What a strong passphrase looks like
- At least 14 characters.
- Four or more random words — not a phrase tied to family, pets or birthdays.
- Mix of upper and lower case, numbers and symbols.
- Easy for you to remember, hard for anyone else to guess.
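The rules above, turned into a generator and a checker. This is an added example, not part of the original page; the function names, the short word list (constructed so the block runs offline), the `-` separator and the symbol set are assumptions. The entropy figure shows why the size of the word list matters as much as the number of words.

```python
import math
import secrets
import string

# Constructed sample list so the block runs offline. Real use needs a large
# published list (thousands of words), or each word adds too little entropy.
SAMPLE_WORDS = ["anchor", "basket", "cactus", "dinghy", "ember", "fennel",
                "gravel", "harbor", "icicle", "jigsaw", "kettle", "lantern",
                "magnet", "nutmeg", "orchid", "pebble"]
SYMBOLS = "!@#$%&*?"  # assumed symbol set

def generate_passphrase(words=SAMPLE_WORDS, count=4):
    """Pick `count` words with the OS CSPRNG, then add case, a digit, a symbol."""
    picked = [secrets.choice(words) for _ in range(count)]
    i = secrets.randbelow(count)
    picked[i] = picked[i].capitalize()
    return "-".join(picked) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)

def entropy_bits(wordlist_size, count=4):
    """Entropy of the generator's output when the attacker knows the scheme."""
    return (count * math.log2(wordlist_size)   # random words
            + math.log2(count)                 # which word is capitalised
            + math.log2(10)                    # one digit
            + math.log2(len(SYMBOLS)))         # one symbol

def check_rules(passphrase):
    """Return the character rules from the list above that the passphrase fails.
    Randomness of the words cannot be checked from the string itself."""
    failures = []
    if len(passphrase) < 14:
        failures.append("shorter than 14 characters")
    if not (any(c.islower() for c in passphrase)
            and any(c.isupper() for c in passphrase)):
        failures.append("needs upper and lower case")
    if not any(c.isdigit() for c in passphrase):
        failures.append("needs a number")
    if not any(not c.isalnum() and not c.isspace() for c in passphrase):
        failures.append("needs a symbol")
    return failures

if __name__ == "__main__":
    p = generate_passphrase()
    print(p, check_rules(p))
    print(f"16-word sample list: {entropy_bits(len(SAMPLE_WORDS)):.1f} bits; "
          f"7776-word list: {entropy_bits(7776):.1f} bits")
```

Four words from the 16-word sample list give about 24 bits, while the same scheme over a 7,776-word diceware-style list gives about 60 bits.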
How attackers break passwords
- Phishing and social engineering — tricking you into revealing it.
- Brute force — software trying billions of combinations per second.
- Dictionary attacks — trying common words and predictable variations (password1, password123).
- Credential stuffing — taking leaked usernames and passwords from one site and trying them everywhere.
Password managers
A password manager generates and remembers a unique strong passphrase for every site, encrypted behind one master passphrase. You only need to remember the master. Choose a standalone (offline-capable) manager if possible, and protect the master passphrase with MFA. If you lose the master, you typically cannot recover the vault — back up the master safely.
Five rules for strong passphrases
- Never share your passphrases with anyone.
- Use a different passphrase for every account.
- If you cannot remember them all, use a password manager — protect the master with MFA.
- Change a passphrase immediately if you suspect it has leaked.
- Aim for 14+ characters mixing cases, numbers and symbols.
Tools
- ID Support NSW — Password strength tester
Anonymous — does not store or send your password.
- CHOICE — Password manager review
- Have I Been Pwned — Check if your email was in a breach