the service stores only the matching public key. To log in, your device signs a one-time challenge from the service; nothing secret is typed or sent, so there is nothing for a phishing page to capture, and the browser will only use a passkey on the site it was created for, so a look-alike site gets nothing. Passkeys also save you from entering a password for every service you use.
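The following program is an added example, not code from the original page or from the FIDO/WebAuthn specifications, showing why a public-key login is phishing-resistant. It models registration (the device keeps a P-256 private key, the service keeps only the public key), then a login round: the service issues a random challenge, the device signs it together with the site identifier it was registered for, and the service verifies with its own identifier. The message layout is a deliberate simplification of WebAuthn’s authenticatorData || SHA-256(clientData); the site names are hypothetical and the look-alike domain is constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Credential is what the authenticator (phone, laptop or security key) keeps
// after registration: a key pair scoped to exactly one relying-party ID.
// The private key never leaves the device and is never typed anywhere.
type Credential struct {
	RPID string
	priv *ecdsa.PrivateKey
}

// RegisteredKey is all the service stores: the public half and the rpID it
// belongs to. A breach of this table gives the attacker nothing to log in with.
type RegisteredKey struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// Register creates a fresh P-256 key pair for rpID and returns the two halves.
func Register(rpID string) (*Credential, *RegisteredKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Credential{RPID: rpID, priv: priv}, &RegisteredKey{RPID: rpID, Pub: &priv.PublicKey}, nil
}

// NewChallenge is the server's per-login random nonce; it is what stops a
// captured signature from being replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// signedMessage binds a signature to both the challenge and the rpID. This
// is a simplification of WebAuthn's authenticatorData || SHA-256(clientData).
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is the authenticator side. The browser only offers a credential to the
// site it was registered for, so a look-alike domain cannot even ask for it.
func (c *Credential) Sign(requestingRPID string, challenge []byte) ([]byte, error) {
	if requestingRPID != c.RPID {
		return nil, errors.New("no credential registered for " + requestingRPID)
	}
	return ecdsa.SignASN1(rand.Reader, c.priv, signedMessage(c.RPID, challenge))
}

// Verify is the server side: it recomputes the message with its own rpID and
// the challenge it issued, so a signature made for any other site or challenge
// fails even if an attacker somehow obtained one.
func (k *RegisteredKey) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(k.Pub, signedMessage(k.RPID, challenge), sig)
}

// Login runs one authentication round as the browser would see it when the
// page is served from pageRPID (the genuine site, or a phishing copy of it).
func Login(cred *Credential, key *RegisteredKey, pageRPID string) (bool, error) {
	challenge, err := NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := cred.Sign(pageRPID, challenge)
	if err != nil {
		return false, err
	}
	return key.Verify(challenge, sig), nil
}

func main() {
	// Hypothetical relying-party IDs; the look-alike is constructed for the demo.
	cred, key, err := Register("accounts.example.com")
	if err != nil {
		panic(err)
	}
	ok, err := Login(cred, key, "accounts.example.com")
	fmt.Println("genuine site:", ok, err)
	ok, err = Login(cred, key, "accounts-example.com")
	fmt.Println("look-alike site:", ok, err)
}
```

Contrast this with the TOTP flow: a relayed one-time code is accepted by the real site because it carries no information about where the user typed it, whereas here the site identifier is part of what is signed and the device refuses to sign for a site the credential was not created on. Nothing the user could be tricked into entering on the look-alike page is of any use to its operator.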