In short, passwords need to be unpredictable and unique per website. That means they should not be based on a single dictionary word, even if you add a suffix: Welcome123, Password1, Winter2021 or anything similar are all bad choices. Yes, even P@55w0rd and L3tM3In! are bad choices. Common suffixes such as an exclamation mark, 123, or the current year offer little additional security.
The best options are either a passphrase made up of multiple words or a long and completely random password – depending on whether you're able to use a password manager or not. Additionally, wherever possible, passwords alone should not be relied upon; multifactor authentication should be used instead.
The most secure option for multifactor authentication is to use a physical security key or a mobile-app-based one-time passcode – such as those provided by authentication apps like Google Authenticator or Authy. These minimise the likelihood of your account being compromised even if your password is compromised – for example if someone sees you type it.
To allow a more secure approach to account authentication, our systems require a long password; the minimum length is set to 14 characters to enforce the use of passphrases or long randomly generated passwords. We also have multifactor authentication enabled by default. We use a one-time passcode via email by default and have the option for mobile-app-based one-time passcodes.
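The following check combines the 14-character minimum with the single-word-plus-suffix rule from the first paragraph. It is an added example, not code from our systems; the wordlist, substitution table and function names are assumptions made for illustration.

```python
import re

MIN_LENGTH = 14  # minimum length stated on this page
# Constructed sample wordlist (assumption); a real deployment would load a
# full dictionary and a breached-password list.
WORDLIST = {"welcome", "password", "winter", "letmein", "summer"}
# Common character substitutions mapped back to the letters they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})
# Trailing decoration: digits (1, 123, a year) and punctuation.
SUFFIX = re.compile(r"[\d!?.#*]+$")


def base_word(password):
    """Return the dictionary word a password reduces to, or None."""
    lowered = password.lower()
    stripped = SUFFIX.sub("", lowered)
    # Try with the suffix removed first, then the whole string, so a word
    # that ends in a substituted character (e.g. "welc0m3") is still caught.
    for candidate in (stripped, lowered):
        word = candidate.translate(LEET)
        if word in WORDLIST:
            return word
    return None


def check_password(password):
    """Return a list of policy problems; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    word = base_word(password)
    if word is not None:
        problems.append(f"single dictionary word '{word}' plus decoration")
    return problems


if __name__ == "__main__":
    # Constructed samples: the page's bad examples, a long word-plus-digits
    # password, and a multi-word passphrase.
    for sample in ("Welcome123", "P@55w0rd", "L3tM3In!", "Winter2021",
                   "Password12345678", "maple-orbit-candle-frost"):
        print(f"{sample!r}: {check_password(sample) or 'accepted'}")
```

Password12345678 meets the length rule but is still rejected, which shows why length on its own does not make a password unpredictable.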