Account security best practices
Most account compromises happen because of weak passwords, password reuse, or phishing — not because of a flaw in the platform. Here’s what every Your HR Toolkit user should do to keep their account safe.
Use a strong, unique password
A strong password is long (at least 12 characters), unpredictable, and not used anywhere else. Re-using a password across services means a leak on any one of them puts your account at risk on all of them.
The easiest way to manage strong, unique passwords is a password manager (1Password, Bitwarden, the password manager built into your browser). You don’t have to remember the passwords yourself, just one master password for the manager.
The platform requires at least 8 characters when you set yours, but 8 is a floor, not a target. Aim for 12 or more.
Turn on 2FA
Two-factor authentication is the single biggest improvement you can make. Even if someone gets your password, they can’t sign in without the 6-digit code from your authenticator app. See Set up two-factor authentication for the walkthrough.
Save your backup codes somewhere safe (your password manager is ideal). You’ll only need them if you lose access to your authenticator.
Sign out of shared devices
If you sign in from a computer that’s shared (a kiosk, a team computer, a borrowed laptop), sign out when you’re done. Don’t tick “remember me” on shared devices.
If you forget, you can revoke active sessions from your account settings.
Spot phishing emails
Phishing is the most common attack method. The hallmarks of a phishing attempt:
- The email asks you to click a link to “verify” or “confirm” your account
- The sender address looks slightly off (e.g. support@yourhrtoolkitt.com with an extra letter)
- The email creates urgency (“your account will be disabled unless you act now”)
- The link, when you hover over it, goes to a domain you don’t recognise
Your HR Toolkit will:
- Send emails from hr@yourhrtoolkit.com.au or support@yourhrtoolkit.com.au
- Always link you to app.yourhrtoolkit.com for sign in (not a different domain)
- Never ask you for your password by email
If anything looks off, don’t click the link. Type app.yourhrtoolkit.com directly into your browser, sign in there, and check from inside the platform.
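The checks above (a sender domain that is one letter off, a link that does not go to app.yourhrtoolkit.com, “verify your account” wording, manufactured urgency) can be written down as a small triage routine. The following is an added example, not code from Your HR Toolkit; it uses the legitimate domains named on this page, a hypothetical check_email function, and constructed sample emails, and it flags messages rather than taking any action on them.

```python
import re
from urllib.parse import urlparse

# Domains this page says Your HR Toolkit actually uses.
LEGIT_SENDER_DOMAINS = {"yourhrtoolkit.com.au"}
LEGIT_LINK_HOSTS = {"app.yourhrtoolkit.com"}
# Brand label used to spot typo-squats such as "yourhrtoolkitt".
BRAND_LABELS = {"yourhrtoolkit"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion/deletion/substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str):
    """Return the domain part of an email address, lower-cased, or None."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].strip().lower()


def check_email(sender: str, links: list, body: str) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []

    # 1. Sender domain: exact match against the domains we send from,
    #    with a separate message for a near-miss (typo-squat) domain.
    dom = sender_domain(sender)
    if dom is None:
        findings.append("sender address has no domain")
    elif dom not in LEGIT_SENDER_DOMAINS:
        first_label = dom.split(".")[0]
        if any(0 < levenshtein(first_label, brand) <= 2 for brand in BRAND_LABELS):
            findings.append(f"sender domain {dom} looks like a typo of the real domain")
        else:
            findings.append(f"sender domain {dom} is not one we send from")

    # 2. Links: the host must be exactly app.yourhrtoolkit.com, so
    #    "app.yourhrtoolkit.com.evil.example" or a lookalike is flagged.
    for link in links:
        host = (urlparse(link).hostname or "").lower()
        if host not in LEGIT_LINK_HOSTS:
            findings.append(f"link goes to {host!r}, not app.yourhrtoolkit.com")

    # 3. Wording: "verify/confirm your account" and urgency phrases.
    if re.search(r"\b(verify|confirm) your account\b", body, re.IGNORECASE):
        findings.append("asks you to verify or confirm your account via a link")
    if re.search(r"\b(act now|disabled|suspended)\b", body, re.IGNORECASE):
        findings.append("creates urgency")

    return findings


# Constructed sample messages (not real emails).
PHISHING_SAMPLE = dict(
    sender="support@yourhrtoolkitt.com",
    links=["https://yourhrtoolkit-login.example/verify"],
    body="Please verify your account or it will be disabled unless you act now.",
)
LEGIT_SAMPLE = dict(
    sender="hr@yourhrtoolkit.com.au",
    links=["https://app.yourhrtoolkit.com/leave"],
    body="Your leave request was approved.",
)

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, "->", check_email(**msg) or "no findings")
```

The host comparison is deliberately an exact match rather than a substring test: a link to a host that merely contains “yourhrtoolkit” is exactly the kind of thing the hover check is meant to catch.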
Keep your work email secure too
Your work email account is the recovery path for the platform (password resets land there). If your work email is compromised, your platform account is at risk too. Apply the same controls to your email:
- Strong, unique password
- 2FA on your email account
- Don’t forward platform emails to personal accounts
Don’t share your account
Each platform user should have their own account. Don’t share login credentials with a colleague, even temporarily. The platform’s audit log records who did what under each account, so a shared account breaks the audit trail and makes you responsible for actions someone else took.
If a colleague needs platform access, your HR admin can create an account for them.
What to do if you think your account is compromised
If you suspect your account has been accessed by someone else:
- Sign in (if you can) and change your password immediately.
- Turn on 2FA if you haven’t already.
- Tell your HR admin. They can review your audit log to check for suspicious activity.
- Email security@yourhrtoolkit.com.au with as much detail as you have.
If you’ve been locked out, contact your HR admin to trigger a fresh password reset, then change your password the moment you regain access.