Language selection


Tips for creating and managing your passwords

Choosing the right passwords can help you control your personal information and prevent it from being stolen. If someone obtains your password, they may be able to get into your accounts, see your activities and even pretend to be you.

On this page

Create strong passwords

Passwords remain a common form of account protection. To ensure their effectiveness, we recommend the following tips:

  • If possible, use a passphrase—these are longer passwords that contain 15 characters or more and can be easier to remember
  • Passphrases should contain at least four unique words strung together—an easy way to select words is to use associations, like four items that you may find in your living room such as “Lamp Computer Toys Curtains.”
  • Or, use a complex password if you cannot use a passphrase or if the password must be shorter than 15 characters. Complex passwords should contain a mix of letters (lowercase and upper case), numbers, and symbols, for example “L@mp*c0mput3r!”.
  • Choose a password that you will remember, but that will not be easy to guess—avoid things like your mother’s maiden name, a family pet or a reference to something you have posted publicly
  • If you have purchased an Internet-connected device such as a webcam, be sure to change the default passwords—see our security advice on smart devices and your privacy

For more information on passwords see best practices for passphrases and passwords from the Canadian Centre for Cyber Security.

Protect your passwords

When you create a new password, never share it with anyone and never reuse it. Reusing passwords, even strong ones, may leave your accounts vulnerable. One compromised password may allow an attacker access to multiple accounts.

This is particularly important for any accounts that contain financial information or a lot of personal or very sensitive information. The repercussions could be worse if these accounts are compromised. There are a number of ways to store your passwords and some of them are more secure than others.

Using a password manager

Using a password manager not only creates strong, unique passwords, but also acts as a password vault by storing credentials for different websites, applications and services.
Important: If you use a password manager, do not use it to save passwords for sensitive accounts, such as banking and email services.

Your email account is particularly attractive to attackers. By accessing your inbox, they can reset passwords to other accounts or forward emails containing more of your personal information to their own account. If an attacker accesses your business email account, they could pose as the legitimate account holder and send out scam emails to defraud others.

While password managers help users cope with many passwords, there are risks. One of the biggest risks is that, if an attacker accesses your password manager, all passwords stored within it will be compromised.

Do your research and find a password manager that you think you can trust. Good password managers support features like:

  • multi-factor authentication
  • flagging weak or reused passwords
  • notifying you about compromised websites

Of course, you should use a strong password to secure your password manager.

Storing passwords in a web browser

You could store online passwords in a web browser using the ‘remember me’ function.

This approach makes password storage easy because you can access your accounts using the saved password from any device where you are signed into the same web browser. Automatic logins can be convenient but are not a good idea if you are sharing a computer. In that case, create your own account and log out after each session.

Important: Never store a password on a public browser (for example, at a library or Internet café), since your credentials could be exposed.

Regardless of whether you share a computer or have your own, always lock your computer when you are not using it.

Writing down a list of passwords

Writing down your passwords is not the most secure option, but it is one way to manage many passwords. If you decide to write down your passwords, keep the list in a secure place, ideally in a locked safe, away from the computers and devices that the passwords protect. Only take the list out when you need to use it, and then put it away.

You can increase security by writing down the accounts that correspond to the passwords in a separate document, which you would store in a different, secure location from the passwords.

Hardware token

You could use a hardware token such as a security key, which is a small device that you can buy and plug into a computer or laptop to authenticate yourself.


Another option is to use one of your biometric traits, such as a fingerprint, retina scan, facial or voice recognition.

Enable multi-factor authentication

Multi-factor authentication means that you need more than one identifying factor to gain access to an account. Other ways to identify yourself in addition to entering a password, passphrase or PIN include:

  • requesting a phone call to a landline
  • using an authenticator app on your smart phone and tablet
  • using a hardware token
  • using a biometric trait

Common options for multi-factor authentication are to receive an SMS text message, verification PIN or phone call on your mobile device.

Using SMS text or a phone call to your mobile device increases your risk if you are the target of a SIM swap attack. In these attacks, a hacker redirects the phone number used to receive the SMS text and accesses the text message without needing the physical phone. See our blog post on SIM card swap scams to learn more, including what you can do to mitigate the risk.

Note: Although there are risks, setting up any type of multi-factor authentication, including SMS text or a phone call on your mobile device, is a highly effective protective measure and better than not having it at all.

Prevent credential stuffing cyber attacks

Multi-factor authentication and not reusing your passwords are the most effective ways to prevent credential stuffing. In a credential stuffing attack, hackers use stolen log-in details (your username or email address and password) from one website and then “stuff” these credentials into the log-in pages of other websites and systems until they find matches. Their hope is that you have used the same password for multiple accounts. Once a hacker has access to an account, they can change your password, steal credit card information, make unauthorized transactions, or conduct other fraudulent activities. See our information on credential stuffing to learn more.

If your account is compromised

If you suspect that your account has been compromised, take the following steps to protect yourself:

  • Change your password immediately
  • If you have used this password for other accounts, change it on those accounts too
  • Check your account information carefully to make sure that there are no unauthorized changes or transactions
  • If applicable, change your security questions and answers
  • Check your credit card and bank accounts for suspicious activity
  • If your credit card is linked to a compromised account, contact your bank
  • Contact the Canadian Anti-Fraud Centre (1-888-495-8501) and your local police if you suspect any fraudulent activity or if you are concerned about identity theft
  • You may also want to notify a credit bureau

Along with these steps, take some time to check and see if the account or app that was compromised has any security controls that you can enable, such as multi-factor authentication, to keep your account from being compromised again in the future.

See the Canadian Centre for Cyber Security page on rethinking your password habits to protect your accounts from hackers for more information.

Date modified: