
How to choose a strong password

When we use services online - from email to online banking - we need to prove to the website we are who we say we are. That’s so other people can’t access our private information - or our money.

Most websites protect your identity by asking you to set up a password. Choosing a strong password makes it less likely that an attacker could access your information.

This how-to aims to help you choose a good password.


What do we mean by a ‘strong’ password?

When we say a password is 'strong', we mean it's hard to guess. Hackers use computer programs to try millions of possible passwords until one works, so choosing an unguessable password is harder than it sounds.

These tips will help you choose a password that’s harder to crack.


Avoid the really obvious choices

Lots of people really do choose things like ‘12345’, ‘qwerty’ or ‘password’. Or they use the name of the website - ‘Dropboxpassword’, for example. If you value your privacy, don’t do this.


In fact, don’t use an actual word for your password

Password cracking software can simply try every word in the dictionary until it finds your password. So using an actual word as your password isn’t a good idea.


Avoid common patterns

Websites sometimes force you to follow rules when setting up a password, saying you have to use at least one capital letter, number and special character.

So, you might choose the word ‘monkey’, then make the first letter a capital, add a couple of numbers at the end (probably a significant year so you can remember it), and maybe also add a special character. You might even go a step further and use a substitution, like ‘3’ for ‘E’.

So you end up with something like ‘Monk3y85!’.

The problem is, in order to keep their passwords memorable, most people end up using similar patterns. While ‘Monk3y85!’ looks like a less obvious password than plain ‘monkey’, remember that hackers can rapidly try millions of combinations. It’s easy to keep trying words with a couple of different numbers and special characters on the end.
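To see why the pattern gives so little protection, here is a short check of the kind a sign-up form could run before accepting a password. It is an added example, not part of the original how-to; the word list and substitution table are small constructed samples, and the function names are made up for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary
# plus a list of passwords seen in past leaks.
COMMON_WORDS = {"monkey", "password", "qwerty", "dragon", "house"}

# Usual character swaps, mapped back to the letters they stand for:
# 3->e, 0->o, 1->i, 4->a, 7->t, @->a, $->s
SWAPS = str.maketrans("30147@$", "eoiatas")


def strip_affixes(text):
    """Remove runs of digits and symbols from the start and end."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", text)


def find_weak_pattern(password):
    """Return why a password is predictable, or None if no pattern matched."""
    lowered = password.lower()
    if not strip_affixes(lowered):
        return "digits and symbols only"      # e.g. '12345'
    if lowered in COMMON_WORDS:
        return "plain word"                   # e.g. 'monkey', 'Monkey'
    # Undo the disguise in both orders, so a swap at the very end of the
    # word ('h0us3') and digits added after the word ('85!') are both caught.
    candidates = {
        strip_affixes(lowered).translate(SWAPS),
        strip_affixes(lowered.translate(SWAPS)),
    }
    if candidates & COMMON_WORDS:
        return "disguised word"               # e.g. 'Monk3y85!'
    return None


if __name__ == "__main__":
    for sample in ["12345", "monkey", "Monk3y85!", "h0us3", "winter route lift balm"]:
        print(f"{sample!r}: {find_weak_pattern(sample)}")
```

A result of `None` only means none of these patterns matched, not that the password is strong.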


Use a passphrase instead

In order to have a strong password that’s still memorable, try using a phrase instead of a word.

Choose a random sequence of words - like ‘winter route lift balm’. If you can think of a little story or mental picture to link the words, that can help the password stick in your mind.

Don’t use a phrase that will have been published somewhere, like a quote or song lyrics. The point is to make the words random.

If you want some extra strength, or if the website insists, add capitals, numbers and special characters. But avoid obvious patterns, like capitalising the first letter of a word.
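The sketch below picks the words with a cryptographically secure random source and compares the number of guesses an attacker needs against the "word plus numbers plus symbol" pattern. It is an added example, not part of the original how-to; the 16-word list is a constructed sample, and the figures of 7,776 words in a passphrase list, 100,000 words in a cracking dictionary and 32 special characters are assumptions.

```python
import math
import secrets

# Constructed sample list so the example runs offline. A real generator
# would load a published list of several thousand words.
SAMPLE_WORDS = ["winter", "route", "lift", "balm", "candle", "orbit",
                "maple", "tunnel", "pebble", "violin", "harbour", "cactus",
                "ribbon", "meadow", "anchor", "lantern"]


def make_passphrase(words, count=4, separator=" "):
    """Pick `count` words independently and uniformly at random."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets uses the operating system's secure random source; the
    # `random` module is predictable and should not be used here.
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size, count):
    """Bits of entropy when every word is drawn uniformly from the list."""
    return count * math.log2(list_size)


def pattern_bits(dictionary_size, digits=2, symbols=32):
    """Bits of entropy for 'word, maybe capitalised, digits, one symbol',
    assuming the attacker already knows people use this pattern."""
    guesses = dictionary_size * 2 * (10 ** digits) * symbols
    return math.log2(guesses)


if __name__ == "__main__":
    print("Example passphrase:", make_passphrase(SAMPLE_WORDS))
    print(f"4 words from the 16-word sample list: {passphrase_bits(16, 4):.1f} bits")
    print(f"4 words from a 7,776-word list: {passphrase_bits(7776, 4):.1f} bits")
    print(f"Pattern like 'Monkey85!': {pattern_bits(100_000):.1f} bits")
```

Each extra bit doubles the number of guesses needed, so the gap between the last two figures is a factor of several million. The tiny sample list is there only to make the code run; its passphrases are far too easy to guess.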


Use an online service to test different passwords

Websites like let you try a password and see how strong it is. But don’t type in your real passwords!

You could also try this quiz to test your knowledge of passwords.


Prioritise high-value accounts

Realistically, you’re likely to have dozens of passwords. Remembering strong passwords for every website you use is going to be a challenge.

So, pick good passwords for your most important accounts. Prioritise online banking and email. (You can usually reset passwords by email, so if someone hacks your email, they’re likely to be able to access your other accounts too.)


Don’t re-use passwords

It’s fairly common for websites to be hacked and people’s passwords leaked. This has happened to some well-known organisations, including charities like NCT and companies like DropBox.

If you re-use a password, it only takes one website to be hacked, and you could potentially lose access to all your accounts. So avoid using the same password for more than one site.


Use a password manager

Web browsers can remember passwords for you. You can also get dedicated password managers that can store passwords.

These services help you use stronger passwords because you don’t need to remember them yourself - although this can make life more difficult if you’re out and about and need to use a different computer.

The downside is that if someone can get hold of your computer they could potentially get access to your passwords. But password managers and browsers let you set up a master password to protect your accounts. And it's more likely that an attack will happen online than from someone with access to your computer.


It might be okay to write passwords down

It’s definitely a bad idea to write passwords down and leave them somewhere easy to find. But for most people, using strong passwords and writing them down - and keeping that bit of paper somewhere safe! - is likely to be better than using weak passwords.

The reasoning goes like this: it’s more likely that an attack will happen online, rather than from someone who has physical access to your wallet or notebook, or wherever you keep important bits of paper.


What else can I do?

Use two-factor authentication if it’s available. You’ve probably come across this - banks tend to use it for online banking.

Two-factor authentication means you need a password and another code to log in. Some banks and employers use little gadgets to generate the code, but it’s more likely now that you’ll get it by text or using a phone app.

Two-factor authentication can be a bit inconvenient - you might not be able to log in to your email on a new computer if you don't have your phone, for example. But it does mean an attacker would need to know your password and have your phone to break into your account.


Beware phishing scams

Once you’ve chosen a good password, be careful where you type it.

A common scam is to send a fake email that looks like it’s from, say, your bank. You click a link, and are taken to a website that looks like your online banking service, but is really set up to steal passwords.

You can read more about avoiding these scams from Citizens Advice.


Page last edited Apr 13, 2017