Passwords and passphrases
Passwords and PINs are used to identify who you are. Sometimes they are the only defence to protect your information against unauthorised access.
If your password or PIN is captured, guessed or stolen, an attacker can potentially:
- send emails from your accounts
- withdraw money from your bank accounts
- change files on your computer, or
- pretend to be you.
Passwords and PINs should be a secret known only to you. Strong passwords are difficult to guess and should be:
- greater than 10 characters long
- a mix of upper and lower case letters, numbers and other symbols.
Do not include:
- recognisable words or names, in any language
- repeated characters
- personal information
- anything you have previously used.
Weak passwords are easy for a criminal to guess. Criminals use automated software that can guess thousands of passwords per minute.
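As an added example (not from the page), a small Python checker that applies the rules above to a candidate password; the blocklist of recognisable words and personal details and the list of previously used passwords are constructed placeholders.

```python
import re
import string

# Constructed placeholder data, not from the page: recognisable words, names and
# personal details to reject, and passwords the user has used before.
BLOCKLIST = ("june", "school", "holidays", "australia", "password", "alice")
PREVIOUSLY_USED = {"Ilike0zzieR3dwine"}


def check_password(pw, blocklist=BLOCKLIST, history=PREVIOUSLY_USED):
    """Return the rules the password breaks (an empty list means it passes)."""
    problems = []

    # Rule: greater than 10 characters long.
    if len(pw) <= 10:
        problems.append("not greater than 10 characters")

    # Rule: a mix of upper and lower case letters, numbers and other symbols.
    has_classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(has_classes):
        problems.append("needs upper and lower case letters, numbers and symbols")

    # Rule: no repeated characters (interpreted here as three or more of the
    # same character in a row, so a double letter such as "oo" is tolerated).
    if re.search(r"(.)\1\1", pw):
        problems.append("contains repeated characters")

    # Rule: no recognisable words, names or personal information.
    lowered = pw.lower()
    for word in blocklist:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains recognisable word or personal detail: {word!r}")

    # Rule: nothing you have previously used.
    if pw in history:
        problems.append("previously used")

    return problems
```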
Use password tiers
| Password tier | Account risk | Account types | Action |
|---|---|---|---|
| Tier 1 | High risk accounts | | Use unique and complex passwords |
| Tier 2 | Low risk accounts | | Less complex passwords are required |
You can install a password manager on your PC, smartphone or tablet. It will generate and remember strong, unique passwords for you, and some will sync between your devices. The downside is that if the password manager is breached, every password stored in it is accessible.
Make passwords easy to remember
Think of a passphrase and then change some of the characters to make it a strong password. For example:
- 'June School Holidays' can be modified to 7un3Schoo1Ho!idays.
- 'I like Australian red wine' can be modified to Ilike0zzieR3dwine.
- 'Be good, be wise' can be modified to B3g00db3wi5e$.
It is always better to create and use a strong password, write it down and keep it safe than to use a weak password.
Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls.
- Don't use the same password for multiple services or websites.
- Don't share your passwords with anyone.
- Don't provide your password in response to a phone call or email, regardless of how legitimate it might seem.
- Don't provide your password to a website you have accessed by following a link in an email – it may be a phishing trap.
- Be cautious about using password-protected services on a public computer, or over a public wi-fi hotspot.
- Change your passwords regularly, at least every three to twelve months. If you think your password may have been compromised, change it immediately and check for any unauthorised activity. If the same compromised password has been used on another site, create a new password there as well.
Treat PINs in the same way you would a password
- Don't use obvious patterns like 1234, 4321 or 7777.
- Don't use postcodes, birthdays or other significant dates and numbers.
- PINs should be a random mix of numbers, letters and characters.
Find out more:
- Information on recent threats: sign up to the free Stay Smart Online Alert Service.
- A full list of useful contacts can be found on the Contact us page.