
Tips on keeping your passwords secure


Bad things can happen if your password is discovered by a hacker, so it’s vital to keep your passwords secure. Here we bring you our top tips to help you avoid your email account/website being hacked.

Why is it important?

Having to remember and enter passwords is annoying for everyone, but they are necessary to prevent unauthorised access to your computer, email, website and other accounts.

If your password falls into the wrong hands it could affect more people than just you:

  • Your email password could be used to access your email account and send huge volumes of spam, which can get your entire email server blacklisted so you and others can no longer send legitimate email. An attacker could also email everyone in your address book, and the messages would appear to come from you.
  • Your website password could be used to upload a virus or phishing page to your website, to launch an attack on more people. This could get your website blacklisted and be costly to fix.
  • If you have access to personal data, especially sensitive data, it could be stolen and used for identity theft or blackmail. You could potentially incur penalties under the Data Protection Act if you have not taken appropriate steps to ensure security.

So it is vital that you keep your passwords safe. Please take the time to read the following recommendations to ensure you know how to do that.

Choose hard to guess passwords

To be secure, a password must be hard for an attacker to guess, even if they are able to use a computer program to guess millions of different combinations.

  • use a long password – at least 12 characters long – as it will take a long time to try that many combinations.
  • avoid well-known phrases (e.g. “tobeornottobethatisthequestion”). A secure long password can be made by picking four completely unrelated words. For example, “correctbatteryhorsestaple” is easier to remember yet more secure than “Tr0ub4dor&3” because it is so much longer.
  • add capital letters/numbers/symbols to increase the number of possible combinations. This is especially important if your password is less than 12 characters because a short password with only letters can be guessed relatively quickly.
  • never have a password less than 8 characters, for the same reason.
  • avoid using just 1 or 2 words (including names of people/places/pets) for your password because these are the first that will be guessed. Even adding additional numbers/symbols to make it look more random will not make it much harder to guess.

These are examples of good passwords (but don’t use these examples – make up your own):

  • Correctbatteryhorsestaple4
  • Talwsatgig,asbas2h! (“There’s a lady who’s sure all that glitters is gold, and she’s buying a stairway to heaven!”)
  • jJGQkf4toNRKZjc3hzYL (random)

And these are bad passwords:

  • p@ssw0rd
  • jsmith123
  • bunnyhop!

Use a secure password manager

Remembering lots of different passwords is hard. The solution is to use a password manager such as KeePass. These store all your passwords securely encrypted, so you only have to remember your Windows login and a “master password”. You can look up the rest when you need them.

This will allow you to generate secure random passwords (e.g. 20 characters long) for each account because you won’t need to remember or type them anymore.

Many password managers can also sync your passwords with your smartphone, so you can still access them when you are away from your PC. (LastPass does this as standard, and KeePass can be used with Dropbox.)

Do not reuse passwords

Passwords are hard to remember, so it is tempting to pick one and use it for everything. But if you do and one of them gets hacked, the hacker would be able to get into all of your accounts.

By using different passwords for each account you limit the damage in the event that one is compromised.

Be careful when writing passwords down

In general, you should not write your passwords down (or print them out) unless absolutely necessary, in case someone else gets hold of them.

If you need to write a password down, do not leave it near your computer – even if you think it’s hidden. Instead, put it in your wallet/purse and keep it with you. Do not write down your username or anything that would identify which account it is for, in case you lose it. If you do lose it, change the password immediately to be safe.

Install anti-virus software

If you get a virus on your computer, it may steal passwords from you without you knowing. So it is important to have a good, up-to-date virus checker installed on your computer.

This includes your home computer, especially if you access work email or files from home. There are free antivirus products available for personal use, such as Avast or AVG, or your company license may cover personal computers.

Beware phishing emails

Phishing (pronounced “fishing”) is where a hacker sends you an email that looks like it comes from a legitimate company (e.g. your bank) or from your own IT support department, but it actually directs you to a fake website under their control. If you were to go there and enter your login details as instructed, you would be sending your username and password straight to the hacker instead.

To avoid this, treat all emails with caution. Some phishing emails are easy to spot due to poor spelling/grammar, but some are more convincing. Be especially cautious if you have not received similar emails from the organisation in the past, or they look different to normal. Do not act on them unless you are sure they are legitimate.

To make sure you’re going to a real website and not a fake one, type the URL yourself (or use a search engine), rather than clicking a link in an email. If you do click a link, double-check that the URL is the right one – sometimes they look real at a glance but on closer inspection are not – for example, http://signin-ebay.com/ would not be a legitimate website.
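The URL check described above, written out as an added Python example (not from the original article): it extracts the host a browser would really connect to, accepts only the organisation's real domain or a subdomain of it, and also flags links that are not https. The organisation name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

def link_host(url):
    """Host a browser would actually connect to, or None for non-web links."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname is lower-cased and discards any "user@" prefix and port, so a
    # link such as https://ebay.com@evil.example/ correctly yields evil.example
    return (parts.hostname or "").rstrip(".")

def classify_link(url, trusted_domain):
    """Compare a link from an email with the organisation's real domain.

    Returns "ok", "not-https", "untrusted-host" or "not-a-web-link".
    """
    host = link_host(url)
    if host is None:
        return "not-a-web-link"
    trusted = trusted_domain.lower().rstrip(".")
    # Exact match or a real subdomain: signin.ebay.com passes, but the
    # lookalikes signin-ebay.com and ebay.com.evil.example do not.
    if not (host == trusted or host.endswith("." + trusted)):
        return "untrusted-host"
    if urlsplit(url.strip()).scheme != "https":
        return "not-https"
    return "ok"

if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    for link in ("http://signin-ebay.com/", "https://signin.ebay.com/",
                 "https://www.ebay.com.evil.example/login",
                 "https://ebay.com@evil.example/", "http://www.ebay.com/"):
        print(f"{link:45} -> {classify_link(link, 'ebay.com')}")
```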

In a similar way, you should be careful if someone calls you on the phone and asks for any sensitive information, especially passwords and PINs.

Be careful on shared internet connections

When you use a shared Wi-Fi connection, it is possible for other people using the same connection to spy on your internet usage. If you log into an insecure website while on a shared Wi-Fi connection, someone else may be able to find out your password.

The good news is you don’t need to stop using shared Wi-Fi connections – there is a solution that keeps you safe. The solution is to use an encrypted connection, which prevents anyone else on the network from eavesdropping. The encryption technology is known as SSL or TLS, and a website that uses it is accessed over HTTPS.

You can check if the connection to a website is secure by looking at the address bar in your web browser – typically you will see a padlock icon and the prefix “https://”, though it varies by browser.

If you do not see this, you should avoid logging into the website. This is especially important if you have reused the same password for other websites.

This also applies to your email – make sure your phone and computer are using SSL/TLS for checking your email, else your password could be sent unencrypted without you even noticing.

Finally, if you get any warning messages such as “There is a problem with this website’s security certificate”, do not continue as the connection is not secure.
