
How to create secure passwords

Follow our advice on how to generate strong, unique passwords to protect your accounts and data
Kate Bevan
Natalie Turner, Content writer

Generating passwords and then remembering them for the many websites that ask you to sign in can be a pain. We can help.

You can use our advice on creating strong passwords and password authentication to make your life easier. Keep reading to find out more.




At a glance: generating strong passwords

We'll go into more detail on creating secure, strong passwords below, but in summary:

  • Use unique passwords for every website 
  • Don't re-use passwords
  • A passphrase is better than a single password
  • Don't use any personal information as a password
  • Use a password manager
  • Use two-factor authentication where you can
  • Don't change passwords too regularly

Why you can trust our advice on strong passwords

Our Which? Tech Support team has, collectively, 111 years of experience in tech support. Every day, they help people like you solve their tech problems and get more out of their gadgets.


Use unique passwords for every account

When we say unique, we mean unique.

We’ve seen suggestions that you use a base password and then tweak it for each site you log in to, but that’s now considered a really bad idea. Once an attacker gets hold of your base password, they could quickly work out your system for other sites and all of them could be hacked.

You should have a different password for each and every site you log in to.

Don't use personal information as passwords

Anything that someone knows about you or could guess about you isn’t a good password. 

So don't use:

  • Your child, pet or partner's name
  • Your middle name
  • Your place of birth or town where you live
  • Your mother's maiden name
  • Your favourite sport, team or athlete's name
  • Your favourite holiday destination.

You get the gist. 

Also, be careful about inadvertently revealing personal details via social media: you'll regularly see quizzes that get you to share this kind of data. Doing them might seem harmless, but you can't guarantee your data will be safe.

A passphrase is better than a password


Even if a website stores only a scrambled (hashed) version of your password rather than the password itself, a single word found in the dictionary is easy to crack. Hackers keep precomputed lists of the hashed versions of the most commonly used passwords (these lists are called rainbow tables) and simply look your hash up in them.

To beat this, use a phrase as your password instead of just one word. However, don’t pick a quote that everyone knows because that’s just as easily guessed, and don’t base a passphrase on personal information that others could easily work out.

So if your partner’s name is John and his birthday is in August, a bad passphrase would be John was born in August. Pick something random that only you know. A good passphrase might be 'Blue dogs walk backwards'. 

It doesn’t even have to be a phrase that makes sense. Three random words such as 'umbrella cable kitten' is a decent passphrase. 

Pick long passwords

Many websites have a minimum character count for passwords, but the longer the password you choose, the harder it is for a hacker to crack. Again, a passphrase is better than a single password. 




Use special characters cleverly


Many websites insist that you use special characters – numbers, capital letters and symbols – in your passwords. So it’s tempting to replace letters of the alphabet with numbers and symbols that look similar so that 'password' becomes 'p@$w0rd'. 

But don’t do this. Hackers know that trick too. 

If a website insists that you use special characters, insert them into your passphrase. To use the example we picked before, you could turn 'umbrella cable kitten' into '&umbrella+Cable!kitten*'. 
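The passphrase advice above (three random words, symbols at the word boundaries rather than look-alike substitutions, and a longer phrase beating a single word) is easy to turn into code. This is an added example, not code from Which? or from any of the password managers named on this page; the wordlist is a constructed toy (real diceware-style lists have thousands of words), and the symbol pool is an assumption.

```python
import math
import secrets

# Constructed mini wordlist. Real diceware-style lists such as the EFF long
# list have 7776 words; the list size is what the entropy figure depends on.
WORDLIST = ["umbrella", "cable", "kitten", "blue", "dogs", "walk", "backwards",
            "lantern", "pebble", "harvest", "violet", "canyon", "meadow", "copper"]

# Assumed symbol pool for satisfying "must contain a special character" rules.
SYMBOL_POOL = "!#$%&*+-=?@^_~"


def build_passphrase(n_words: int, wordlist=WORDLIST) -> list:
    """Draw n_words uniformly (with replacement) using the OS CSPRNG.
    random.choice would be the wrong tool here: it is not designed for secrets."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of the draw above: every word adds log2(wordlist_size) bits,
    so 3 words from a 7776-word list give ~38.8 bits and 6 words ~77.5 bits.
    A single dictionary word from the same list is only ~12.9 bits."""
    return n_words * math.log2(wordlist_size)


def insert_symbols(words, symbols=None, capitalise_index=1) -> str:
    """Meet a site's symbol/capital rule the way the article suggests: symbols
    at the word boundaries plus one capitalised word, instead of replacing
    letters inside a word ('p@$$w0rd'), which crackers undo automatically.
    With symbols=None the symbols are drawn randomly; pass a string to fix them."""
    if symbols is None:
        symbols = "".join(secrets.choice(SYMBOL_POOL) for _ in range(len(words) + 1))
    out = []
    for i, word in enumerate(words):
        out.append(symbols[i % len(symbols)])
        out.append(word.capitalize() if i == capitalise_index else word)
    out.append(symbols[len(words) % len(symbols)])  # trailing symbol
    return "".join(out)


if __name__ == "__main__":
    words = build_passphrase(3)
    print(" ".join(words), "->", insert_symbols(words))
    print(f"{passphrase_bits(len(WORDLIST), 3):.1f} bits from this toy list, "
          f"{passphrase_bits(7776, 3):.1f} bits from a 7776-word list")
```

With the article's own three words and the symbols `&+!*`, `insert_symbols` reproduces `&umbrella+Cable!kitten*`. Note that the entropy figure comes from how the words were chosen, not from how the result looks: a phrase you made up yourself is not covered by the calculation.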

Don't write down your passwords


It’s tempting to write a list of your passwords and refer to that rather than relying on your memory.

That said, writing down and keeping secure a list of unique, strong passwords is better than using the same easy-to-crack password on all your websites. We’d strongly recommend that you don’t do this, but if you must, then don’t leave that list lying on your desk: lock it in a safe or in a secure drawer.

You might live alone, or think you can trust the people you live with, but you might be burgled. An intruder could not only steal your laptop, they could also get away with your precious passwords, too.




Use a password manager

What's the best way to store a long list of complex passwords, especially if your memory isn’t quite what it should be? The answer is a password manager. 

Password managers are programs that look after your passwords for you. In most cases they will also generate strong, unguessable passwords and then make sure they’re associated with the right websites. 

There are several to choose from, but they all do more or less the same thing – create an encrypted vault that stores all your passwords, generates passwords and in most cases will fill in passwords on websites for you. 

Most of these have a free and a paid-for option. Most will have apps and browser extensions so you can use them on all your devices – your laptop, mobile, tablet or Chromebook. 

Which password manager should I use?


There's a variety of online password managers to choose from. We recommend:

  • Bitwarden - open source, easy to use, free for personal use and can sync across an unlimited number of devices. The premium version is $10 per year and includes additional features such as security reports, end-to-end encryption for texts and files, emergency access for other Bitwarden users, and a Bitwarden Authenticator.
  • Dashlane – simple to set up and syncs across devices. The free version only allows you to save up to 25 passwords and only works on one device, whereas the premium plan allows unlimited passwords on multiple devices.
  • 1Password – also easy to set up and offers features such as password generation, secure notes and 2FA. Offers a free trial for 14 days, then an individual plan is $2.99 per month.
  • Google Password – built into your Chrome browser and Android, so you can use your Google account to manage passwords (it's important to use 2FA to further secure it). It will alert you if any passwords have been compromised in a data breach and suggest remedies.
  • Apple iCloud Keychain – stores passwords across your Apple devices that are signed in with the same Apple ID.
  • LastPass – this password manager was hit by a major data attack in August 2022 but has since implemented additional security measures such as multi-factor authentication for all users. LastPass is still widely used and trusted. But as with any password manager, you need to create a strong and complex master password – and be vigilant for any social engineering or phishing attacks off the back of the data attack.



Other password security tips

Want to give your personal data an extra line of defence from hackers? You might consider using some of the methods below.

Two-factor authentication

One of the best steps you can take to protect your accounts from hacking is to use two-factor authentication, also known as 2FA. 

Most websites offer it nowadays, though you might have to dig around in your account settings to find it. 

In its most common form, 2FA means that if someone tries to log in from a device or an IP address you haven’t approved, the site sends an SMS to your phone with a one-time code you need to type in before it will authenticate you. If it’s you logging in from a new computer, you’ll be able to type in the code and complete your log-in. A hacker won't have your mobile and won’t be able to finish logging in – so they won’t be able to access your account. 

Rather than using your mobile phone, you can use hardware devices such as a Yubico YubiKey, or authenticator apps such as Google Authenticator and Okta Verify, which can also run on devices other than your mobile, for 2FA. 

The thinking here is that while getting an SMS on your mobile phone is a good, convenient way of confirming a log-in, if your phone is stolen you would be unable to verify any new sign-ins. And, worse, the thief would be able to receive log-in codes meant for you. 




Biometric authentication


More and more devices come with biometric capabilities, meaning you can use a fingerprint, a face scan or an iris scan to log in instead of a password or a PIN. 

Biometrics is a quick and easy way to log in to your phone or other device – and it's becoming more common to use your fingerprint or other method to log in to websites and services, too. 

It's worth noting, however, that face recognition is far from a fool-proof method of 2FA. Our investigation last year found that facial recognition on 40% of new phones is easily spoofed with a printed photo.

If a phone we test has facial recognition that can be fooled with a 2D photograph, we check to see if there is a clear and specific warning in place to tell you about this insecurity. Phones with this issue that do not have an adequate warning cannot be Best Buy phones or Great Value phones.

Risk management

No method of authentication is perfect – they all carry risks. Passwords can be guessed, password managers can be hacked, 2FA can be bypassed and biometrics can be spoofed. 

But looking after passwords and our online accounts is about making sure we take the appropriate steps for us. Most authentication methods are good enough for everyday use – for example, it’s better to have 2FA sending an SMS to your phone than not having it at all. 

To help put your mind at ease, you can use a password strength tool, such as the Bitwarden password strength tool, to see how hard your password is to crack.
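A strength tool applies rules like the ones this article gives: undo look-alike substitutions before checking against common passwords, reject personal information, and prefer several words to one. The checker below is an added example, not the Bitwarden tool or any other product; its common-password list is a constructed stand-in for the millions of leaked passwords a real tool uses, and the 12-character minimum is an assumption.

```python
import re

# Look-alike substitutions that crackers undo automatically, so the checker
# undoes them too: 'p@$$w0rd' normalises to 'password'.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Constructed, deliberately tiny list; a real checker uses a full dictionary
# plus leaked-password corpora.
COMMON = {"password", "qwerty", "letmein", "welcome", "football",
          "monkey", "dragon", "iloveyou", "admin", "sunshine"}

MIN_LENGTH = 12  # assumed threshold for this example


def normalise(password: str) -> str:
    """Undo look-alike substitutions and lower-case the result."""
    return password.translate(LEET).lower()


def check_password(password: str, personal_info=()) -> list:
    """Return issue codes tripped by the password; an empty list means none.
    Codes: too_short, common_word, personal_info, single_word."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("too_short")
    norm = normalise(password)
    # Drop remaining non-letters so 'password123!' still matches 'password'.
    core = re.sub(r"[^a-z]", "", norm)
    if core in COMMON:
        issues.append("common_word")
    # Check personal details against both the raw and normalised forms, so a
    # year written as digits is caught even though LEET would rewrite it.
    haystacks = (password.lower(), norm)
    if any(item.lower() in hay for item in personal_info for hay in haystacks):
        issues.append("personal_info")
    words = re.findall(r"[a-z]+", norm)
    if len(words) <= 1 and len(password) < 16:
        issues.append("single_word")
    return issues


if __name__ == "__main__":
    for candidate in ["p@$$w0rd", "John was born in August", "Blue dogs walk backwards"]:
        print(f"{candidate!r}: {check_password(candidate, ['John', 'August']) or 'ok'}")
```

Real estimators go further (keyboard walks, dates, repeated characters, and a scoring model rather than pass/fail rules), but the sequence is the same: normalise first, then match against what attackers actually try.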

Changing passwords

People used to be told to change passwords regularly, and many organisations still enforce password changes. 

However, current thinking on this has changed. The National Cyber Security Centre (NCSC) now explicitly recommends that you don’t change passwords – unless you have to because your password has been stolen. 

We’ve learned from research that humans don’t like having to come up with new passwords and tend to recycle previous passwords, which, as we’ve seen, isn’t a good idea.

So don’t change passwords for the sake of it: if you’ve got a strong password you haven’t used anywhere else, it will protect your account for a long time. 


Random password generators

If you want to maximise security and don't want to change your passwords often, using an online random password generator can help.

The benefit of a randomised password is that it is extremely difficult to crack. The strongest passwords have a combination of upper and lower-case letters, symbols and numbers in no logically guessable order - hence, random.

You can obviously come up with your own randomised password and use a strength tool to test how secure it is. Or, some password managers also provide a free online password generation tool, where you can then save the password to your account. These include:

  • Bitwarden password generator - generates passwords up to 128 characters or passphrases up to 20 words. You can also customise to include capitalised letters and numbers, plus the tool will tell you how strong your password is and estimates how long it would take to crack (usually centuries).
  • LastPass password generator - makes passwords up to 50 characters. Plus, you can toggle to make the password easy to say (omits numbers and symbols) or easy to read (omits ambiguous characters like 1, I, 0 and O).
  • 1Password password generator - you can make passwords up to 100 characters long and toggle to include numbers and symbols. You can also choose between a random password, a memorable password (up to 15 words), or a randomised PIN (up to 12 numbers).
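The generators listed above all do the same underlying job: draw characters from a chosen alphabet with a cryptographic random source, optionally drop ambiguous look-alikes for "easy to read" output, and estimate how long exhaustive guessing would take. The code below is an added example of that job, not the code of Bitwarden, LastPass or 1Password; the symbol set, the look-alike set and the guess rate used in the crack-time estimate are assumptions.

```python
import math
import secrets
import string

# Assumed look-alike characters dropped in "easy to read" mode.
AMBIGUOUS = set("1lI0O")
# Assumed character classes; the symbol set is a constructed choice.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",
}


def pool_for(class_name: str, easy_to_read: bool) -> str:
    chars = CLASSES[class_name]
    return "".join(c for c in chars if c not in AMBIGUOUS) if easy_to_read else chars


def generate_password(length: int = 20, classes=("lower", "upper", "digits", "symbols"),
                      easy_to_read: bool = False) -> str:
    """Random password of `length` characters containing at least one
    character from every class in `classes`, so it cannot fail a site's
    'must contain a number/symbol' rule. Forcing one of each class costs a
    little entropy versus a purely uniform draw, but keeps the output usable."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    chars = [secrets.choice(pool_for(c, easy_to_read)) for c in classes]
    alphabet = "".join(pool_for(c, easy_to_read) for c in classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the forced characters are not always first
    return "".join(chars)


def password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniform draw of `length` characters from the alphabet."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is
    tried before the right password is hit. The guess rate is an assumption
    that depends entirely on how the site hashed the password."""
    return (alphabet_size ** length) / 2 / guesses_per_second


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_password(20, easy_to_read=True))
    full_alphabet = len("".join(CLASSES.values()))
    for n in (8, 12, 16, 20):
        years = crack_time_seconds(full_alphabet, n, 1e10) / (3600 * 24 * 365)
        print(f"{n} chars: {password_bits(full_alphabet, n):.0f} bits, "
              f"~{years:.3g} years at 1e10 guesses/s (assumed rate)")
```

The loop in the usage section shows why the tools report "centuries" only for long passwords: every extra character multiplies the search space by the alphabet size, so going from 8 to 16 characters moves the estimate from hours to longer than the age of the universe at the same guess rate.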

Check if your password has been compromised


With so many data breaches, it’s perhaps inevitable that one of your accounts will have been compromised at some point. 

If your account is part of a breach, the organisation should let you know. But to be on the safe side, you can check for yourself. 

Go to https://haveibeenpwned.com – a public service website created and maintained by one of the most respected names in the security industry, Troy Hunt. It’s safe to put your email address into the web form, and it will tell you if an account associated with that email address has been compromised in any of the breaches it has data on. 

Don’t panic if you do find that your account has been breached somewhere. But you do need to make sure you’ve changed the password for that account, and that you’re not using that password anywhere else. 
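Have I Been Pwned also publishes a Pwned Passwords service that checks a password itself without ever receiving it: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`; the reply lists every known suffix for that prefix with a breach count, and the match is made locally. The code below is an added example of that client-side logic, not code from HIBP or Which?; the range response is constructed inline (the count shown is not a real figure) so the example runs offline, and the optional fetch helper is the only part that would touch the network.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password: str):
    """k-anonymity: only the first 5 hex chars of the SHA-1 leave your machine.
    Returns (prefix, suffix) in the upper-case form the service uses."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """The response body is one 'SUFFIX:COUNT' pair per line."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_text: str) -> int:
    """Number of times the password appears in the breaches HIBP has data on,
    given the range response for its hash prefix; 0 means not found."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network helper (not called in the offline test): fetch the range body."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA61E4...). Counts are made up for this example.
SAMPLE_RESPONSE = """
0018A45C4D1DEF81644B54AB7F969B88D65:1
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000
"""

if __name__ == "__main__":
    for candidate in ["password", "Blue dogs walk backwards"]:
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: prefix {prefix}, seen {breach_count(candidate, SAMPLE_RESPONSE)} times")
```

A password that comes back with a non-zero count should be treated exactly as the article says: change it on that account and make sure it is not in use anywhere else, whether or not you personally were in the breach.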

Make sure your account details are up to date

Make sure that you’re not using an old email address or phone number with an online account. That way, if you do need to reset your password, the link to do that is sent to the right inbox – not an old one you no longer have access to.  




Join Which? Tech Support

Which? Tech Support can help you keep you on top of your tech. Our experts explain things clearly so that you can resolve issues and feel more confident using your devices.

Get unlimited 1-2-1 expert support:

  • By phone Clear guidance in choosing, setting up, using and resolving issues with your home tech devices.
  • By email Outline the issue and we’ll email you our answer.
  • By remote fix We connect securely from our office to your home computer and resolve issues while you watch.
  • In print Which? Tech magazine, six issues a year delivered to your door.

You can join Which? Tech Support for £49 a year.