You use passwords to access your bank accounts, social media, email and more every day.

Passwords are the keys to our online identity. That’s why protecting them is so important.

Creating a strong password is the first step to protecting yourself online. This helps reduce the risk of unauthorised access by those willing to put in a bit of guesswork.

To help stay safe online, follow these password tips.

1. Make your passwords strong

Short and simple passwords might be easy for you to remember, but unfortunately they're also easier for cyber criminals to crack.

Strong passwords have a minimum of 10 characters and use a mix of:

  • uppercase and lowercase letters
  • numbers
  • special characters like !, &, and *.

Use passphrases

You may like to consider using a passphrase instead of a traditional password.

Passphrases are considered more secure than regular passwords, and easier to remember too.

A passphrase is used in the same way as a password, but is a longer collection of words that is meaningful to you and not to someone else.

For example, the passphrase ‘CloudHandWashJump7’ is 17 characters long and contains a range of different characters. This is more complex than the average password.

Having complex passwords is important to deter 'brute force' attacks, in which a computer program cycles through every possible combination of characters to guess a password. These automated attempts at guessing passwords are not slowed down by numbers or capital letters, but depend on how long a password is.

Depending on the systems you access, you may be limited to a defined number of characters.

2. Make passwords hard to guess

Could someone who knows you guess your passwords? For this reason, it’s best to avoid using personal information such as your children’s, partner’s or pet’s name, favourite football team or date of birth as your password.

When trying to hack into an online account, cyber criminals start with commonly found words and number combinations.

So it's best to avoid using:

  • dictionary words
  • a keyboard pattern like qwerty
  • repeated characters like zzzz
  • personal information like your date of birth or pet’s name.

Security companies publish lists each year of the most common passwords exposed in data breaches. Read the list from 2020. Make sure you’re not using them, because it’s likely criminals will try these passwords first.

3. Create new, unique passwords

If you need to reset a password, don’t just change one part of it.

Instead of changing a number at the beginning or end, create something completely new you’ve never used before.

If your original exposed password had a ‘1’ at the end, an attacker would likely try ‘2’ next. That’s why it’s important to change the whole password.

Get into the practice of changing your password often, ideally every few months.
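
The checks from tips 1 to 3 can be applied automatically when a password is chosen or reset. The following is an added example, not code from NAB: the function names, the short COMMON list (a constructed stand-in for a published list of breached passwords) and the "three of four character types" threshold are assumptions made for illustration.

```python
import re

# Constructed sample; in practice load a published list of breached passwords.
COMMON = {"password", "123456", "qwerty", "iloveyou", "letmein"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def char_classes(pw):
    """Count which of the four character classes from tip 1 appear."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def has_keyboard_run(pw, run=4):
    """True if `run` consecutive keys from one keyboard row appear."""
    low = pw.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def stem(pw):
    """Password with leading/trailing digits removed, lowercased."""
    return re.sub(r"^\d+|\d+$", "", pw).lower()


def check_password(pw, previous=None, personal=()):
    """Return a list of problems; an empty list means no rule was broken."""
    issues = []
    if len(pw) < 10:
        issues.append("shorter than 10 characters")
    if char_classes(pw) < 3:          # assumption: 3 of 4 classes is enough
        issues.append("too few character types")
    if stem(pw) in COMMON or pw.lower() in COMMON:
        issues.append("common password")
    if has_keyboard_run(pw):
        issues.append("keyboard pattern")
    if re.search(r"(.)\1{3}", pw):
        issues.append("repeated characters")
    if any(p and p.lower() in pw.lower() for p in personal):
        issues.append("contains personal information")
    if previous and stem(pw) == stem(previous):
        issues.append("only a number changed from previous password")
    return issues
```

Passing the old password as `previous` catches the "change the 1 to a 2" reset described in tip 3, and `personal` takes the names and dates from tip 2 that should not appear in the password.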

4. Don’t share passwords, ever.

Never share your password with someone, not even with someone you trust.

What about family and friends?

Regardless of whom you share it with, once you share your password you lose control of how it’s stored or how and when it’s used.

What if a business or company I know asks for my password?

Reputable companies won’t ask you to give them your password over the phone or via emails or SMS messages. This might be a warning sign of phishing or a scam; you can read more about phishing on our security alerts page.

NAB will never ask you for your password or PIN, either by email, SMS, over the phone or at a branch. We may ask you to provide a one-time code to verify yourself when you call our contact centre. These messages will clearly state that we will ask you for the code.

You may not be covered for fraud

One of your responsibilities as a NAB account owner and user of internet banking is to protect your password. Sharing your passwords or PINs may affect a claim for any money lost due to fraud.

5. Use different passwords for each of your online accounts

Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password.

Make each of your passwords for online logins unique. This will help protect you from attacks like ‘credential stuffing’. 

Credential stuffing 

Credential stuffing is an automated technique used by criminals. They test a user's known username and password combinations across multiple online accounts.

As many people use the same credentials for multiple sites, it can give criminals easy access to multiple accounts.  

This gives criminals an opportunity to gather more information about you, which they might use to impersonate you online to access accounts under your name.

For example, it’s not a good idea to use the same password for an online pizza delivery website and your business email. If the pizza delivery site is compromised, you don’t want someone to also have access to your business email account.

6. Store passwords safely

Writing passwords down is never recommended. You could lose them, or someone else could see them and use them.

Password management tools

There are programs and apps known as password managers that will store all your passwords in a secure vault.

A password manager only needs one strong password to access it and has extremely strong protection to make sure that only you can access it.

This means you only need to remember one password to have access to all your passwords.

Password safes can even generate and store new, complex passwords for you when you create new online accounts.

Don’t allow web browsers to store your NAB password

Some web browsers may display a pop-up message, asking whether you want the browser to remember your login details.

For the protection of your personal information, NAB recommends that you select 'Never for this site' if you see this message when using NAB Internet Banking.

For more information, check out the Australian Cyber Security Centre’s guide on creating secure passphrases.

Helpful resources

How we can help

If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.

IDCARE

IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.

IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.

Australian Government | Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.

Australian Government | ReportCyber

ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.

Australian Competition and Consumer Commission | Scamwatch

Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.

Australian Government | Office of the eSafety Commissioner

The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and addresses illegal online content.

Australian Government | Attorney-General’s Department

The Attorney-General’s Department website provides helpful information and resources about your rights and protections with regard to identity security, freedom of information and cyber security. The Department has developed a range of resources to help people protect their identity and recover from the effects of identity crime.
