Choosing good passwords
Your password is the key to your information. Set yourself up with good password habits to protect your accounts.
Password overview
Cyber criminals are coming up with better ways to find out people's passwords. If you can create strong passwords and keep them secure, you'll be a step ahead in protecting your accounts.
Remembering all your passwords isn't easy. We can easily fall into bad password habits to help us remember them all. For example, how many of us have written all our passwords in a Word document and saved this as a file called Passwords?
Your passwords might be:
- too easy to guess, like your date of birth
- similar across many accounts, or
- stored in an unsafe place, like written in your diary, or in a post-it on your desk.
Common password problems
Passwords that get compromised usually have at least one of the following problems:
The top 100 most common passwords include popular words, phrases and memes. Hackers collect long lists of these words. They use them to make software that can test passwords on people's accounts.
They can test thousands or millions of passwords a second until they get the right one and break in.
Adding a single number or symbol into your password doesn't make it very secure. It's easy for automated programs to try variations using numbers and symbols.
As computers become more powerful, your passwords need to get longer. Passwords of 8 characters used to be long enough. Today, some software can crack 8-character passwords in seconds, even if they include numbers and symbols.
Now experts recommend your passwords are at least 12 characters long.
To test your passwords' strength before you use them, try ID Support NSW's password strength tester. Never type a password you already use into an unknown text box in case it can be intercepted by hackers.
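As an added illustration (not ID Support NSW's tester and not code from this page), the checks below apply the rules this section describes: at least 12 characters, and rejecting a common password even when digits or symbols are added or letters are swapped for look-alikes. The short common-password list and the 1e10 guesses-per-second rate are constructed assumptions; the bit count shows why each extra character adds more than a single symbol does.

```python
import math
import re

# Constructed stand-in for the "most common passwords" lists described above;
# real lists run to millions of entries (assumption: this set is enough to
# show how the check works).
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "iloveyou", "welcome",
                    "dragon", "football", "monkey", "sunshine", "princess"}

# Substitutions that guessing software tries automatically, so they add little.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})

def base_word(password: str) -> str:
    """Reduce a password to the word it is built from: drop leading and
    trailing digits/symbols, lower-case it, and undo look-alike substitutions.
    'P@ssw0rd123' and 'Password!' both collapse to 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)

def alphabet_size(password: str) -> int:
    """Size of the character set an exhaustive search has to cover
    (assumed: 26 lower, 26 upper, 10 digits, 33 printable symbols)."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size

def search_space_bits(password: str) -> float:
    """Work for exhaustive search in bits: every extra character adds
    log2(alphabet) bits, which is why length matters more than one symbol."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))

def seconds_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every string of this length and alphabet at an
    assumed rate (1e10 guesses/s is a constructed figure, not from the page)."""
    return alphabet_size(password) ** len(password) / guesses_per_second

def assess(password: str) -> list[str]:
    """Apply the rules from this section; returns the problems found."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if base_word(password) in COMMON_PASSWORDS:
        problems.append("a common password with digits/symbols added")
    return problems
```

Run `assess("Password1!")` to see both rules fire, and compare `seconds_to_exhaust` for an 8-character and a 12-character password to see the effect of length.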
Too often, people use a similar password across many websites. If a less secure site allows access to a criminal, they can then try your password on a more secure site, like your banking account.
Sometimes cyber criminals steal passwords from companies in data breaches. There isn't much you can do about this one, beyond choosing companies that care about your privacy.
Most popular websites take great care in protecting your data. But if hackers steal your details, the company will usually email you to let you know. You will need to change your password for that site.
You can check if your passwords have been hacked or exposed in a data breach at ID Support NSW's password strength tester. You can check if your email account has been in a data breach at have i been pwned?.
How to protect your passwords
Using the latest methods to keep your passwords a secret is smart digital citizenship. Here's how.
Get a password manager
A good password manager generates a random complex password for each of your accounts. It encrypts and stores all your passwords so you don’t have to remember them or write them down.
But it's important to remember no storage place is foolproof. Anyone who can access your device might have automatic access to all the accounts stored in your password manager. For this reason, it's important no-one else ever knows the password/PIN for your device or password manager. The master password to your password manager must be both very strong and easy for you to remember.
Even if you take these precautions, password managers have been in data breaches. But they're still the best option we have.
Here are some free options:
- Google Chrome offers a free password manager service when you're logged in to the web browser, and
- Apple Mac lets you auto-generate and store passwords when you log in to a website for the first time.
Some reputable password managers are Bitwarden, Keeper and 1Password.
Use two-factor authentication where available
An account with two-factor authentication (also known as multi-factor authentication, or MFA) needs 2 pieces of proof that you are who you say you are. Usually, the first piece of information is your username and password.
Plus it might need:
- your fingerprint or face ID, or
- a one-time code sent to your authorised email or phone number.
You must enter both your username/password and the code within a short space of time. Find out whether the companies you use offer two-factor authentication.
Choose passphrases
If you're still trying to remember all your passwords, consider coming up with:
- random 4-word combinations, or
- unusual and memorable sentences.
Something like: Mydogis110%HUMAN is good because it's:
- 20 characters long
- easy to remember
- nonsense, so hard to guess
- not personal information like your dog's name
- a mix of letters, numbers and symbols.