Using passwords to protect your data

Use this page to make sure you're getting the most out of using passwords.

Your charity’s laptops, computers, tablets and smartphones contain important and sensitive data. This could be personal information about your beneficiaries to details of your online accounts. This data must be available to you, but not available to unauthorised users.

Passwords are free, easy and effective. They prevent unauthorised users from accessing your devices. But there's a lot of confusing advice around. So stick to these principles that we learned from the National Cyber Security Centre.

Set a screen lock password, PIN, fingerprint or face unlock on your mobile devices.

Password protection is not just for smartphones and tablets. Make sure your laptops and computers are password protected as well.

You should also make sure to encrypt your computers. This is different from adding password protection. Most modern devices have encryption built in. Check to make sure it’s turned on and set up properly (configured). Follow the guidelines from your operating system (such as Windows).

Use two-factor authentication (also known as 2FA) for any of your accounts if you have the option. It adds a large amount of security for not much extra effort. Two-factor authentication requires two different methods to 'prove' your identity. Generally, this is a password plus one other method. For example, a code sent to your smartphone that you must enter as well as your password.

Strong passwords help to protect your charity’s valuable data. Make sure you tell trustees, staff and volunteers how to set secure passwords. Passwords should be easy to remember, but hard for somebody else to guess.

• A good rule is to use three or four random words to create a strong password.
• Use numbers and symbols if needed, for example 3redhousemonkeys27.
• Avoid using the most common passwords, which criminals can easily guess (such as P4$$w0rd or QWERTY).
• Never use personal details for your password, such as family names, addresses etc.

Your charity’s IT systems must generate a unique password for each user. The systems must not need trustees, volunteers or staff to share accounts or passwords.

• Make sure that every user has personal access to the right systems.
• Give people the least access needed to do their job. Don’t give them permissions for systems they don’t need to use. This will lower the risk of wider damage if a user downloads malicious software (like a virus).

• Only enforce password access to a piece of software or system if you really need to.
• Do not enforce regular password changes. Passwords only need to change when you suspect that someone might know the details (a compromise of the login credentials).
• Provide a place where people can write down passwords for important accounts. This secure storage will keep passwords safe. Make sure people don’t use the same storage for the device itself.
• Make sure everyone can reset their own passwords as people will forget passwords.
• Consider using password managers. These are tools that can create and store passwords for you that you access via a 'master' password. This way people only have to remember one strong password.

Change all default passwords before distributing devices within your charity. Manufacturers set default passwords on equipment like smartphones and laptops. People often forget to change them.

• Is your Windows computer encrypted? Find out how to be sure. Follow Microsoft’s step-by-step instructions. You can do the same for your Apple computer using their FileVault product. Read Apple’s guide on how to use FileVault.
• Working on a password policy for your organisation? Or want to find out how to choose a password manager to recommend? Try the National Cyber Security Centre’s passwords resource collection.