Passwords, Access & Your Device
The basics that stop most breaches — don't share passwords, lock your screen, and keep admin rights minimal.
What you'll learn
- Use passwords and MFA the right way
- Lock your computer every time you step away
- Understand least-privilege and temporary admin
Most security incidents don’t start with a master hacker breaking through a firewall. They start with something small and human: a password shared “just this once,” a laptop left unlocked while you grab a coffee, or admin rights that someone was given years ago and never had taken away. The good news is that the same everyday habits that prevent these slip-ups are simple, quick, and entirely within your control. Master a handful of them and you close the door on the majority of problems.
Lock your screen every time you walk away — even "just for a minute."
The habits that matter most
Your password is the front-door key to everything you touch at work, so treat it like one. The single biggest upgrade you can make is to use a password manager. It generates long, random passwords, remembers them for you, and fills them in automatically — which means you no longer need to reuse the same password across sites or keep them on a sticky note under the keyboard. Reuse is the real danger: if one site you use gets breached, attackers will try that same email-and-password combination everywhere else, a trick called credential stuffing. A unique password per site stops that cold.
Next, turn on MFA (multi-factor authentication) wherever it’s offered. MFA adds a second check beyond your password — a code from an app, a tap on your phone, or a hardware key — so that a stolen password on its own isn’t enough to get in. It’s one of the most effective protections available, and it takes seconds to use once it’s set up.
Your password is yours. IT will never need it, and no legitimate colleague should ever ask for it. If someone does, that’s a red flag worth reporting.
Lock your screen, every time
When you step away from your desk — even “just for a minute” — lock your screen. On Windows it’s Win+L; on a Mac it’s Control-Command-Q. An unlocked machine is an open invitation: anyone walking past can read confidential email, send a message as you, or copy files in seconds. Picture a contractor visiting your floor, or a busy open-plan office where strangers come and go. You don’t have to suspect anyone in particular; you just have to make the easy thing the safe thing.
Least privilege and temporary admin
Two terms come up a lot when IT talks about access. Least privilege means you’re given only the access your role actually needs — no more. It sounds restrictive, but it protects you: if your account is ever compromised, the attacker can only reach what you could reach, which limits the damage. Temporary, or just-in-time, admin means elevated rights are granted briefly for a specific task and then removed automatically, instead of everyone walking around as a permanent administrator. Standing admin rights that nobody uses are simply risk sitting idle — if that account is breached, the attacker inherits all of it.
Consider a common scenario: a small team shares one login for a billing system because “it’s easier.” Then someone leaves, an unexpected change appears in the records, and nobody can tell who made it. Shared logins erase accountability and make incidents almost impossible to investigate. The proper fix is individual accounts with the right access for each person — and asking IT to grant access the correct way rather than handing over a password.
Sort the Access Practices
Here's where each one goes:
- Use a password manager to store unique passwords → Secure habits — it's the single biggest upgrade to prevent reuse and credential stuffing.
- Write your password on a sticky note under the keyboard → Risky habits — anyone walking past can see it, and it defeats the whole point of a password.
- Turn on MFA wherever it's available → Secure habits — it's one of the most effective protections because a stolen password alone isn't enough.
- Share your login with teammates for convenience → Risky habits — shared logins erase accountability and make breaches impossible to investigate.
- Lock your screen every time you step away → Secure habits — even a minute away with an unlocked screen is an open invitation.
- Keep standing admin rights all the time → Risky habits — request temporary admin only when needed, so unused elevated rights don't sit idle.
How to use it
Set up a password manager today and let it create unique passwords for your accounts. Switch on MFA everywhere it’s available. Build the reflex of locking your screen every single time you stand up — Win+L until it’s muscle memory. And when you need access to a new system, request it through IT rather than borrowing someone else’s login, so your rights are tied to you and removed when you no longer need them.
Why it matters
These habits are quiet, but they do the heavy lifting. A unique password plus MFA means a single leaked credential won’t unlock your world. A locked screen means a moment’s absence never becomes an open door. Least privilege and temporary admin mean that even on a bad day, the blast radius stays small. None of this requires technical expertise — just consistency. Do the small things well, every time, and you’ve handled the part of security that matters most.
Quick check
1. A colleague asks for your password "to save time." You should…
2. Stepping away from your desk, you should…
3. "Least privilege" means…