What are the best practices regarding setting up and maintaining the security of passwords?

Create Better Passwords

Create long passwords or passphrases

Make your passphrases at least 14 characters long, ideally as four or more random words whenever you can.

Create complex passphrases

To make a passphrase more difficult to guess, use a combination of different character sets: capital letters, lowercase letters, numbers and special characters.

Create unpredictable passphrases

A passphrase can be in the form of a lyric, quote or sentence, but that's predictable. Using a random mix of unrelated words is far more unpredictable and will produce a stronger passphrase.

Create unique passphrases

Use a unique passphrase for every valuable account. Reusing a passphrase makes every account that shares it more vulnerable, because one breach exposes them all. The inconvenience of maintaining unique passphrases for every valuable account is worth it for the trouble it causes adversaries trying to steal from you. One way to reduce the burden of having unique passphrases for every valuable account is to add a modifier to each one based on the service it relates to. For example, ‘crystal onion clay @Pretzel faceb00k’ or ‘#insta crystal onion clay @Pretzel’.
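As an added example (not part of the original FAQ or the ACSC guidance it cites), this Python script builds a random-word passphrase the way the advice above describes and checks a candidate against the length and character-set rules. The wordlist, the pass/fail rule and the function names are assumptions made for the example.

```python
import math
import secrets
import string

# Constructed sample wordlist (an assumption for this example). A real generator
# should draw from a published list of several thousand words, since the
# strength of a random-word passphrase comes from the size of the list.
WORDLIST = [
    "crystal", "onion", "clay", "pretzel", "harbor", "violet", "ladder",
    "marble", "saddle", "thunder", "pencil", "walrus", "copper", "meadow",
    "basket", "candle", "forest", "garden", "helmet", "island", "jungle",
    "kettle", "lantern", "magnet", "nickel", "orbit", "puzzle", "quartz",
    "rocket", "silver", "timber", "window",
]

MIN_LENGTH = 14   # minimum passphrase length recommended above
MIN_WORDS = 4     # minimum number of random words recommended above


def generate_passphrase(wordlist=WORDLIST, num_words=MIN_WORDS, separator=" "):
    """Pick num_words words uniformly at random using the OS CSPRNG (secrets),
    never random.choice, whose output is predictable."""
    if num_words < MIN_WORDS:
        raise ValueError(f"use at least {MIN_WORDS} words")
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def entropy_bits(num_words, wordlist_size):
    """Entropy of num_words uniform picks out of wordlist_size candidates:
    log2(wordlist_size ** num_words). A lyric or quote has far less."""
    return num_words * math.log2(wordlist_size)


def check_passphrase(passphrase, min_length=MIN_LENGTH):
    """Return (ok, report). ok requires the length minimum plus either four or
    more words or at least three of the four character sets (assumed rule)."""
    sets_used = sum(
        any(ch in charset for ch in passphrase)
        for charset in (string.ascii_uppercase, string.ascii_lowercase,
                        string.digits, string.punctuation)
    )
    words = len(passphrase.split())
    report = {"length": len(passphrase), "words": words, "charsets": sets_used}
    ok = len(passphrase) >= min_length and (words >= MIN_WORDS or sets_used >= 3)
    return ok, report


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_passphrase(phrase))
    print(f"{entropy_bits(4, len(WORDLIST)):.1f} bits from this small list; "
          f"{entropy_bits(4, 7776):.1f} bits from a 7776-word list")
```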

Protect your passphrases

Secure your passphrases

Password managers enable good cyber security habits. Having a unique passphrase for every valuable account may sound overwhelming; however, using a password manager to save your passphrases will free you of the burden of remembering which passphrase goes where. You may choose to keep track of your passphrases in a notebook rather than a password manager. No matter how you keep track of your passphrases, ensure you have a secure storage method.

Protect what protects you

Do not share your passphrases with anyone, and be aware of your surroundings when using them in public. Use trusted Wi-Fi, trusted telecommunication networks or a Virtual Private Network (VPN) when accessing valuable accounts. Free public Wi-Fi, without the use of a VPN, can potentially expose your browsing activity. Log off and sign out of accounts when you finish using them. Keep the passwords for all of your electronic devices secure and protected. Lock computers when leaving your desk; phones and tablets must be configured to require a password or PIN code to access the device.

Think critically when answering phone calls, messages and emails. Are the senders really who they say they are? Be wary of requests for personal details, passphrases or financial details, particularly if the message sounds urgent. If you doubt the communicator's identity, delay immediate action. Re-establish communication later with the organisation using contact details you have found independently, using trusted sources.

If a passphrase has been compromised, change it immediately and never use it again.

Ref: ACSC - Creating Strong Passphrases
