Skip to main content

Reading is great. Tracking makes it stick. Sign up for a free Dashboard to tick off tasks and see your Security Score.

Get my free Dashboard →
User AccessHigh priority

Change any weak or reused passwords

Identify and replace passwords that are short, simple, or used on more than one account.

Why this matters

If one service you use is breached, attackers will try your leaked password on hundreds of other sites. Unique passwords stop this attack cold.

How to do it

  1. Check haveibeenpwned.com to see if your email appears in any data breaches
  2. Prioritise changing passwords for email, banking, and social media first
  3. A strong password is at least 12 characters — use your password manager's generator
  4. Never reuse a password across more than one account

Need a more detailed walkthrough?

Our step-by-step guide explains each action in full detail, with confirmation steps and related tasks.

View full step-by-step guide →

Cyber Essentials framework

This task falls under the User Accesscontrol, one of five areas assessed in the UK's Cyber Essentials scheme. Completing it counts toward your Cyber Essentials alignment. Create a free account to track your progress across all five areas.

Frequently asked questions

How do I know if my password is weak?

A password is weak if it is fewer than 12 characters, uses a word found in a dictionary, contains personal information (your name, birthday, or pet), or is reused on more than one account. Your password manager or browser will often flag these for you automatically.

Has my password been in a data breach?

You can check for free at haveibeenpwned.com: enter your email address to see if it has appeared in any known data breaches. If it has, change your password for that service and for any other account where you used the same password.

What counts as a strong password?

A strong password is at least 12 characters long and a random mix of letters, numbers, and symbols. The easiest way to create one is to use the built-in generator in your password manager; you never need to remember it yourself.

My bank only allows an 8-character password. What can I do?

If your bank limits password length, use the maximum they allow and make it as random as possible. Adding two-factor authentication to your bank account is more important for most modern banking apps than password length alone.

Track your security score for free

Create a free Cyber Nova AI account to tick off tasks like this one, see your Security Score, and stay on top of what you've done and what's still to do.

Start your free security check