The Top 10 Password Dos and Don’ts
Password Security: Essential Protection for Your Business in 2026
With cyber-attacks continuing to target New Zealand businesses at an alarming rate, password security remains your first line of defence against digital threats. Recent data shows that over 70% of cyber incidents now target small to medium enterprises, making robust password practices more critical than ever for protecting your business data.
Our team has compiled this essential guide to password best practices that should form the cornerstone of your organisation’s cybersecurity policy. These recommendations are particularly important for law firms, NGOs, health organisations, and government agencies handling sensitive information.
Password Security DO’s:
1. Create strong, unique passwords
Use passwords of at least 12-16 characters. Length matters more than forced variety: a passphrase of four or more words chosen at random (by a password manager or dice, not picked by you) is both strong and memorable. Where a site insists on uppercase letters, numbers and symbols, add them, but do not shorten the password to make room for them.
2. Enable multi-factor authentication (MFA)
Turn on MFA wherever possible. Authenticator apps and hardware security keys provide much stronger protection than SMS codes, which can be intercepted through SIM swapping. Hardware keys and passkeys (FIDO2) also resist phishing, because the credential is bound to the genuine site and will not work on a look-alike domain.
3. Use a reputable password manager
Tools like Bitwarden, 1Password, or LastPass can generate and securely store a unique, random password for every account, so the only password you need to remember is the master password. Make that one a long passphrase and protect the manager itself with MFA.
4. Keep software updated
Ensure your password manager and all security software receive regular updates to protect against the latest threats.
5. Verify website authenticity
Always check URLs carefully, especially when accessing banking, legal, or health platforms. Bookmark important sites and access them directly rather than clicking links in emails. A password manager helps here too: it only offers to fill a saved password on the exact domain it was saved for, so a manager that stays silent on a login page is a warning sign.
Password Security DON’Ts:
6. Don’t reuse passwords
Never use the same password across multiple accounts. When one service is breached, attackers replay the leaked email and password pairs against every other popular service (credential stuffing), so a single reused password can compromise all of your accounts.
7. Don’t use personal information
Avoid using names, birthdates, addresses, phone numbers, or any information that could be found on social media or public records.
8. Don’t rely on simple substitutions
Replacing letters with numbers or symbols (like "P@ssw0rd") doesn't create a strong password. Cracking tools apply rule sets that try exactly these substitutions, along with appended years and punctuation, against dictionary words, so such passwords fall almost immediately.
9. Don’t store passwords in browsers
While convenient, browser password storage is unlocked whenever you are logged in to your computer, so malware or anyone with access to your unlocked device can export every saved password. A dedicated password manager has its own master password, locks itself after a period of inactivity, and supports MFA.
10. Don’t ignore security alerts
Take breach notifications seriously. When a service reports a security incident, change that password immediately, change it anywhere else you used the same password, and review the account for unfamiliar logins or recovery settings.
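The two technical points above, that a passphrase of randomly chosen words is strong and that "P@ssw0rd"-style substitutions are not, come down to the same arithmetic. The following Python script is an added example written for this guide, not code from Resolve Technology: it generates a passphrase with the operating system's cryptographic random source, computes the entropy of passphrases and character passwords from the size of the pool they are drawn from, and shows how a cracker's "leet" rule undoes simple substitutions. The short wordlist and the list of common base words are constructed for the example; a real generator would load a published list such as the EFF long wordlist (7776 words).

```python
import itertools
import math
import re
import secrets

# Constructed sample wordlist (assumption of this example). It is far too
# small for real use; it only shows the mechanics. Entropy figures below
# are computed from the real EFF list size of 7776 for comparison.
SAMPLE_WORDLIST = [
    "acorn", "basket", "canyon", "drizzle", "ember", "falcon", "glacier", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def generate_passphrase(words, count=4, separator="-"):
    """Join `count` words chosen uniformly at random from `words`.

    secrets.choice uses the OS CSPRNG (random.choice is not suitable for
    secrets). Repeats are allowed so every pick is independent, which is
    exactly what the entropy formula below assumes.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    if len(words) < 2:
        raise ValueError("wordlist must contain at least two words")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of `word_count` independent uniform picks from `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def char_password_entropy_bits(alphabet_size, length):
    """Entropy of a password of `length` characters drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


# Substitutions that cracking rule sets try in reverse. Ambiguous symbols
# map to several letters; every combination is tried, as a cracker would.
LEET_ALTERNATIVES = {
    "@": "a", "4": "a", "3": "e", "1": "il", "!": "il",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}

# Constructed stand-in for a cracking dictionary of common base words.
COMMON_BASE_WORDS = frozenset({
    "password", "welcome", "letmein", "qwerty", "admin", "summer", "monkey",
})


def leet_candidates(password, max_candidates=256):
    """Return the plain words a password could be a substitution of.

    Both the password as typed and the password with a trailing run of
    digits/symbols removed are expanded, which catches "P@ssw0rd2024!".
    """
    forms = {password, re.sub(r"[^A-Za-z]+$", "", password)}
    candidates = set()
    for form in forms:
        pools = [LEET_ALTERNATIVES.get(ch, ch) for ch in form.lower()]
        for combo in itertools.islice(itertools.product(*pools), max_candidates):
            candidates.add("".join(combo))
    return candidates


def is_simple_substitution(password, base_words=COMMON_BASE_WORDS):
    """True if undoing leet substitutions yields a common dictionary word."""
    return any(candidate in base_words for candidate in leet_candidates(password))


if __name__ == "__main__":
    print("generated:", generate_passphrase(SAMPLE_WORDLIST))
    print("4 words from 7776: %.1f bits" % passphrase_entropy_bits(7776, 4))
    print("6 words from 7776: %.1f bits" % passphrase_entropy_bits(7776, 6))
    print("8 random printable chars: %.1f bits" % char_password_entropy_bits(94, 8))
    for pw in ("P@ssw0rd", "P@ssw0rd2024!", "L3tM31n", "acorn-glacier-nectar-kettle"):
        print(pw, "-> simple substitution:", is_simple_substitution(pw))
```

The entropy of a four-word passphrase from the EFF list is about 51.7 bits, roughly the same as eight truly random printable characters, and each extra word adds another 12.9 bits; six words comfortably exceeds a random 12-character password. Note that the formula only holds when the words are picked by the generator. Words you choose yourself, or a famous phrase, come from a far smaller effective pool and get no credit for length.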
Additional Security Considerations:
- Implement endpoint detection and response (EDR) solutions alongside traditional antivirus software
- Be cautious with public Wi-Fi networks – use a reputable VPN service when working remotely
- Regularly audit user access permissions and remove accounts for former employees
- Consider implementing single sign-on (SSO) solutions to reduce password fatigue while maintaining security
- Train staff to recognise phishing attempts and social engineering tactics
Strong password practices are fundamental to protecting your organisation’s sensitive data and maintaining client trust. If you’re concerned about your current password security or need help implementing these best practices across your organisation, contact our team for expert guidance tailored to your industry’s specific requirements.
Simon Falconer
Director, Resolve Technology
When he’s not finding a reason to buy the latest gadget, Simon is probably setting it up, breaking it, and fixing it again — all before breakfast.
Need help with this?
Resolve Technology can help. Learn more about our Cyber Security Services, or get in touch to discuss your needs.
