There are a number of methods criminals can employ to crack passwords, including:

  • Intercepting them as they are transmitted over the network.
  • Brute force - automated guessing of millions of passwords.
  • Physically stealing them, for example when they are written down close to a device.
  • Searching IT infrastructure for stored password information.
  • Manual guessing based on easily accessible personal information (e.g. name, date of birth).
  • Shoulder surfing – observing people typing in their passwords in public places.
  • Social engineering – tricking people into handing over passwords.
  • Key-logging malware which records passwords as they are entered.

These methods help to highlight some basic precautions which users can take to protect themselves.

A key recommendation is to use a strong, non-predictable password. What makes a good password (and what doesn’t) is discussed further below.

It is also important not to use the same password for everything.

Different websites have different levels of security - if you use the same password everywhere, a criminal could crack it on a low-security site and then use it to access important information on higher-security sites.

On average, users use the same password across four different sites. Ideally, you should have a different password for every site and system you access.

However, it can be difficult to remember that many passwords in practice. As a minimum you should use a different password for the most sensitive sites you visit – such as email, online banking, and any other sites that hold confidential or financial information.

Alternatively, you could set up a system for passwords, for example using a core password which is complex and then adding letters or numbers to this relevant to the website name.

Other recommendations for individuals include:

  • Using two-factor authentication where possible. This requires two different methods to prove identity before you can use a service – for example a password and a unique code sent to a mobile number. Many online banking services already use this, and HMRC are rolling it out across their online services.
  • Be wary of public wi-fi, and do not use it to log onto secure sites.
  • Never log onto secure sites through following a link in an email: this is a common phishing scam.
  • Only use ‘remember password’ facilities on personal computers where you trust any other users.
  • Look for https:// or a small padlock symbol at the beginning of a website’s URL - this indicates the site is using a secure link.
  • Don’t enter passwords where someone may be able to see you typing.
  • Never send passwords by email.
  • Never share passwords, or leave them written down next to your computer or in an easily found place.
  • Don’t re-use passwords after giving them a break.

The main thing is to avoid using predictable passwords. Passwords should be easy to remember, but hard for somebody else to guess. The National Cyber Security Centre (NCSC) recommends that a good rule is to make sure that somebody who knows you well couldn’t guess your password in 20 attempts.

Passwords that are easily cracked tend to include:

  • Your actual or user name.
  • Place names.
  • Family members’ or pets’ names / birthdays.
  • Single dictionary words.
  • Personal information such as your date or place of birth.
  • Favourite sports teams or other things relevant to your interests.
  • Numerical or keyboard sequences (e.g. qwerty, 12345).

The most common passwords include 123456, password, 12345678, qwerty, 12345 and football.

Strong passwords will:

  • Be at least 8 characters long.
  • Use a combination of upper and lower case letters, symbols and numbers. Substituting numbers for letters (e.g. 3 for E or 1 for I) is, however, a well-known practice and should be avoided.

Very long and complex passwords are often viewed as being the strongest, but this is often not the case in practice. Such passwords are hard to remember and this can lead to people using coping mechanisms (such as writing passwords down or using the same password multiple times) which, ironically, make them more vulnerable to cyber criminals.

An easy way to create a secure password is to use three random words – for example coffeetrainfish or walltinshirt. The words you pick can be memorable, but shouldn’t be easy to guess (e.g. onetwothree) or too personal (e.g. pet names, children’s names).
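The following Python is an added example, not code from the original page or from the NCSC. It applies the page’s own heuristics (the common-password list above, the 8-character minimum, mixed character classes, keyboard sequences, number-for-letter swaps, and guessable personal details) as a checker, and then shows the "three random words" idea as a generator together with a search-space calculation. The `COMMON_PASSWORDS` set, the `WORDS` list and the guess rate of 1e9 per second are constructed for illustration; a real checker would use a large breached-password list and a real generator a wordlist of thousands of words. The entropy calculation goes beyond the page by showing that the strength of three random words depends on how many words there are to choose from.

```python
"""Password-hygiene checks based on the guidance above.

Added example, not code from the original page or from the NCSC.
COMMON_PASSWORDS, WORDS and the guess rate used below are constructed
for illustration only.
"""
import math
import re
import secrets

# Constructed: the six most common passwords named in the guidance.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345", "football"}

# Runs used to detect keyboard or numeric sequences such as "qwerty" or "12345".
SEQUENCE_ROWS = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "0987654321",
    "abcdefghijklmnopqrstuvwxyz",
)

# Well-known number-for-letter swaps; reversing them shows that "P4ssw0rd"
# is still just "password", which is why the guidance says to avoid them.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed word list for the "three random words" generator (real lists are far longer).
WORDS = ["coffee", "train", "fish", "wall", "tin", "shirt", "river", "lamp",
         "cloud", "stone", "pencil", "garden", "maple", "candle", "ocean", "bridge"]


def contains_sequence(password: str, min_run: int = 4) -> bool:
    """True if any keyboard-row, digit or alphabet run of min_run characters appears."""
    p = password.lower()
    return any(row[i:i + min_run] in p
               for row in SEQUENCE_ROWS
               for i in range(len(row) - min_run + 1))


def check_password(password: str, personal_info=()) -> list:
    """Return the reasons a password is weak; an empty list means no issue was found.

    personal_info holds strings someone who knows the user could guess from
    (name, pet, team, birth year); the caller supplies them."""
    problems = []
    lowered = password.lower()
    normalised = lowered.translate(LEET_MAP)  # undo 3-for-E, 1-for-I style swaps
    if lowered in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, password)) < 3:
        problems.append("uses fewer than three of upper, lower, digits, symbols")
    if contains_sequence(password):
        problems.append("contains a keyboard or numeric sequence")
    for item in personal_info:
        needle = item.lower()
        if needle and (needle in lowered or needle in normalised):
            problems.append(f"contains personal information '{item}'")
    return problems


def pick_words(count: int = 3, words=WORDS) -> list:
    """Choose words independently with a CSPRNG, as the 'three random words' advice suggests."""
    return [secrets.choice(words) for _ in range(count)]


def three_random_words() -> str:
    """Join the chosen words, e.g. 'coffeetrainfish'."""
    return "".join(pick_words())


def search_space_bits(options: int, count: int) -> float:
    """Entropy in bits of `count` independent choices from `options` alternatives.

    Works for characters (options = alphabet size, count = length) and for
    words (options = wordlist size, count = number of words)."""
    return count * math.log2(options)


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try every password in a space of 2**bits at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    for pw in ("password", "P4ssw0rd", "Qwerty12!", "Maple!cloud7ocean"):
        print(f"{pw!r}: {check_password(pw) or 'no issue found'}")
    print("generated:", three_random_words())
    # Why wordlist size matters: three words from 16 options vs from 7776
    # (a Diceware-sized list), compared with 8 characters from a 94-symbol
    # keyboard alphabet, at a constructed offline rate of 1e9 guesses/second.
    for label, bits in (("3 words from 16", search_space_bits(16, 3)),
                        ("3 words from 7776", search_space_bits(7776, 3)),
                        ("8 chars from 94", search_space_bits(94, 8))):
        print(f"{label}: {bits:.1f} bits, ~{brute_force_seconds(bits, 1e9):.0f} s to exhaust")
```

The checker deliberately normalises number-for-letter swaps before consulting the common-password list, so `P4ssw0rd` is rejected for the same reason as `password`. The last loop makes the point the page leaves implicit: three words drawn from a tiny list give only 12 bits and are exhausted in microseconds, whereas the same three words from a list of several thousand are comparable to a short mixed-character password, and far easier to remember.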

You can also watch these videos to learn more about the safety practices to adopt to keep yourself safe online.