HowSecureIsMy.com
Based on NCSC Official Guidance

Password Best Practices

Everything you need to know about creating, managing, and protecting strong passwords — based on official UK National Cyber Security Centre guidance.

The Three Random Words Method

The UK's National Cyber Security Centre recommends a surprisingly simple approach to creating strong, memorable passwords: combine three random words. A password like CoffeeBridgeRocket is both long enough to be secure and easy enough to remember.

The key insight is that length beats complexity. A 20-character password made of three common words is far harder to crack than an 8-character password full of symbols — because the sheer number of possible combinations is astronomically larger.

Why this works

Three random words create a password of about 18 or more characters. At 10 billion guesses per second, it would take millions of years to crack by brute force. Make it even stronger by adding a number or symbol: CoffeeBridgeRocket7!

Important: make the words truly random

Don't pick words that relate to you (your pet's name, your city). Use a random word generator or open a dictionary to a random page. The randomness is what makes it strong.
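
The advice to use a random word generator, and the 10 billion guesses per second estimate under "Why this works", can be checked with a few lines of Python. This is an added example, not code from HowSecureIsMy.com or the NCSC; the sample word list and the 7,776-word list size are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample list, for the demo only. A real generator needs a list of
# several thousand words; the list size drives the estimates below.
SAMPLE_WORDS = ["coffee", "bridge", "rocket", "lantern", "pebble", "orchid",
                "saddle", "marble", "canyon", "thistle", "walnut", "harbor",
                "velvet", "puzzle", "glacier", "tunnel"]

GUESSES_PER_SECOND = 10_000_000_000  # the rate quoted in the guide
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def three_random_words(wordlist=SAMPLE_WORDS, count=3):
    """Pick words with the OS CSPRNG and join them as in CoffeeBridgeRocket."""
    words = sorted({w.strip().lower() for w in wordlist if w.strip()})
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def entropy_bits(choices_per_slot, slots):
    """Bits of entropy when every slot is chosen uniformly at random."""
    return slots * math.log2(choices_per_slot)


def years_to_exhaust(choices_per_slot, slots, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every combination at the given guess rate."""
    return choices_per_slot ** slots / rate / SECONDS_PER_YEAR


def report(label, choices, slots):
    print(f"{label:<44} {entropy_bits(choices, slots):6.1f} bits "
          f"{years_to_exhaust(choices, slots):10.3g} years")


if __name__ == "__main__":
    print("generated:", three_random_words())
    # Every string of 18 upper/lower-case letters is tried in turn.
    report("18 letters, guessed letter by letter", 52, 18)
    # The method and the list are assumed known; whole words are tried.
    report("3 words from the 16-word sample list", len(SAMPLE_WORDS), 3)
    report("3 words from a 7,776-word list", 7776, 3)
    report("4 words from a 7,776-word list", 7776, 4)
```

Run as a script, it shows that the "millions of years" figure applies to letter-by-letter guessing. Against word-by-word guessing the strength comes from the size of the list and the number of words, so draw the words from a large list and let the generator, not you, make the choice.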

Why You Need a Password Manager

The average person has over 100 online accounts. Remembering a unique, strong password for each one is impossible — which is why most people reuse passwords. This is one of the most dangerous habits in cybersecurity: if one site is breached, attackers try your password on every other site you use.

A password manager solves this completely. It generates and stores a unique, random password for every site. You only need to remember one master password. The NCSC explicitly recommends using a password manager as a core security practice.

Two-Factor Authentication (2FA)

Even a perfect password can be stolen through phishing or data breaches. Two-factor authentication (2FA) adds a second layer of security: even if someone has your password, they still can't log in without your second factor.

SMS 2FA (Avoid if possible)

Text message codes are better than nothing, but they are vulnerable to SIM-swapping attacks, where criminals convince your mobile carrier to transfer your number to their device.

Authenticator Apps (Recommended)

Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes that are not vulnerable to SIM-swapping. Always prefer these over SMS.

Passkeys — The Future of Login

Passkeys are the next generation of authentication. Instead of a password, they use your device's biometrics (Face ID, fingerprint) to prove your identity. They are phishing-proof by design. Major platforms including Apple, Google, and Microsoft now support passkeys.

The 5 Most Dangerous Password Mistakes

1. Reusing passwords across sites
   If one site is breached, attackers will try your credentials everywhere. Use a unique password for every account.

2. Using personal information
   Birthdays, names of pets, children, or partners are the first things attackers try. Never use information that could be found on your social media.

3. Using common passwords
   Passwords like 'Password1!' meet complexity requirements but appear in every hacker's dictionary. Length and randomness matter more than symbols.

4. Storing passwords in a browser without a master password
   Browser-saved passwords are convenient but can be extracted by malware. A dedicated password manager with a strong master password is far safer.

5. Never changing compromised passwords
   Check haveibeenpwned.com regularly. If your email appears in a breach, change the affected password immediately.

Sources: This guide is based on official guidance from the UK National Cyber Security Centre (NCSC) and the NCSC Password Manager guidance.