QUB ACE-CSE TEAM INVITES YOU TO TAKE THE PASSWORD PLEDGE!
Passwords are an effective way to control access to your data, the devices you store it on, and the online services you use.
However, criminals will use the most common passwords to try and access your accounts or use information from your social media profiles to guess them.
Thursday, 5th May 2022 is World Password Day.
Take the Password Pledge:
- I will create strong and unique passwords using three random words.
- I will use different unique passwords for each of my most important online accounts – email, social media, and banking.
- I will turn on a second layer of security.
Get involved, put an end to weak passwords, and secure your online accounts!
FAQs
- What makes a good password?
It should be strong and different for each of your accounts. Ideally, you should use unique passwords for all your important online accounts (such as banking accounts, shopping/payment accounts and social media accounts), not just your email account.
- What is a ‘three random words’ password?
Short complex passwords are hard to remember and so people reuse them once they have them set up – password reuse is a bad thing!!
The ‘three random words’ principle means that you place together three random words along with some basic complex characters that combine to make a LONG password that is suitably hard to guess but is (hopefully!) easily remembered.
For example, Horse%Bridle*Party2
- Why should I use different passwords?
If you had a master key for everything you owned - your house, car, caravan, briefcase, garage, shed, etc., you would be pretty worried if you lost your key!
It’s the same for passwords. By using different passwords for different types of account, you are reducing the risk of losing everything all at the same time.
- Why should I have different passwords for my work, personal, banking & social media?
It’s all about risk control and limiting the damage in the event of someone getting your password. Everyone will, at some point, have a password stolen - this is an unfortunate fact with the digital world.
If you expect a password to get stolen, then by planning for it, you can minimise the risk and the extent of the compromise.
- What is a STRONG password?
A strong password is a password that is difficult for anyone else to guess – both humans and computers. Strong passwords tend to have the following features:
- They are long (greater than 12 characters)
- They contain upper- and lower-case letters
- They contain both numbers and symbols
- What is a WEAK password?
A weak password is something that is easy to guess and can be easily worked out from some basic information about you. Weak passwords tend to have the following features:
- They are less than 8 characters
- They contain personal information, e.g., your birthday fragments (date, month, year, etc.) or spouse/children’s/family/pet names
- They contain only lowercase letters
- They contain no symbols
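The following Python sketch is an added example, not part of the original pledge page: it builds a password in the ‘three random words’ style and checks a password against the strong and weak features listed above. The word list, symbol set, function names and sample personal details are constructed for illustration, and the guess-space estimate goes slightly beyond the text to show why the size of the word list matters.

```python
import math
import secrets
import string

# Constructed sample list; a real generator needs several thousand words.
WORDS = ["horse", "bridle", "party", "candle", "river", "tiger", "marble", "window",
         "pepper", "anchor", "violin", "meadow", "rocket", "button", "garden", "walrus"]
SYMBOLS = "%*!#&+"  # assumed set of "basic complex characters"

def three_random_words(words=WORDS):
    """Three capitalised random words joined by symbols, plus a digit."""
    picks = [secrets.choice(words).capitalize() for _ in range(3)]
    seps = [secrets.choice(SYMBOLS) for _ in range(2)]
    return f"{picks[0]}{seps[0]}{picks[1]}{seps[1]}{picks[2]}{secrets.randbelow(10)}"

def guess_space_bits(n_words):
    """Entropy in bits if a guesser knows this scheme and the word list size."""
    return 3 * math.log2(n_words) + 2 * math.log2(len(SYMBOLS)) + math.log2(10)

def is_strong(password):
    """The page's strong features: >12 chars, both cases, numbers and symbols."""
    return (len(password) > 12
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))

def weak_features(password, personal=()):
    """List which of the page's weak-password features apply."""
    found = []
    if len(password) < 8:
        found.append("less than 8 characters")
    if any(p and p.lower() in password.lower() for p in personal):
        found.append("contains personal information")
    if password and all(c in string.ascii_lowercase for c in password):
        found.append("only lowercase letters")
    if not any(c in string.punctuation for c in password):
        found.append("no symbols")
    return found

if __name__ == "__main__":
    print(three_random_words(), is_strong("Horse%Bridle*Party2"))
    # Constructed weak example: pet name plus birth year fragment.
    print(weak_features("rex2015", personal=["Rex", "2015"]))
    # Guess space for the 16-word sample versus a 7,776-word list.
    print(round(guess_space_bits(len(WORDS)), 1), round(guess_space_bits(7776), 1))
```

The 16-word sample list gives only about 20 bits of guess space, while a 7,776-word list gives about 47 bits, so the words must come from a large list and be chosen at random.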
- Should I change my password every 30/60 days?
If you have created a ‘strong password’ and you don’t suspect that it has been compromised, then leave it alone!
Changing STRONG passwords only tends to make us start using easy to remember ones.
- What is Multi-Factor Authentication (MFA)?
Multi-factor authentication means that you need more than one thing to access your account. There are three ways or factors for authentication:
- Something you know (a password)
- Something you have (a mobile phone)
- Something you are (biometric – fingerprint, face, heartbeat)
MFA requires you to have more than one way to verify who you are. For example, a password plus fingerprint/face scan, or a password plus a code sent to your phone.
- Should I save my password in a web browser?
Ideally, no, but we live in the real world and people cannot remember everything!
It is better to save a unique website password for your different websites in a web browser than reusing the same password everywhere.
There are cases of browsers having stored passwords harvested. It is better to use a password manager that has two-factor authentication built in.
However, using a web browser password store is better than nothing!
- What has social media got to do with passwords?
Social media phishing is a crafty way to try and get you to tell people personal information using social media without directly asking you! This information is often used as part of password recovery (e.g., what is your mother’s maiden name, what is the name of your first school, etc.). You can limit this risk by limiting the personal information you share on social media and by following the guidance for creating strong passwords (i.e., do not use personal information in your passwords!).
- What is a password manager?
A password manager is a device or program that securely stores your login credentials. They usually help you generate strong and random passwords that are then stored for you in a secure ‘vault’. This means that you do not need to know the password for every website that you visit as you are pulling this information from the password vault, when required. The obvious question is ‘is the password manager not a big risk now?’
It is ... sort of! Any good password manager will require MFA to unlock the password vault for use. In other words, you will need a strong password PLUS MFA to unlock. Good password managers also work across your different browsers, mobile devices, PCs, laptops, etc. so that you get consistent and secure access to your passwords from everywhere that you need WITHOUT having to write them all down.
Queen’s holds an Academic Centre of Excellence in Cyber Security Education (ACE-CSE) Silver Award from the National Cyber Security Centre (NCSC) and the Department for Digital, Culture, Media, and Sport (DCMS).