• We often default to using predictable patterns, such as a zero in place of an ‘o’, or adding an exclamation mark to meet complexity criteria.
• Attackers also know that we’re prone to using information they can find on social media to create passwords, such as your pet’s name. They use these patterns and information to optimise their attacks.
• Reusing passwords across multiple accounts. This is particularly dangerous as it means that if a criminal manages to get one of your passwords, they could gain access to multiple accounts.

Using three random words is an ideal way to create strong passwords that are unique and easy to remember. The National Cyber Security Centre (NCSC) lists these as principal reasons for using this approach:

1. Length – passwords made from multiple words will be longer and meet minimum length requirements.
2. Novelty – the unpredictability of this method makes it very difficult for hackers to guess.
3. Usability – it’s easier to remember three random words than one that contains a complex range of characters.

For more about the NCSC’s password suggestions, and other top security tips, visit the NCSC website.

Password managers are a great way to help keep your accounts secure. They allow you to have strong, different passwords for each account, while only needing to remember one password yourself.

A password manager is an application on your device that securely stores your passwords, so you don’t need to remember them all.

• You can access any of the stored passwords with a ‘master password’ that you set.
• They can be stand-alone applications or built into a browser.
• Password managers are designed to make using, generating, and storing passwords easier and more secure.
• Many password managers automatically enter the appropriate password into websites and apps on your behalf, so you don’t have to type them in every time you log in.

Some password managers can generate passwords for you, making it much easier to have a different one for each of your accounts, and avoiding the common pitfall of reusing passwords.

The passwords these managers generate are even stronger than passwords we create ourselves, as they contain random strings of characters that we wouldn’t be able to easily remember on our own.

As your manager will contain all your passwords, it’s important to make sure it’s secure. You’ll also need to ensure that you’re always able to get into your password manager yourself, so you don’t risk losing access to your passwords.

Protecting your password manager is easier than you might think. Here are some steps you can take:

1. Set up two-factor authentication. This adds an additional layer of security; for example, a biometric scan or a one-time response code. If you have the option, set up more than one method so you have a backup for getting into your manager.
2. Make sure that you install updates for your password manager when prompted to. If you’re using a manager that’s built into your browser, make sure you’re using the most up-to-date version of the browser.
3. Choose a strong master password for your password manager using the three random words approach. You can’t store your master password in the manager itself, so it’s important that it’s both secure and memorable. Don’t store your master password on any devices.
4. If you’re using a password manager built into Safari or Google Chrome, it will already be protected by your existing AppleID or Google Account. Your existing password for these accounts will act as your master password for the in-built manager, so it’s important to make sure you set this password in line with the guidance above.

Two-factor authentication requires you to enter additional information beyond just your password to verify that it’s really you. This means even if a criminal manages to access your password, they may still be unable to access your account.

Examples of two-factor authentication include biometric scans (like facial recognition when unlocking phones), and one-time passcodes, normally sent via text message or generated by an authenticator app.

When you log in to an account with two-factor authentication active, you’ll be prompted to enter your account password and then complete the second authentication. You can turn two-factor authentication on from within the settings of your password manager.

We hope you found this useful. Please do share this information, as the more people use stronger, more effective password management, the safer they’ll be. Collectively, we can beat the fraudsters!

You can visit our security centre or join a free webinar to find out about common threats and scams. You can also explore the advice and resources of our security partner, the National Cyber Security Centre.