Password safety tips

We have some sad news – even in 2020, one of the most-used passwords worldwide is still “123456”. Yep, right up there with “password” and “qwerty” (the top row of keys on your keyboard), using any variation of these popular passwords is just asking for trouble.

When it comes to passwords, the more unique it is, the better. A strong password can often be the only thing protecting your personal information from malicious third parties, so it’s important that they’re hard for other people (or machine algorithms) to guess.

To help you stay safe, we’ve put together some handy info and tips to beef up your password security. Have a read through to see if there’s any room for improvement in your current password practice.


Our password policy

If you’re with iiNet, you may have noticed that “123456” isn’t accepted as a safe password. We’ve deliberately written our Password Policy to help keep your account strong and secure – and it’s a formula you’re welcome to use for other sites, too.

We require all passwords to be:

  • Be at least 9 characters long
  • Have at least one uppercase and one lowercase letter
  • Have at least one number (i.e. 0 to 9)
  • Not be based on your account details (e.g. your username, name or birthday)
  • Not contain any spaces or tabs
  • May only contain letters, numbers or other standard characters

Trust us, taking a few moments to type in a trickier password is far, far better than having your password cracked. Provided you’re using a secure trusted device, such as your personal computer at home, or a smartphone with a locking mechanism (e.g. PIN, fingerprint or facial recognition) then it’s typically safe to get your web browser to remember your login details so you don’t have to type them each and every time you log in. Just be sure to NEVER tick “Remember this password” on public computers such as those at airports and libraries!

While our Password Policy prevents you using a weak password, other online services may not have similar policies. As a rule of thumb, we recommend following our policy when creating any password because the results will typically be more secure – and that’s always a good thing!


More password tips and tricks

  • Most passwords support all ASCII characters, not just letters and numbers. That means you can jazz up your password with any of the following characters: ` ~ ! @ # $ % ^ & * ( ) _ + – = { [ } ] \ | ; , . / : < > ?
  • Sure, password policies have a minimum character limit, but what about a maximum? If a limit exists, it’s usually pretty lengthy – a maximum password length of 138 characters is common. Instead of a random mish-mash of letters and numbers, why not make your password a whole sentence (sans spaces)? Longer passwords are more secure, and a coherent sentence can also be easier to remember. Song lyrics, a movie or book quote… the sky’s the limit!
  • Find it difficult to remember passwords? Help is on hand! A Password Manager can make life easier by remembering all your different passwords for you, so you only have to remember a single “master” password. There’s a comprehensive review of both free and paid password manager options over on Tom’s Guide.
  • If you’re averse to technological solutions for your password memorisation woes, we still stand by the old fashioned, analogue method: write it down, and lock it up.


Factor in some extra protection

Now that your passwords are secure, it’s time to take it up a notch with Two Factor Authentication, also known as 2FA. You may already have 2FA in use with your banking institution. To log in successfully, you’ll not only need a password – you’ll also need to confirm a second authentication factor, such as a unique code sent via SMS to a mobile listed on your account.

You should aim to use 2FA wherever it is available, particularly for bank accounts, cloud services, and social media profiles. The Australian Cyber Security Centre has a range of how-to guides for turning on 2FA here.

For more information about passwords, PINs and passphrases, visit the Australian Cyber Security Centre’s website.


Do you have a digital security tip to share with us? Tell us in the comments.


  1. Justin Doyle says:

    Useful. I currently follow most of your recommended practices.

  2. Philippe Wathelet says:

    You can leave fragments of your passwords in full view (although it is an extra layer of security to protect the file where they are stored) provided you don’t explain how to use them to build the corresponding password. It’s like leaving two nut wrenches in full view on a table without an explanation of how to use them to break open a lock (

    For this, you leave a word in full view but do not disclose to anyone (this is an example only for illustration purposes):
    1. a short sentence in which you always insert the word, and
    2. the fact that you systematically append “#$#$” at the very end.
    3. the fact that you always use the word starting with a capital letter
    4. the fact that you always use the number “0” as the second character (like in “G0”)

    – you store (possibly in full view) “careIBM” and “forceColes”, and
    – when needed, use them to (mentally) build the two passwords:

    1 – For the (IBM) site: “G0ttauseCareforIBM#$#$”, and
    2 – For the (Coles) site: “G0ttauseForceforColes#$#$”

    … with (in this particuler example) the key phrase “Gotta use … for … #$#$”.

    This way you use a different password for each site as well as letters, a number, upper and lower case, and other characters.

    Of course, any of the above can be made stronger or easier, just don’t forget your key phrase and method (which can be written too, but at a secret location… like in the middle of a long piece of text stored in another file).

  3. Gordon says:

    I routinely use a password manager, and the one I use generates one for me when I need a new one. It remembers it too , so I don’t care to know it. It’s worked for many years.

  4. John Hammond says:

    2FA SMS works fine when domestic. Once offshore and using a local sim, it’s no longer a great working option. Organisations need to offer 2FA to either a phone number and/or an email address?

  5. Keith says:

    Can I access passwords saved in a password manager when I am using different devices. My iPad, Samsung phone, desktop and public computers?

  6. Nanda Menon says:

    The biggest bugbare is trying to remember one’s password so much so an acquaintance of mine has practically given up and is quite happy to tap “forgotten password” and make one on the spot only to have to go through the whole process next time round. She is quite happy, hasn’t had any disasters…yet!

  7. Craig Johnson says:

    @Keith – It depends on the password manager.
    I use 2 (one for work and one for personal), both will work across multiple devices. They have apps I install on my phone, and can be accessed via internet (with 2FA).

    But I would NEVER access them on a public computer. Same as I’d never use an insecure public wifi as it’s too easy to have a man-in-the-middle attack.

  8. Beth Evans says:

    No mention of key loggers. Key loggers record every key pressed on your keyboard thus revealing your clever password to the hacker who is monitoring your keystrokes.
    Always use the on-screen keyboard which is actuated by your mouse.. Just in case.
    Whenever my emails are compromised by hackers, I delete the email identity concerned and create a new email identity.
    Has anybody else had problems deleting their email identities. On at least five separate occasions my correct password required for deleting my email identity has been continually rejected by Iinet. Yet this rejected password is still capable of installing the email identity associated with it, on other computers and sites.
    I am still having this problem now.

  9. Beth Evans says:

    Keyboard loggers still lurk about.
    Your recorded keystrokes will reveal your passwords to the hacker monitoring your keystrokes.
    Use an on-screen keyboard actuated by your mouse where ever possible.
    Password hint. Use the streets and buildings on a walk.
    eg a walk to the park WentworthAngleLowerBodsworthExeterMangolsPark
    eg a walk to the pub
    eg a walk to may mate Bill’s house etc etc

Leave a Reply

Your email address will not be published.