How to create good passwords
Creating long and strong passwords for your online accounts is one of the most effective ways you can protect your personal information, and keep yourself safe from attackers.
Why it matters
The passwords you use online protect so much of your life – from your money to your email to your social media – so it's important to make sure they do their job.
It's easy to think "I don't have anything worth stealing", or "no one's going to go to the effort to hack me". But most online security attacks are random. Attackers don’t target specific people. Instead, they look for easy ways to get hold of people's personal information online. They’re not picky about who it belongs to.
Attackers can gain access to personal information by:
- accessing the email addresses and passwords for accounts that have been leaked online in data breaches
- buying lists of passwords that are sold online
- using software that works through combinations of letters and numbers to 'guess' passwords – a weak password can be cracked in milliseconds.
Think about what might happen if someone got hold of the password for your email account, for example. You might think your email account isn't much use to anyone else, but:
- your email password could also be the password for your social media accounts, giving an attacker access to your contacts and personal information
- work or contract information, or other sensitive information, might be stored in your account
an attacker could send emails that look like they come from you containing links to download malware, such as ransomware
- an attacker could use the 'forgot password' option on your other accounts to reset your passwords and lock you out of your accounts.
Attackers can do a lot of damage with very little effort, and the damage can take years to fix – for example, if an attacker gets into your bank account, it can be very hard to recover the money that they steal.
How to protect yourself
Use a different password for every online account you have
Many of us use the same password for all our accounts, or stick to two or three different ones that we use over and over. The problem with this is that if an attacker gets hold of one of your account passwords, it'll give them access to any other accounts that share the same password. Keep your accounts safe, and use each password only once.
If you choose to use the "login with Google/Facebook" functionality when you're creating a new account, your new account's security relies on the strength of your Google or Facebook account's password. Make sure your original account password is long and strong, and you have 2FA turned on.
Make your password long and strong
Long passwords are strong passwords. An easy way to create a good password is to make a passphrase made up of four or more random words. Passphrases are easier to remember, and they’re stronger than a password that uses a long mix of numbers, letters, and symbols. You can try making a passphrase that’s a sentence or fun phrase unique to you. For example, 'popcornwithbutterisbest' or 'catseatpotatochips'. Or look around you and pick four random items, for example, 'Coffee lemon cup flowers'.
Always use words that are random to you, and don't use family names, birth dates or addresses – this type of information is easy for people to find.
Don’t use personal information
Personal information is easy to find online, especially if you use social media. Details about you, like your date of birth, your address and even your pet’s name are the first thing attackers check when they’re trying to hack into other people’s accounts. So, if you share pictures of your dog online, make sure you don’t use your dog’s name as your password too.
Keep your passwords safe
If you’re worried about remembering your passwords, a password manager can create, save and manage your passwords for you – meaning the password manager will be the only account you need to remember login details for.
Remember, don’t share your passwords with anyone — including your family, friends and colleagues.