At home

Top tips for a secure password

Share on Facebook Share on Twitter Share on LinkedIn Share on Xing Share by email

Do you have a specific strong password for e-banking, every online shop and every email account that you can easily remember? Great,  you're on the safe side. But if, like most of us, you spend more time resetting forgotten passwords than creating strong ones, read our blog.

  • Teaser Image
    Katrin Sprenger

    Katrin Sprenger, CEO of the start-up Silenccio and an expert in security issues for online applications, tells you how to create a strong password, avoid common errors and what useful tools there are for saving passwords.

What is more important for a secure password: complexity or length?

A secure password should be a successful combination of lowercase and uppercase letters, numbers and special characters - and in sufficient number. A strong password comprises at least twelve characters, lowercase and uppercase letters, numbers and special characters.

In simple terms, long passwords are more secure than short ones, but of course there's little point in having a password such as "AAAAAAAAAAAAAAAAAAAAA". Sequences of numbers such as "123456" or keyboard lines such as "qwerty" are anything but secure. Passwords that are too simple are a windfall for amateur hackers. And no: "passw0rd" or "123451" are no better. 

How safe is it to combine simple words with special characters and numbers?

You should generally avoid words in the traditional sense, i.e. any combination of lower and upper case letters, special characters and numbers that can be found in the dictionary.

Here's an example: from a formal perspective, "G7 summit" meets the requirements of a secure password, but as it's a real word, it is already less secure. Why is that? Hackers use small programs (scripts) to easily check any word in the dictionary. In this instance, the password would be quickly hacked.

Is it therefore advisable to use as many special characters as possible?

Ultimately, the mixture of length and combination of differing character formats determines how secure a password is, regardless of whether you only use special characters or a particularly large number of them.

Why isn't personal information such as favorite club, pet or car brand suitable as a password?

Rather than working with automated scripts, there's a possibility that hackers can first see the details of a potential victim in publicly accessible profiles. This is because it is precisely this information that people often like using for their passwords. This doesn't come as a surprise, as these passwords are very memorable. For example, if a user states in his public profile that his rabbit is called Maxi, his favorite club is FC Barcelona and he's over the moon with his new Audi, hackers have already found three potential passwords. Passwords should therefore not contain any reference to the user.

According to a study conducted by password manager Nordpass, "123456" was the most popular password in 2020, relegating the 2019 number one "12345" into eighth place. Others in the top ten include password, qwerty or login.

There are often standards applicable to passwords. Don't they make things easier for hackers to hack into a password?

No, because the standards simply define the framework conditions and are basically there to make passwords more secure. Even if these standards initially seem tiresome, they are there to increase security.

Obviously I need a good password for e-banking, but is it really necessary to have a separate password for every online shop?

If the same user name is used, e.g. email address, it's advisable to use different passwords.  The reason: if, in this instance, hackers have access to an online shop, they have access to all online shops used with this combination. The risk of consequential losses therefore increases substantially.

It's impossible for me to remember that many passwords. What tools are available?

Password managers are available to solve this problem. These are programs installed on devices. After installation, they manage access details and save them securely. Imagine a type of list containing access details. This "list" is also secured and saved with a special password - the master password. Only the person who knows the master password can access the list.

  • Teaser Image
    Protection against cybercrime?

    Hacking, phishing, malware: How can you as a user identify online threats and risks and protect yourself against cybercrime?

    To the blog article

Will a password generator help me generate strong passwords?

Absolutely. Because it takes so much time and effort to create separately complex passwords. When doing so, everyone lapses into specific patterns, becoming more and more easy to predict.

The benefit of a password generator is that it works on a random basis with the guidelines for secure passwords. The generator doesn't lapse into the aforementioned patterns and unlike people, doesn't have a problem with complicated and long passwords. 

Are these password managers secure?

Yes, these password managers are secure, as they save the access details on an encrypted basis. Either locally on the device or on the cloud if several devices are being used, such as cellphone and laptop.

Does the password for the manager (master password) have to be even more secure?

The master password should follow the usual rules for secure passwords, and the user should be able to remember it. If the user can't remember this master password, the saved access details will no longer be available in the worst case scenario. This means that access to the accounts managed through the password manager will have to be manually reset and reconfigured. To increase security even more, two-factor authentication can be installed with many password managers.

How often should I change my password?

It makes sense to change your password after three to six months. If you notice any discrepancies in your account, you should change your password immediately.

Even when using publicly accessible and therefore insecure Wi-Fi, the risk increases that your data on the end device you used has been read. Data leaks on major platforms such as or LinkedIn are also increasing. For users of these platforms, this means that they should change their password. 

More than 80 percent of the security breaches caused by hackers can be traced back to weak or stolen passwords.

What exactly is two-factor authentication and how secure is it?

As the name suggests, two-factor authentication means that another step is added to the standard login comprising user name and password. This factor is transmitted via an app to the platform or SMS to the user. Only after successful input can login be achieved.

The security of the login is substantially increased by two-factor authentication. This is because login is no longer linked to a pure data set, but additionally to a physical end device, which in most instances is a mobile phone.

It is highly unlikely that both factors - data set and end device - will be stolen. 

What do cyber criminals do when they hack passwords?

A password is hacked if attempts are made through trial and error to guess the password. If, for example, a password only comprises a few numbers between 0 and 9, few attempts are required before the password is hacked.

As the complexity of the password increases - through the combination of uppercase and lowercase letters, numbers and special characters - the number of attempts needed to guess the right combination through trial and error also rises.

Secure passwords: the most important tips

Your password should:

  • be long – at least 12 characters 
  • have a certain level of complexity 
  • not have any references to you personally (pet, wedding anniversary, name etc.)
  • not be a common word found in the dictionary
  • ideally  be saved in a suitable password manager 

Associated articles

AXA & You

Contact Report a claim Broker Job vacancies myAXA Login Customer reviews Garage portal myAXA FAQ

AXA worldwide

AXA worldwide

Stay in touch

DE FR IT EN Terms of use Data protection / Cookie Policy © {YEAR} AXA Insurance Ltd