Tip 3: Good passwords (or passkeys)

Password guidance has changed many times over the years, and will continue to evolve, but there are some easy things you can do to improve your password hygiene.
📑 Use different passwords for different sites and accounts
We know from past attacks that attackers will take lists of passwords you've used at one location and try them elsewhere. By having different passwords on different sites, even if your username is the same, an attacker can't just re-use a known password.
📏 Use longer passwords, for example passwords made up of three or four words
The longer a password is, the harder it is for a computer to brute force [1]. If you need to remember and type in a password, three or four words are easy for you to remember and type but also provide length.
🔐 Ideally, use a password manager
Password managers store passwords for you, entering them automatically on the correct website. These tools can generate strong passwords, either using random characters or combinations of words. Importantly, the chance of using a duplicate password is massively reduced.
What about passkeys?
Modern techniques like passkeys are becoming more common. Passkeys are phishing resistant, which prevents an attacker from taking your username and password and logging in to your accounts. To use a passkey you'll need a tool or device that supports them - something that's increasingly common, with Android, iPhone / iPad, macOS, Windows, hardware security keys, and some password managers offering this capability. Before you can log in with the passkey, your device will ask you to authenticate to it with biometrics (fingerprint, face ID) or another form of MFA. Once you've implemented passkeys you may even be able to remove your password entirely (just make sure you still have a way to log in to your account!).
Follow good password hygiene practices, ideally using a password manager, to help protect your accounts. Also, use Multi-Factor Authentication (MFA) [2] wherever possible to add an extra layer of protection.
Banner image: Generated by Google Gemini from the prompt "Generate a new banner image. There should be a dark background with a network of nodes overlaid. A shield and a padlock should be on the right, on top of the nodes. On the left should be the text "Security tips for your organisation". That exact text should be used. Make the network nodes have a green and blue gradient."
[1] - Brute forcing passwords can be a big topic, so I might cover it in a future post unrelated to this series.
[2] - Not all systems allow you to use MFA when using passkeys, as you've already passed biometrics or other MFA to allow the passkey to be used.
This post was also shared via LinkedIn as a post from my company, Jonco IT & Security Ltd.