The single biggest thing most people can do to improve their security is use strong, unique passwords for every account. It sounds like a lot, but with the right approach it's very manageable.

What Makes a Password Strong?

Modern guidance (from the US NIST, UK NCSC, and Canadian CRA) has shifted away from complex "P@ssw0rd!" style passwords. What actually matters is:

  • Length: Longer is stronger. Aim for at least 12 characters, ideally 16+.
  • Uniqueness: Every account should have a different password. If one site is breached, all your other accounts stay safe.
  • Unpredictability: Avoid personal information — names, birthdays, favourite teams — that someone could guess.

A Simple Method: Passphrase

Pick four or five random words and join them: correct-horse-battery-staple is the famous example. It's long, memorable, and vastly harder to crack than "P@ssword1". Add a number and a symbol if the site requires it.
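As an added illustration (not part of the original article), here is a small Python passphrase generator together with the entropy arithmetic behind "length beats complexity". The toy wordlist is constructed for the demo, and the 7776-word list size is an assumption based on the EFF long wordlist a real generator would use.

```python
import math
import secrets

# Constructed toy wordlist for the demo (assumption: a real generator would
# draw from a large published list such as the 7776-word EFF long wordlist).
WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit",
    "pillow", "garden", "violin", "meadow", "falcon", "copper", "jungle",
    "anchor", "bright",
]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 94  # symbols available to a fully random character password


def generate_passphrase(words, count=4, separator="-"):
    """Join `count` words chosen uniformly at random with the OS CSPRNG.

    secrets.choice is used rather than random.choice: the random module
    is not suitable for generating secrets.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty wordlist")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size`.

    This is an upper bound that only holds when every symbol is chosen at
    random. A human-chosen pattern such as "P@ssword1" is far weaker than
    the formula suggests because it appears on cracking wordlists.
    """
    if pool_size < 2 or length < 1:
        raise ValueError("pool must have >= 2 entries and length >= 1")
    return length * math.log2(pool_size)


def strength_report():
    """Compare random words against random characters, rounded to 0.1 bit."""
    return {
        "4 words, 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 4), 1),
        "5 words, 7776-word list": round(entropy_bits(EFF_LONG_LIST_SIZE, 5), 1),
        "8 random printable chars": round(entropy_bits(PRINTABLE_ASCII, 8), 1),
        "9 random printable chars": round(entropy_bits(PRINTABLE_ASCII, 9), 1),
        "4 words, 16-word toy list": round(entropy_bits(len(WORDLIST), 4), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(WORDLIST, 5))
    for label, bits in strength_report().items():
        print(f"{label}: {bits} bits")
```

The toy list row shows why the wordlist has to be large: four words from 16 candidates give only 16 bits, so a short list with many words is no substitute for a long one.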

Why You Need a Password Manager

Nobody can remember a unique 16-character password for every site they use. A password manager does it for you — it stores all your passwords securely behind one master password, and can generate strong random passwords automatically.

Free options that work well

  • Bitwarden — free, open-source, works on Windows, Mac, iOS, and Android. Highly recommended.
  • KeePass — free and open-source, stores everything locally on your computer.
  • Browser built-in managers — Chrome, Edge, Firefox, and Safari all have built-in password managers that sync across your devices. They're not as feature-rich but are far better than reusing passwords.

Getting Started with Your Browser's Password Manager

  1. In Chrome or Edge, go to the three-dot menu > Passwords (or Settings > Autofill > Password Manager).
  2. Turn on Offer to save passwords.
  3. Next time you log in somewhere, let the browser save it.
  4. For existing accounts with weak passwords, the manager will prompt you to update them.

Never share your passwords — not with a caller claiming to be from Microsoft, your bank, or any tech support service. Real support staff do not need your password to help you.

Once you have a password manager in place, you can start going through your accounts and upgrading the weak ones. Focus first on email, banking, and any account where you can make purchases.