We utilise a service that checks passwords against a list of passwords that have been leaked as part of data breaches. This does not mean that your password was leaked because of this website, it means that an account using that password has had its credentials shared on the internet because of a breach of a different website, which means that it can no longer be considered secure. When large companies like Facebook and Google have had data breaches, this puts any other accounts using the same credentials at risk.

If you saw a message saying that you couldn’t use a password because it had previously been breached, and this is a password you have used elsewhere, we highly recommend changing that password on other websites.

We recommend following NCSC guidelines with passwords, such as the use of passphrases, where three or four words are combined together. Some common examples (and therefore ones you shouldn’t copy) are CorrectHorseBatteryStaple or applenemobiro. Its length gives it enough entropy to be secure, but it’s a lot easier to remember than a random mix of characters. Click here to read an NCSC article about this.

We also recommend using password managers, which let you use complex, secure passwords, without having to remember each of them. Some common password managers are 1Password and Dashlane.

Things to avoid:

• Simple passwords – such as Password123 or 123456
• Passwords based on things which are easy to guess, like your date of birth
• Relying on simple substitutions for security – Hackers will try common substitutions like 3 for e or 5 for S.
• Using passwords that you’ve used elsewhere – reusing passwords puts you at risk.

Your passwords are encrypted before being saved, which means that they’re as secure as possible. Only the encrypted hash of the password is saved, not the password itself, which further protects your account and credentials.