Create and maintain strong passwords

Updated11 November 2021

Table of Contents

...Loading Table of Contents...

    Passwords are important tools for keeping your data and identity secure. Unfortunately, attackers know this, and they have many tricks they can use to figure out your passwords.

    But you can defend against those tricks by applying a few important tools and tactics. The most effective strategy is to make passwords that are LONG, RANDOM, and UNIQUE. To do this reliably, you will will need to use a secure password manager. It is also important to set up multi-factor authentication whenever possible.

    Find out if your passwords have been compromised

    • Search "Have I Been Pwned" to see if your accounts are reported as compromised.
      • Change any of your account passwords you find there immediately, using the instructions for setting up a password manager below.
    • Even if none of your accounts show up here, you should still follow the instructions below, as many account breaches are not reported.
    Learn why we recommend this

    Attackers look for passwords that have already been breached and are available online. They try passwords for your accounts until they find the correct one to get in. Reusing the same password is thus particularly risky. Have a look at Have I Been Pwned to see if your passwords are on any of the lists attackers use.

    Avoid common weak password strategies

    Here are the most common ways attackers learn your passwords:

    1. They can guess your password:
      • Using your personal information such as important dates, names, famous quotes, songs or authors you like
      • Using a dictionary
      • By slightly changing passwords you have used before
      • Using software to try all possible combinations to unlock your passwords
    2. They can look for:
      • Where your passwords are written down (like notes around your desk)
      • What you’re typing when you enter your password
      • Passwords that have already been breached and are available online
    3. They can trick you into:
      • Installing a malware app to record your password
      • Making you type your password into a fake login page through phishing
      • Providing your passwords or other information by pretending to be a support person or someone you know (also known as social engineering)
    • Be aware that the following strategies, on their own, DON'T make your passwords safe:
      • Using words or numbers related to you or people and organisations around you, like:
        • names of people, pets, or organisations
        • dates of birth, important anniversaries or holidays
        • telephone numbers or addresses
        • or anything else a person could learn by researching you and people around you
      • Using common phrases, such as famous quotations, song lyrics and poems.
      • Replacing characters with a similar symbol (e.g. replacing "a" with "@" etc.)
      • Putting exclamation marks, numbers, or other punctuation at the end
      • Starting Each Word With Upper Case Letters
      • Using single words in any dictionary
      • Changing passwords frequently

    Follow these guidelines to protect yourself against those tactics:

    Use a password manager

    • Get KeePassXC (for Linux, Mac or Windows), KeePassDX (for Android), or StrongBox (for iOS).
    • DO NOT re-use passwords.
    • Let the password manager generate and save a long, random, unique password for each of your logins.
    • You may want to set up password managers together with your colleagues. You can help each other in the process.
      • You may want to familiarize yourselves with the process of sharing passwords safely. However, whenever possible, it is more secure to set up separate logins for different accounts.
    • Read our guides to KeePassXC and KeePassDX.
    Learn why we recommend this

    No human brain is powerful enough to develop and remember enough long, random, unique passwords to keep all of their devices and accounts secure. A password manager generates and stores these passwords for you, protecting them with encryption.

    We recommend KeePassXC, KeePassDX, and StrongBox. They are free to use, have been verified as secure by community experts, and continue to be updated. They store passwords in an offline database, which means you have control over where the data is stored and how it is managed.

    Backup your password manager's database

    Learn why we recommend this

    As with any individual password, losing many of your passwords at once could cause anything from a nuisance to a catastrophic loss of communication with your contacts or loss of your finances. Practice backing up your database regularly.

    Remember a few secure passwords

    • Use the diceware method to generate passwords for your password manager and other passwords you must remember (like the password to unlock your password manager or devices):
      • Get a list of numbered words and some dice.
      • Roll dice five times to get a five-digit number (for example, 6,2,5,1,1).
      • Use the word in the list with the corresponding number.
      • Repeat this five times. Use those five words as a "passphrase" for one login.
        • Do not re-use this passphrase anywhere else.
      • Next, create a mental image using the words, in order, which will help you remember the phrase.
    • Practice entering these passwords regularly, daily at first and then at least once a week. Repetition will help you commit these passwords to memory.
    Learn why we recommend this

    There will be a few passwords you must memorise, including the master password to your password manager. There are strategies that can help you create passwords which are easy to remember but extremely difficult to guess, even for a clever attacker with 'password cracking' software.

    If there are passwords or backup codes you need to write down on paper and store securely

    • If you must write passwords down on paper, store them in a locked place like a safe or desk drawer.
      • It is important that your passwords not be visible to those who pass by, or easy to find and copy.
      • Do not keep them in your wallet.
    • Destroy any paper copies of passwords or backup codes thoroughly as soon as you no longer need them.
    Learn why we recommend this

    Long passwords can certainly be hard to remember. For passwords you may not be able to save in your password manager (like the ones to unlock your devices), consider writing them down and protecting them with a physical lock.

    If you decide to use an online password manager

    • Avoid storing highly-sensitive account information (like financial account or recovery account logins) in the online database.
    • Protect access to your online database with 2-factor authentication.
    • We recommend Bitwarden as an online password manager.
    Learn why we recommend this

    Password managers that automatically synchronize between devices online can be easier to use. They store your database of passwords encrypted on servers. However, online password managers present additional risk that an attacker could decrypt your database and access your passwords without you knowing.

    We recommend KeePassXC, KeePassDX, and StrongBox because they do not store your passwords online. If you do decide to use an online password manager, we recommend taking these steps for additional password protection.

    If you need to share passwords

    • Avoid sharing passwords whenever possible:
      • If you must share a password with a friend, family member or colleague, change it to something temporary and share that password. Change it to something secure again when they are done using it.
      • Consider creating separate accounts for each individual who needs access; many services make this possible. You can limit what actions these accounts are allowed to take, and what they can see. See the basic security guides for Android, iOS, Linux, Mac, and Windows for instructions on how to do this.
      • Set up your password manager so you can use it collaboratively. KeePassXC makes this possible.
    Learn why we recommend this

    Every time you share a password, it is almost like you have made an extra copy of your key and given it away, or like you have left doors and windows open to thieves. In fact, it is riskier than that, because many of your "doors" and "windows" can easily be accessed by devices far away without your noticing. Reduce this "attack surface" of open doors by avoiding sharing passwords whenever possible.

    Do not give your password when someone emails, calls, or messages you

    • Go to the app or site for the service that supposedly sent you the message to verify the request.
      • See our guides on basic security and social media to find different services' records of alerts they have sent you.
    • If it appears to be a person or office you know sending the message, contact them through another channel to verify whether they made the request.
      • For example, if the message was an email, call them.
      • Do not click links in the email or send a response.
    • Be aware when a message is trying to frighten you, make you curious, make you feel you will miss an opportunity, or otherwise make you act quickly and without thinking. Pause, remain calm, and find other ways to verify messages like these.
    Learn why we recommend this

    Attackers often pretend to be someone they are not, like a bank or technical support representative, to convince us to give them sensitive information. Attackers also often play on our emotions and human nature to make us give them passwords when we shouldn't.

    If you receive a call, email, or message requesting your password or other sensitive information, or if an email or text link you click asks for this information, it is very likely that someone is trying to trick you.

    When to change your password

    Change your password immediately when:

    • it appears your account, devices, or colleagues and people around you have been victims of a breach.

    • you get a credible warning from the services you use that there was an attempt to log in from an unauthorised device or location.

      • Look for news reports about breaches.
      • If you receive an email or alert, double-check on the service provider's own website that they sent the alert.
    • you entered your password on an untrusted, shared, or public device (it might have malicious code installed).

    • you are concerned that someone watched you type your password.

    • Minimise damage by warning others who may also have been affected.

    • See our guides on social media and the basic security guides for Android, iOS, Linux, Mac, and Windows for instructions on how to change your device passwords.

    Learn why we recommend this

    Research shows that changing your password repeatedly does not necessarily improve security. When people are required to change passwords often, they tend to make only small changes to the password, instead of coming up with an entirely new password. Read more about the research here.

    It is more important to change your passwords when there is a data breach. Because we do not always know when data has been leaked, we do recommend changing passwords every few months to a year, or immediately when there is a reason to believe it may be compromised.

    Mind where you are and who can see

    • If you’re in a public space and type your password, be mindful of whether you can be seen or recorded.
    • Check to see if anyone is watching your keyboard or phone while you type your passwords.
    • Use a privacy protecting screen to make it harder to see what you are typing.
    Learn why we recommend this

    Adversaries can monitor and record you entering a password. One activist's mobile phone was confiscated under a false charge of sedition. Her mobile device was locked with a password which she refused to provide it, but prosecutors managed to unlock her phone and access her data by studying her daily routines. They noticed there is a CCTV in the lift where she lives and were able to obtain video of her typing her passwords.

    Use two-factor authentication (2FA or MFA)

    • Check which services offer 2FA.
    • It is crucial to set up 2FA for:
      • your bank accounts or money apps
      • accounts like your email address, social media, or others you would need in order to recover other accounts
    • Your 2FA options may include:
      • Using an authenticator app or program like Google Authenticator, Okta, or Duo. We recommend the Aegis app on Android or Raivo OTP app on iOS/iPhone.
        • When using this option, it’s important that you protect your mobile phone from malware.
      • Using a hardware device--often called a security token, dongle, or USB "key"--which you can plug into your device or set up to use NFC (near-field communication).
        • Some examples are Yubikey, Nitrokey, Google Titan Key, and Thetis Key
        • Hardware devices may not be usable on mobile devices.
    • You can use one authenticator app or hardware device for multiple services, or set different services up with different forms of 2FA for additional protection.
    • Once you set up your device for 2FA, the above two options do not require an internet connection to generate codes. Using email for 2FA will require an internet connection.
    • Ranking 2FA options in order of safety, an authenticator app or hardware device is safest, then email, then SMS.
      • SMS text messages are not encrypted and attackers have successfully intercepted these one-time codes on their way to a target's phone.
    • Once you have set up 2FA, when you enter your username and password you will also use this additional way to prove you are who you say you are, by inserting your key, entering a code from your authenticator, or entering the code you are sent.
    • Do not disable two-factor authentication once you have set it up. Some services may offer you the option to turn it off for a while for convenience, but consider the impact this might have on your security.
    Learn why we recommend this

    When it comes to logins, it is safer to have multiple layers of protection. If the first layer of protection is breached, you can rely on the second to protect your digital assets. Multifactor or two-factor authentication (MFA or 2FA) using another device or email provides these extra protection layers. Though many people find it convenient, text message (also known as SMS) is the least secure option for 2FA.

    Using 2FA may seem inconvenient, but remember: what's mildly inconvenient for you is much more inconvenient for criminals and other people who might try to access your account. Having your accounts stolen, hijacked, or monitored by malicious people would be a far bigger inconvenience in the long run.

    Keep 2FA backup codes safe and separate

    • If you are given backup codes when you set up 2FA, store these codes in a password manager.
    • Ideally, to keep these codes separate from other information that could be used to access your accounts, create a separate KeePass database and save it on another device.
    Learn why we recommend this

    Most online services will give you a list of backup codes when you first enable two-factor authentication for your account. These codes are your way back into your account if you lose access to the device you are using for 2FA. The codes never expire. It is important to keep the backup codes safe, as anyone who has your password can access your account using any one of the codes.

    Avoid fingerprint or face unlock (biometrics)

    • If your device is set to unlock using your face or fingerprint, change your settings to use password unlock instead.
    • See the basic security guides for Android, iOS, Linux, Mac, and Windows for instructions on how to do this.
    Learn why we recommend this

    Biometrics can make it quicker to access your devices, using your personal features like fingerprints or face. However, they are generally a less secure way of locking your device and account. Unlike a password, you cannot change your fingerprint whenever you like. Many people are required to leave biometric information with airports, goverment offices, etc. This creates a potential risk that someone will be able to access your accounts without your consent. If your adversaries physically restrain or force you, it can be even easier for them to unlock your devices than it would be if you lock your device with a password.

    Set safer recovery questions

    Many web services ask for "security questions" or "recovery questions" when you create an account. To make it less likely someone can guess these:

    • Provide fake, unrelated answers to these questions.
    • You can even use another random, unique code generated by your password manager.
    • Save your responses in your password manager so you don't get locked out.
    Learn why we recommend this

    Recovery questions are important to helping services verify your identity if they suspect someone else is trying to access your account. You use these answers to change your password in case you lose access to your account. Unfortunately, your answers to questions like "What town were you born in?" or "What is your pet's name?" can be easy to find online. By giving fake answers, you can make it harder for an attacker to hijack your account.

    Further reading