Password Best Practice

We strongly recommend the following:

  • Passwords should not be shared with anyone – if they have to be shared (for example, we may need to know a password to provide remote support), they should be changed as soon as possible afterwards. As we move towards GDPR’s May start date, sharing passwords would be considered a compliance failure, so this is really good practice
  • Passwords should be at least eight characters (and preferably at least 11 or 12)
  • Passwords should contain three of the following four character types:
    • Upper case letters
    • Lower case letters
    • Numbers
    • Special characters – eg !£$^&() etc
  • Passwords should not be re-used within the last ten passwords
  • Passwords should be unique to each logon – for example, the same password should not be used for logging on to the PC as logging on to Sage Online
  • Passwords should be set to expire regularly but not frequently – every 6-12 months is okay, especially for an 11-12 character password
  • Passwords should not use dictionary words or personal information (eg date of birth, daughter’s name etc)
  • Passwords should not be written down
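As an added example (not part of the original guidance), the following Python checker enforces the rules above: minimum length, three of the four character types, no dictionary words or personal information, and no reuse within the last ten passwords. The word lists and PBKDF2 round count are constructed sample values; previous passwords are compared via salted hashes rather than stored in clear text.

```python
import hashlib
import hmac
import os

# Thresholds from the guidance above (12 is the top of the suggested 11-12 range).
MIN_LENGTH, PREFERRED_LENGTH, HISTORY_DEPTH = 8, 12, 10
PBKDF2_ROUNDS = 50_000  # kept modest for the example; production should use more

# Constructed sample word lists: a real check would load a full dictionary and
# the user's own details (name, date of birth, family names).
DICTIONARY = {"password", "welcome", "winter", "summer"}
PERSONAL_INFO = {"alice", "1979"}
# Undo the letter substitutions used in the examples above, so "W1nt3r" is still "winter".
LEET = str.maketrans({"3": "e", "4": "a", "0": "o", "!": "i", "£": "e", "$": "s"})

def char_classes(pw):
    """Return which of the four character types the password contains."""
    return {"upper" if c.isupper() else "lower" if c.islower() else
            "number" if c.isdigit() else "special" for c in pw}

def history_entry(pw):
    """Store a previous password as a salted PBKDF2 digest, never in clear text."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def is_reused(pw, history):
    """True if pw matches any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False

def check_password(pw, history=()):
    """Return (errors, warnings) for pw against the rules listed above."""
    errors, warnings = [], []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < PREFERRED_LENGTH:
        warnings.append(f"shorter than the preferred {PREFERRED_LENGTH} characters")
    if len(char_classes(pw)) < 3:
        errors.append("needs three of: upper case, lower case, numbers, special characters")
    forms = {pw.lower(), pw.lower().translate(LEET)}
    for word in sorted(DICTIONARY | PERSONAL_INFO):
        if any(word in form for form in forms):
            errors.append(f"contains dictionary word or personal information: {word}")
    if is_reused(pw, history):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return errors, warnings
```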

Password management can be hard work, and this can lead to poor practices – it’s commonly understood that most people lose track of a password with more than 10 characters, so we have a few suggestions to help:

  • Use a phrase – for example H3lpM3Ob!W4nK3n0b! (HelpMeObiWanKenobi)
  • Use a password management tool like LastPass or KeePass – we’d suggest these need to be approved by the business before use, and that they are implemented in a manner the business can support/administer. We use a service provider product called Passportal Occular that we’d recommend and can provide – it has many business-level features, and in particular it’s very good at identifying password issues when staff leave!
  • Use a password coding scheme that allows you to note down an encoded version of a password/passphrase (see below for an example)

Password Coding Scheme

The intention of this system is to allow users to manage large numbers of credentials. It requires a number of “base” passphrases to be selected and then uses a short coding scheme to identify the format of the passphrase – this code can be written down somewhere safe but accessible, and separately from the list of passphrases!

For example the following strong passphrases could be chosen:

  • A1# could be Ob!W4nK3n0b!
    where capital A means the password uses upper case letters, the 1 means it includes numbers and the # means it includes special characters.
  • B1# could be B4nkOfM0ntr£al$
  • B2# could be G0dS4v3Th3Qu££n

Variations of those base passphrases are then written as follows:

  • A1 would be ObiW4nKen0bi (password A1, with capitals and numbers but no special characters)
  • A would be ObiWanKenobi
  • a would be obiwankenobi
  • a# would be ob!wankenob!
  • b1 would be b4nkofm0ntreal
  • B# would be BankOfMontr£al$
  • B2 would be G0dS4v3Th3Queen
  • etc

As a starting point this scheme allows for 26 letters and 9 (or 10 if you use zero) numbers, so a total of 234 base passphrases, each with 8 possible variations (upper or lower case, with or without numbers, with or without special characters), so a total of nearly 1900 possible passwords.

If more than 1900 passwords are required, then simply expand the base passphrase list by making the code two letters, i.e. AA, AB, AC, BA, BB, BC etc, and that should take you up to nearly 70,000 passwords!