You use passwords to access your bank accounts, social media, email and more every day.
Passwords are the keys to our online identity. That’s why protecting them is so important.
Creating a strong password is the first step to protecting yourself online. This helps reduce the risk of unauthorised access by those willing to put in a bit of guesswork.
To help stay safe online, follow these password tips.
1. Make your passwords strong
Short and simple passwords might be easy for you to remember, but unfortunately they're also easier for cyber criminals to crack.
Strong passwords have a minimum of 10 characters and a use mix of:
- uppercase and lowercase letters
- numbers
- special characters like !, &, and *.
Use passphrases
You may like to consider using a passphrase instead of a traditional password.
Passphrases are considered more secure than regular passwords, and easier to remember too.
A passphrase is used in the same way as a password, but is a longer collection of words that is meaningful to you, but not to someone else.
For example, the passphrase ‘CloudHandWashJump7’ is 17 characters long and contains a range of different characters. This is more complex than the average password.
Having complex passwords is important to deter 'brute force' attacks, in which a computer program cycles through every possible combination of characters to guess a password. These automated attempts at guessing passwords are not slowed down by numbers or capital letters, but depend on how long a password is.
Depending on the systems you access, you may be limited to a defined number of characters.
2. Make passwords hard to guess
Could someone who knows you guess your passwords? For this reason, it’s best to avoid using personal information such as your children, partner or pets name, favourite football team or date of birth as your password.
When trying to hack into an online account, cyber criminals start with commonly found words and number combinations.
So it's best to avoid using:
- dictionary words
- a keyboard pattern like qwerty
- repeated characters like zzzz
- personal information like your date of birth or pet’s name.
Security companies publish lists each year of the most common passwords exposed in data breaches. Read the list from 2020, opens in new window. Make sure you’re not using them, because it’s likely criminals will try these passwords first.
3. Create new, unique passwords
If you need to reset a password, don’t just change one part of it.
Instead of changing a number at the beginning or end, create something completely new you’ve never used before.
If your original exposed password had a ‘1’ at the end, an attacker would likely try ‘2’ next. That’s why it’s important to change the whole password.
Get into the practice of changing your password often, ideally every few months.
4. Don’t share passwords, ever.
Never share your password with someone, not even with someone you trust.
What about family and friends?
Regardless of whom you share it with, once you share your passwords you lose control of how it’s stored or how and when it’s used.
What if a business or company I know asks for my password?
Reputable companies won’t ask you to give them your password over the phone or via emails or SMS messages. This might be a warning sign of phishing or a scam; you can read more about phishing on our security alerts page.
NAB will never ask you for your password or PIN, either by email, SMS, over the phone or at a branch. We may ask you to provide a one-time code to verify yourself when you call our contact centre. These messages will clearly state that we will ask you for the code.
You may not be covered for fraud
One of your responsibilities as a NAB account owner and user of internet banking is to protect your password. Sharing your passwords or PINs may affect a claim for any money lost due to fraud.
5. Use different passwords for each of your online accounts
Using different passwords means that if one of your accounts is breached, criminals won’t have access to other accounts that use the same password.
Make each of your passwords for online logins unique. This will help protect you from attacks like ‘credential stuffing’.
Credential stuffing
Credential stuffing is an automated technique used by criminals. They test a user's known username and password combinations across multiple online accounts.
As many people use the same credentials for multiple sites, it can give criminals easy access to multiple accounts.
This gives criminals an opportunity to gather more information about you, which they might use to impersonate you online to access accounts under your name.
For example, it’s not a good idea to use the same password for an online pizza delivery website and your business email. If the pizza delivery site is compromised, you don’t want someone to also have access to your business email account.
To learn more about credential stuffing, watch the video.
View NAB Credential Stuffing video transcript (TXT, 1KB), opens in new window.
6. Store passwords safely
Writing passwords down is never recommended. You could lose them, or someone else could see them and use them.
Password management tools
There are programs and apps known as password managers that will store all your passwords in a secure vault.
A password manager only needs one strong password to access it and has extremely strong protection to make sure that only you can access it.
This means you only need to remember one password to have access to all your passwords.
Password safes can even generate and store new, complex passwords for you when you create new online accounts.
Don’t allow web browsers to store your NAB password
Some web browsers may display a pop-up message, asking whether you want the browser to remember your login details.
For the protection of your personal information, NAB recommends that you select 'Never for this site' if you see this message when using NAB Internet Banking.
For more information, check out the Australian Cyber Security Centre’s guide on creating secure passphrases, opens in new window.
Helpful resources
How we can help
If you’re a NAB customer and you believe your business or personal accounts have been impacted by fraud or a scam, we’re here to help. Explore the immediate steps you can take to protect yourself and discover when you should get in touch with us to make a report.
Learn what to do in the event of fraud or scams
Get updates on the latest fraud alerts
IDCARE
IDCARE is Australia and New Zealand's not-for-profit counselling and support service set up to assist Australians impacted by identity theft and cyber-related crimes.
IDCARE can assist NAB customers to navigate through the process when identity details or credentials have been compromised through fraud or scams. IDCARE is a free service for all Australians.
Learn more about IDCARE, opens in new window
Australian Government | Australian Cyber Security Centre (ACSC)
The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together in a single location. It’s the hub for private and public sector collaboration and information sharing to combat cyber security threats. ACSC provides topical, relevant and timely information on how home internet users and small businesses can protect themselves from, and reduce the risk of, cyber security threats such as software vulnerabilities, online scams, malicious activities and risky online behaviours.
Learn more about the Australian Cyber Security Centre, opens in new window
Australian Government | ReportCyber
ReportCyber is a secure reporting and referral service for cybercrime and online incidents which may be in breach of Australian law. The ReportCyber website provides a cybercrime reporting mechanism as well as helpful information about cybercrime.
Learn more about ReportCyber, opens in new window
Australian Competition and Consumer Commission | Scamwatch
Scamwatch provides information to consumers and small businesses about how to recognise, avoid and report scams using publications, videos and other online resources.
Learn more about Scamwatch, opens in new window
Australian Government | Office of the eSafety Commissioner
The Office of the eSafety Commissioner provides online safety education for Australian children and young people, a complaints service for young Australians who experience serious cyberbullying, and address illegal online content.
Learn more about the Office of the eSafety Commissioner, opens in new window
Australian Government | Attorney-General’s Department
The Attorney-General’s Department website provides helpful information and resources about your rights and protections in regards to identity security, freedom of information and cyber security. The Department has developed a range of resources to assist people protect their identity and recover from the effects of identity crime.
Learn more about the Attorney-General’s Department, opens in new window
Related articles
How to keep your identity safe online
Your identity is your most valuable asset. Protect it. Your freedom depends on it.
How to use social media securely
Social media can provide others with access to your personal world. Make sure you're only sharing what you want to share.
Keep your mobile devices and apps secure
Your mobile device is the portal to almost every detail about you. So it's important to keep it secure.
Important information
Apologies but the Important Information section you are trying to view is not displaying properly at the moment. Please refresh the page or try again later.