Tip 3: Good passwords (or passkeys)
27th June 2025
Password guidance has changed many times over the years, and will continue to evolve, but there are some easy things you can do to improve your password hygiene.
Use different passwords for different sites and accounts
We know from past attacks that attackers will take lists of passwords you've used at one location and try them elsewhere. By having different passwords on different sites, even if your username is the same, an attacker can't just re-use a known password.
Use longer passwords, for example passwords made up of three or four words
The longer a password is, the harder it is for a computer to brute force. If you need to remember and type in a password, three or four words are easy for you to remember and type but also provide length.
Ideally, use a password manager
Password managers store passwords for you, entering them automatically on the correct website. These tools can generate strong passwords, either using random characters or combinations of words. Importantly, the chance of using a duplicate password is massively reduced.
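The three tips above, as an added Python example that is not part of the original post: it generates both kinds of password a manager offers, measures how much each extra word or character adds, and flags reuse across sites. The word list, function names and sample vault are constructed for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed 16-word sample list (assumption). Far too small for real use:
# real generators draw from thousands of words (diceware-style lists have 7776).
SAMPLE_WORDS = ["anchor", "biscuit", "cobalt", "dynamo", "ember", "falcon",
                "glacier", "harbor", "indigo", "jigsaw", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pebble"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)


def random_password(length: int = 16) -> str:
    """Random-character password from the OS CSPRNG (not the `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words: list[str], count: int = 4, sep: str = "-") -> str:
    """Word-based password; the words must be picked by the machine, not by you."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would make the entropy estimate wrong")
    return sep.join(secrets.choice(words) for _ in range(count))


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the sites sharing it."""
    sites = defaultdict(list)
    for site, password in vault.items():
        sites[password].append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}


if __name__ == "__main__":
    for label, bits in [("8 random characters", entropy_bits(len(ALPHABET), 8)),
                        ("3 words of 7776", entropy_bits(7776, 3)),
                        ("4 words of 7776", entropy_bits(7776, 4)),
                        ("16 random characters", entropy_bits(len(ALPHABET), 16))]:
        print(f"{label:22} {bits:6.1f} bits, ~{2 ** (bits - 1):.2e} guesses on average")
    print(passphrase(SAMPLE_WORDS), random_password())
    # Constructed vault: one password shared across two sites.
    print(reused_passwords({"mail": "a", "bank": "b", "forum": "a"}))
```

With machine-picked words from a 7776-word list, each extra word adds about 12.9 bits, so four words land close to eight random characters.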
What about passkeys?
Modern techniques like passkeys are becoming more common. Passkeys are phishing resistant, which prevents an attacker from taking your username and password and logging into your accounts. To use a passkey you'll need a tool or device that supports them, something that's increasingly common, with Android, iPhone / iPad, macOS, Windows, hardware security keys, and some password managers offering this capability. Before you can log in with the passkey, your device will ask you to authenticate to it with biometrics (fingerprint, face ID) or another form of MFA. Once you've implemented passkeys you may even be able to remove your password entirely (just make sure you still have a way to log in to your account!).
Follow good password hygiene practices, ideally using a password manager, to help protect your accounts. Also, use multi-factor authentication wherever possible to add an extra layer of protection.
This blog post was originally published on LinkedIn and on Jonathan's personal blog on 27th June 2025.