Best practices for Secure Passwords

Strong passwords

Most of the systems you use rely on a password to control access, so it is essential that those passwords are strong. Systems typically have rules about how complex, i.e. how strong, a password must be. If your firm can customise those rules, make sure they require strong passwords. We recommend the following password rules:

  1. minimum length of 12 characters
  2. mix of lowercase, uppercase, numbers and symbols
  3. do not use a word that can be found in a dictionary or the name of a person, character, product, or organisation
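The three rules above, implemented as a policy check that a system could run when a user chooses a new password. This is an added example, not code from the original article; the blocklist is a constructed stand-in for a real dictionary and name list, and the check takes a strict reading of rule 3: a password that merely contains a blocklisted word (after undoing common substitutions such as 0 for o) is rejected, because attackers' wordlists already account for those substitutions.

```python
import re
import string

# Constructed sample blocklist (assumption): a real deployment would load a
# dictionary plus names of people, characters, products and organisations.
BLOCKLIST = {"password", "welcome", "letmein", "acme", "alice", "summer"}

MIN_LENGTH = 12

# Common letter substitutions undone before the dictionary check, so that
# "P@ssw0rd" is compared as "password".
SUBSTITUTIONS = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"}
)


def normalise(password: str) -> str:
    """Lowercase, undo substitutions and keep only letters for the blocklist check."""
    folded = password.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", folded)


def check_password(password: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []

    # Rule 1: minimum length.
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 2: all four character classes must be present.
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "numbers": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("missing " + ", ".join(missing))

    # Rule 3: no dictionary word or name, even disguised with digits/symbols.
    core = normalise(password)
    hits = [w for w in blocklist if len(w) >= 4 and w in core]
    if hits:
        failures.append("contains blocklisted word(s): " + ", ".join(sorted(hits)))

    return failures


if __name__ == "__main__":
    for candidate in ["Vivid-Kettle_Orbit_7731", "P@ssw0rd2024!", "Ab1!"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Returning the full list of failed rules, rather than stopping at the first one, lets the sign-up form tell the user everything they need to change in one go.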

Additionally, stick to these best practices:

  1. Never share a password, not even with a colleague, friend or family member
  2. Never send a username and password combination by email, instant message, or any other means of communication
  3. Use a unique password for each system, application or website
  4. Use a password manager. The best password managers store your passwords securely, automatically generate strong passwords, alert you to update a password (e.g. when a service you use has been breached) and offer many more security-related features
  5. Change passwords immediately on accounts you suspect may have been compromised
  6. Enable multifactor authentication (MFA) whenever available.

Two-factor authentication

In addition to a password, most modern systems also allow you to set up a second factor (2FA) to further secure your account. 2FA requires a second type of credential to sign in to an account, e.g. a one-time code either generated by an authenticator app or sent to you by SMS. This adds another layer of security in case someone guesses or steals your password. If the 2FA option is available to you, be sure to switch it on.

Regular review

Update your passwords regularly, so any logins exposed as part of a hack are rendered useless. Do not hesitate to consider an alternative product or service if you have doubts about the reputation of the one you use. In any case, most software is updated regularly, so review the systems you use at least yearly so you can tighten your password rules and 2FA settings where possible.


For more GDPR-related information, see our GDPR Knowledge Base on Data Security or our post on GDPR Compliance checklist for the SME.
