How do I know if my passwords are safe?
Your passwords are safe if they're complex (use a combination of letters, numbers, and special characters), long (at least 16 characters), and stored somewhere safe (like a password manager).
If any of your passwords don't fit the criteria above, they are likely unsafe.
One of the quickest ways to check if your password is safe is by using a strength checker, which assesses the characteristics of your password and notifies you if it's weak or strong.
How long should my passwords be?
We recommend at least 16 characters long.
Why? Because complex 16-character passwords would typically take centuries to crack. In comparison, a simple 8-character password could be cracked in less than 24 hours.
However, it’s still important to check if your passwords are strong enough — even simple 16-character passwords (e.g. "thisismypassword”) are easier to crack than complex alternatives (e.g. "TH15i$mYP4s5W0rD”).
What is the safest password possible?
There is no one password that is considered the safest. However, you can ensure your password is safe by checking its strength and updating it if it’s weak.
Safe passwords usually have a combination of factors that make them hard for hackers to crack:
- Good length — We recommend at least 16 characters or longer.
- Random — Passwords with a randomized combination of characters are safer than simple, commonly-used words or phrases.
- Variety of characters — A combination of uppercase and lowercase letters, numbers, and special characters are harder to crack.
However, password safety also involves a variety of measures, including regularly changing passwords (we recommend you change your most important credentials monthly), regularly checking if your login details have been involved in a data breach, and using two-factor authentication to further protect your accounts.
How do hackers steal passwords?
One of the most common password-stealing techniques is phishing, where hackers set up fake websites and deceive users into entering their login details. For example, hackers could create a fake banking webpage and convince unsuspecting users to enter their private banking details.
Hackers typically send phishing links via email, posing as representatives of legitimate companies. But phishing sites can also be found on social networking sites and even in search engine results.
There are many other ways your password can be stolen, including when company servers are breached or malware (like spyware) covertly monitors your keyboard strokes.
Hackers can also break into accounts using brute-force attack software, which attempts to guess account passwords at a rate of hundreds per second.
What is password entropy?
Password entropy is a form of measurement used to determine how difficult it is for a hacker to crack a password — the higher the entropy score, the harder it is to crack. Password strength checkers use this to help you determine how safe your password is (and if you need to strengthen it).
Entropy is measured in "bits”. It’s calculated by measuring password length and the variety of characters used e.g. uppercase and lowercase letters, digits, and special characters.
A simple phrase like "hello" has a lower entropy as it’s short and doesn’t use a variety of characters. But a complex password like "Gp6-7!$f0O^M>14£@-+_%k" has a higher entropy as it’s long and uses a wide variety of characters, which makes it harder to crack.
What are the most commonly used passwords?
According to the UK’s National Cyber Security Centre, the most commonly used passwords are "123456”, "123456789”, "qwerty”, "password”, and "1111111”, all of which are easy to remember, hence why so many people use them.
All of the above are very easy for hackers to guess, so it's always best to use unique, complex passwords, and change them every few months. You can use a strength checker to easily assess whether your passwords are weak or strong.
What is two-factor authentication (2FA) and should I use it?
Two-factor authentication (2FA) is a security method that requires users to provide an extra form of verification along with their username and password when accessing their accounts.
For example, when logging into your Facebook account, you’ll need to enter a one-time code generated by an authenticator app (like Google Authenticator) or sent to you via SMS.
There are many forms of 2FA, including one-time codes, hardware keys, and biometric authentication (fingerprint scanning or facial recognition).
Even if you have 2FA set up on your account, it's still important to make sure that you're using strong passwords and not reusing them across multiple sites or services. You should also keep an eye on any suspicious activity on your accounts—like new accounts being created or sudden changes in spending habits—and report it immediately if something seems off.
Is it worth using a password manager?
In short, yes. Password managers offer many benefits, including:
- Security. All your details are stored in an encrypted digital vault, so they're safe from hackers.
- Convenience. With one click, you can automatically fill in your login credentials, so you don’t have to repeatedly type them manually.
- Password auditing. This feature notifies you if your passwords are weak, old, reused, or compromised, which allows you to update your password quickly.
Browser password managers (like the one built into Google Chrome) are easy-to-use and convenient, but standalone password manager apps tend to offer more features and better security overall.
What is a master password?
A master password is required to unlock your password manager. As password managers use encryption to secure stored data, the master password is linked to your vault’s decryption key, which is needed to access the data stored in your vault.
To keep bad actors from accessing your vault, you should set up a strong master password that is not easy to guess or crack. You should also change it periodically (such as once per quarter) to avoid being hacked.
Pro tip: Set up two-factor authentication (2FA) to further protect your vault. This is an extra verification step that protects your data even if hackers managed to crack your password.
We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.