Key points:

Use a unique email address, and a unique password, for every site and service

Whenever you sign up with a new site or service, use a unique email address, and a unique password.

The reason you do this is that, if a site's database is compromised, and someone obtains your username and password, and tries to log into other sites with them (something known as “credential stuffing”), they will not get access to your accounts on those other sites.

Unique email address

Email catch-all

If you run or rent your own email server, you should be able to enable something called “catchall” on your domain. This means that any email sent to any account name on your domain gets delivered to you.

The benefit is that you can give a site any email address you like, and you will receive email sent to it without needing to do anything.

The downside is that you are likely to get more spam, as any email sent to any account name is delivered to you.


You can use a “plus” sign after your username, and then any text you want, to create a unique email address.

For example, if your email address is, you could use to create a unique email address to give to Facebook.

You will still receive any email sent to that address at your normal account.



Unique password

Use a password manager to generate a unique password for your new account.

Password managers usually let you set the format of your password. For example, you might set it to follow the NCSC's guidance to use three random words as a password. However, some sites still have outdated or just strange password requirements, requiring you to add special characters, a mix of upper and lowercase characters, and numbers. For those sites, you'll probably need to amend your automatically-generated password to fit the site's requirements.

Paste the password you have generated from your password manager into a text document, then make the changes to meet the site's password requirements, and paste the resulting password into the site. That way, if you need to make further changes (perhaps the site's requirements are vague), you can do so easily. Once your password is accepted, paste it into your password manager.

(Yes, you will find sites which, in the mistaken belief it adds to security, have disabled the ability to paste passwords. Consider if you really need to do business with a site which is actively working against you securing yourself.)

Use a strong password

Every password you use needs to be hard to guess. Some guidance suggests taking a word and mixing in letters and symbols, but the National Cyber Security Centre's guidance is to use three random words.

For example:


If you use a password manager, you do not need to remember the password, and you can probably cut-and-paste it into the site or service, meaning it does not matter how long it is, or if it contains a complicated spelling.
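An added example, not part of the original page or of any particular password manager: generating a three-random-word password and then amending it only as far as a site's composition rules demand, as described above. The word list is a small constructed sample, and the function names, separator and symbol set are assumptions.

```python
import math
import secrets
import string

# Constructed sample list for illustration only; a real generator should draw
# from a list of several thousand words.
WORDS = ["anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
         "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pebble"]

def three_random_words(words=WORDS, count=3, sep="-"):
    """Pick words with a CSPRNG (secrets), never the random module."""
    return sep.join(secrets.choice(words) for _ in range(count))

def entropy_bits(list_size, count=3):
    """Guessing entropy when each word is drawn uniformly from the list."""
    return count * math.log2(list_size)

def amend_for_site(password, need_upper=True, need_digit=True,
                   need_symbol=True, symbols="!#$%&*"):
    """Add only the character classes the site demands and the password lacks."""
    if need_upper and not any(c.isupper() for c in password):
        password = password[0].upper() + password[1:]
    if need_digit and not any(c.isdigit() for c in password):
        password += secrets.choice(string.digits)
    if need_symbol and not any(c in symbols for c in password):
        password += secrets.choice(symbols)
    return password

if __name__ == "__main__":
    base = three_random_words()
    print(base, "->", amend_for_site(base))
    # The strength comes from the size of the list, not from the appended characters.
    print("16-word sample list:", entropy_bits(len(WORDS)), "bits")
    print("7776-word list:", round(entropy_bits(7776), 1), "bits")
```
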

For mobile devices with a PIN, use a non-obvious PIN

If you have a mobile device with a PIN rather than a password, do not use an obvious PIN.


  • your birthday
  • your child's birthday
  • your wedding day
  • number patterns (e.g. 000000, 123456, 134679)

Use a password manager

A password manager is a piece of software which you use to store your passwords, and unique logins, so that you do not have to worry about remembering them. You store all your passwords in it, and secure it with one master password.

When you need to log into a website or service, you unlock your password manager with your master password, and then either cut-and-paste your login from it, or else use a browser plugin so that your details are pasted in automatically.

It may seem counterintuitive to write down all your passwords in one piece of software, but the National Cyber Security Centre's guidance is that the benefits outweigh the risks.

There are a number of different options to choose from, depending on what features you want:

If your password manager is cloud-based, assess their security model

If you are going to store all your passwords in the cloud, make sure that the security the provider is offering matches the risk.

If you lose your master password, you will be locked out

Be aware that, if you lose your master password, you are likely to be locked out of all your passwords. If you are concerned about that, you could store a copy of your master password somewhere secure, but you'd need to be very confident about the security of that storage location: if someone gets your master password, and access to your password manager, they could get all your passwords.

Do not change your passwords without reason

Advice used to be that you should change your passwords frequently.

This is no longer considered good practice. For example, the Information Commissioner's Office's guidance says:

“You should only set password expirations if they are absolutely necessary for your particular circumstances. Regular expiry often causes people to change a single strong password for a series of weak passwords. As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.”

Change your password if you think it is compromised

If you think your password to an online account has been compromised, change it promptly.

Sites should tell you if they have been compromised, but not everyone is honest and transparent.

The website HaveIBeenPwned contains usernames and passwords from many known site breaches, and you can check there to see if your particular email address has been compromised.

This is trickier to do if you use a unique address for every account but, if you've done that and also used a unique password, the fact that one has been compromised does not expose you to much risk.

Consider if biometric security is right for you

Fingerprint / face recognition / biometric unlock

Fingerprint or facial recognition unlocking can be convenient, fast, and not something which can be detected by just looking over your shoulder as you enter it into the phone.

Before using facial recognition, assess whether it can be fooled by the use of a photograph or video or mask.

In some jurisdictions, it appears that one cannot be forced to disclose a password, but can be asked to place a finger on a device to unlock it. If in doubt, you might consider disabling fingerprint unlock for the duration of a trip into such a country.

Depending on the outcome of your threat modelling, you may decide that the convenience is an acceptable compromise.

You cannot change your face or fingerprints

You should use a different username and password for every account or service you use.

Clearly, you cannot do this for biometrics (well, not beyond 10, in the case of most people, when it comes to finger/thumb prints).

Moreover, you cannot realistically change your face, if an insecure storage of biometric credentials is compromised.

Disable them in higher-risk situations

You might also decide to use these unlock mechanisms most of the time, but disable them for certain activities (e.g. for travelling across borders).

If you have an iPhone with biometric unlock enabled, pressing your device's power button repeatedly in quick succession will temporarily disable biometric unlock and require you to enter your passcode.

Swipe patterns

Even with the Android swipe pattern unlock mechanism, it is pretty easy to watch someone do a basic pattern once and replicate it — so you need to go for something pretty complicated, coupled with shielding your phone when you enter your passcode.

Swiping may also leave a greasy mark on your screen, which someone could use to determine the pattern you are using.

In addition, a swipe pattern could be readily compromised if you are observed by nearby security cameras.

Wherever possible, set up two-factor authentication

Limit the locations from which you can log in

If you can feasibly do so, restrict logins so that you can only log in from certain networks or IP address ranges.

If, for example, you always connect via a VPN, you could restrict logins to the IP address ranges used by your VPN.

Someone who is not connected via the same network should not be able to log in, even if they know your username and password. If, however, the attacker is someone within your organisation, and has access to the same networks / IP address ranges, this control is likely to be ineffective.

If you do this, you need to accept the risk that, if you cannot connect to your VPN, or if your VPN endpoint's IP address ranges change, you will not be able to log in.
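An added example, not part of the original page: a source-address allowlist check run over constructed login attempts. It shows the cases described above: a stolen password used from elsewhere is refused, a colleague on the same ranges is not, and the owner is locked out once the VPN's ranges change. The address ranges (documentation ranges), function names and attempts are assumptions.

```python
import ipaddress

# Assumed allowlist: documentation ranges standing in for a VPN's address ranges.
ALLOWED_RANGES = [ipaddress.ip_network(n)
                  for n in ("203.0.113.0/24", "2001:db8:10::/48")]

def login_permitted(source_ip, password_ok, allowed=ALLOWED_RANGES):
    """Return (permitted, reason); the network check comes before credentials."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    # Dual-stack listeners may report IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not any(addr in net for net in allowed):
        return False, "source outside allowlist"
    if not password_ok:
        return False, "bad credentials"
    return True, "ok"

# Constructed login attempts: (description, source address, password correct?)
ATTEMPTS = [
    ("owner via VPN", "203.0.113.25", True),
    ("owner via VPN, IPv4-mapped form", "::ffff:203.0.113.25", True),
    ("stolen password used from elsewhere", "198.51.100.77", True),
    ("colleague on the same VPN with the password", "203.0.113.40", True),
    ("owner after the VPN's ranges changed", "192.0.2.14", True),
]

def evaluate(attempts=ATTEMPTS):
    """Apply the check to each attempt, keeping the description alongside."""
    return [(who, *login_permitted(ip, ok)) for who, ip, ok in attempts]

if __name__ == "__main__":
    for who, permitted, reason in evaluate():
        print(f"{'ALLOW' if permitted else 'DENY ':5}  {who}: {reason}")
```
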

passwords.txt · Last modified: 2021/07/06 09:26 by