NSW Department of Education

What makes a good password?

For teachers
For parents
For students

Key message

Keeping your passwords strong and secure is one way to stay safe online.

Many people are guilty of having bad password habits. Sometimes a password might be too easy to guess, or it might be shared across multiple accounts or stored in an unsafe place. Having a strong password is a key part of keeping yourself safe online. Here are some tips to make sure you use good passwords for each of your online accounts.

Is your password easy to guess?

Can you guess the top 10 most popular passwords for 2018?

Chart showing the 10 most popular passwords in 2018, including 123456, 123456789, qwerty and password. For the complete list and more details, follow the link in the caption.
Source: https://www.abc.net.au/news/2018-06-11/chart-of-the-day-top-100-passwords/9844886 (warning – includes coarse language)

The top 100 most common passwords include popular words, phrases and memes. Hackers collect long lists of these passwords and use them to make programs that attempt to break into accounts using these password dictionaries, one after another, trying thousands or millions of passwords a second.

Sometimes people think they are being secure by using ‘password1’ or ‘p@ssw0rd’ instead of the basic ‘password’. Adding a single number or a symbol into your password doesn't make your password very secure. It is easy for automated programs to try variations on common words using numbers and symbols.

Is your password too short?

Computers are incredibly powerful and can calculate huge numbers rapidly. To a computer every password is just a long line of numbers and symbols.

Imagine you were going to make a password that was just one character long. The average keyboard offers a total of 95 different options you could choose for a single character, including 26 uppercase letters, 26 lowercase letters, 10 digits and 33 other symbols.

It would be very simple for a computer to check every one of these 95 possible options until it finds the right one to crack your account.

Although real passwords are much longer, computers are so powerful that it is still easy for passwords to be guessed simply by running through every possible combination of letters, numbers and symbols, one after another. This process is so fast that most common eight-digit passwords can be cracked in as little as a minute. The ‘How secure is my password’ website can illustrate how easy it can be to crack common passwords. By way of demonstration, create a new password (make sure that this is not one of your own passwords) and test it on the website. Remember: never type a real password into an unknown text box. Only give your passwords to sites that you know and trust.
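The two weaknesses described above, an easy-to-guess password and a too-short password, can be checked offline without typing anything into a website. The Python sketch below is an added example, not part of the original page: it flags passwords that reduce to a common one after undoing simple number and symbol swaps, and counts the combinations for a given length using the 95-character keyboard. The blocklist is a constructed sample holding only the four passwords named in the chart description, and the swap table and guessing rate are assumptions.

```python
import math

# Constructed blocklist: the four passwords the page names from the 2018 chart.
COMMON = {"123456", "123456789", "qwerty", "password"}

# Assumed table of number/symbol swaps ("p@ssw0rd" style) mapped back to letters.
SWAPS = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                       "1": "l", "!": "i", "$": "s", "5": "s", "7": "t"})

ALPHABET = 95                   # 26 upper + 26 lower + 10 digits + 33 symbols
GUESSES_PER_SECOND = 1_000_000  # assumption: "millions of passwords a second"


def variants(password):
    """Forms of the password with tacked-on suffixes and swaps undone."""
    lowered = password.lower()
    # Drop trailing digits/symbols such as the "1" in "password1".
    trimmed = lowered.rstrip("0123456789!@#$%^&*?.") or lowered
    return {lowered, trimmed,
            lowered.translate(SWAPS), trimmed.translate(SWAPS)}


def is_guessable(password):
    """True if any simplified form is on the common-password blocklist."""
    return bool(variants(password) & COMMON)


def combinations(length):
    """Number of possible passwords of this length over the 95 characters."""
    return ALPHABET ** length


def assess(password):
    """Summarise dictionary risk and exhaustive-search cost for one password."""
    total = combinations(len(password))
    return {
        "guessable": is_guessable(password),
        "combinations": total,
        "bits": round(math.log2(total), 1),
        # Time to try every combination at the assumed guessing rate.
        "worst_case_years": total / GUESSES_PER_SECOND / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    for sample in ("password1", "p@ssw0rd", "My dog is 110% HUMAN"):
        print(sample, assess(sample))
```

A password flagged as guessable falls to the dictionary long before the worst-case figure matters, which is why the blocklist check comes first.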

Some websites offer protection against these sorts of brute-force attacks by blocking access to your account after three incorrect password attempts. Sadly, too often people use the same password across multiple websites. A hacker only needs to discover your password being used on a less secure site and then they can attempt to reuse that password to access all other accounts on different sites.

Do you use the same password across different sites?

Sometimes your password can be stolen through no fault of your own. An attacker might break into a popular site and make off with username and password combinations. Most popular websites take great precautions to protect against such a data breach, and you will usually be contacted by email if a company suffers a data breach to warn you to change your password for that site.

The website have i been pwned? is an easy way to track the biggest known data breaches. Type in an email address and you will see all known data breaches that match with the email address and potentially any passwords associated with it that might have been exposed.

Top tips

Make ‘pass phrases’ not passwords

An unusual and memorable sentence makes a great password. Many sites allow you to include spaces in your passwords too. You could use something like ‘My dog is 110% HUMAN’ - it’s easy to remember, it includes all the necessary capitals, letters and symbols and it’s twenty characters long!

Avoid using personal information in your passwords

Strangers who find you on social media could have a good chance of guessing your password if it’s the name of your child, your pet or the street that you live on.

Include a mix of symbols, numbers and both upper and lower case letters

Weak passwords use short, common words. Protect your passwords from both dictionary attacks and brute-force attacks by using a range of letters, numbers and symbols.

Consider using a Password Manager

A Password Manager generates a random complex password for each of your accounts, and stores those passwords so you don’t have to remember them later. Dashlane is a free Password Manager. Google Chrome offers a free password manager service when you are logged in to the web browser. Apple Macs also offer the ability to auto-generate and store complex passwords when you log into a new site for the first time.

Just make sure that you keep the password for your password manager secure, otherwise anyone who can access your computer might then have automatic access to all of the accounts stored in your password manager.

Use two-factor authentication on all accounts that allow it

An account with two-factor authentication requires two separate pieces of identifying information in order to prove you are who you say you are.

Usually, the first piece of information is your username and password combination. The second could be a one-time code sent to an authorised email or phone number. You are required to enter in both your username/password and the identifying PIN within a short window of time.

An unauthorised intruder would need to know your password and also have access to your phone or email in order to break into an account that is secured with two-factor authentication.

It’s a great idea to investigate whether your important accounts offer two-factor authentication. If you’re not sure, ask the companies that host these accounts for more details on setting up two-factor authentication.
