Password security is a crucial aspect of information security that plays a central role in both professional and personal settings. Nowadays, there are more and more services for which you need to remember access credentials, and the temptation to use the same or a very simple password is high.
In an era where cybercrime is becoming increasingly sophisticated, it is essential for bank customers to use secure passwords to protect their sensitive data from unauthorized access.
In the following article we will show you how to create strong passwords, use them correctly, protect them, and avoid common mistakes.
Key points:
- Use a unique, sufficiently strong password for each account.
- Use a password manager instead of writing down passwords or saving them in the browser.
- Enable multi-factor authentication to add a second layer of protection to your accounts, or use passkeys, which allow secure login via fingerprint, facial recognition, or device PIN.
Why is password security so important?
A weak or reused password can have far-reaching consequences and exposes you to increased risk in your personal and professional life. Cybercriminals can easily find it and steal your identity, withdraw money from your accounts, or access confidential company data.
Cybercriminals exploit the fact that people often pay little attention to password security with these tactics:
- Automated guessing (brute-force attacks): hackers use programs to try thousands of password combinations in a short time
- Misuse of disclosed data (credential stuffing): leaked passwords are systematically tested on other platforms
- Observation of input (shoulder surfing/social hacking): strangers watch you enter your access credentials
Even if you follow the recommendations for password security, there is still a risk from phishing attacks:
- Fake login pages (credential harvesting): you enter your data on a manipulated website
- Telephone manipulation (voice phishing): fraudsters pose as support or security team members on the phone and specifically ask for passwords or access credentials
When stolen passwords become a gateway for attackers
In March 2025, several major Australian pension funds — including AustralianSuper, Rest Super, and Hostplus — fell victim to a coordinated credential-stuffing attack. Cybercriminals used previously leaked login credentials to gain unauthorized access to customer accounts. At AustralianSuper alone, four accounts were compromised, resulting in a financial loss of AUD 500,000. Thousands of customer accounts were affected in total. The attackers exploited reused passwords and a lack of security measures such as multi-factor authentication.
How to improve your password security
- Use strong, unique passwords
A secure password should be difficult to guess. Whether a password is strong depends on two factors: length and complexity. Follow recognized recommendations, such as those from the Federal Office for Information Security (BSI) in Germany.
Passwords can be "short and complex" or "long and less complex". If you use a short password (e.g., 8-12 characters), you should use all four types of characters (uppercase and lowercase letters, numbers, special characters). For long passwords (20-25 characters), two types of characters can be sufficient to create a strong password. Combine several random words that have no logical connection.
Use a unique password for each service to avoid compromising multiple accounts with a hacked password.
- Use a password manager
Instead of noting down your passwords or remembering weak combinations, use a password manager. It securely stores your passwords and can help with automatically filling out credentials on your device.
- Enable multi-factor authentication (MFA) or use passkeys
Multi-factor authentication offers a second security layer in addition to the password – for example, an app, a code via SMS, or a small security key (token). Even more secure are so-called passkeys, which replace or complement passwords and protect particularly well against fraud (e.g., phishing). This way, your account remains secure even if the password becomes known.
Practical methods for memorable, secure passwords
Secure passwords don't have to be hard to remember. With the right methods, you can create combinations that are both strong and memorable. Here are three simple approaches to improve your password security:

Passphrase method: combine several random words that have no logical connection. This method is particularly suitable for long passwords. Additionally, increase security with numbers or special characters. Example: SunFlowerCableTiger9!
PAO method (Person-Action-Object): imagine a memorable scene with a well-known person, an action, and an object. The derived terms create a unique password. Example: AngelaMerkelFlies!Dragon99
Acronym method: think of a sentence that you can easily remember (e.g., a favourite saying or habit). Take the first letters of each word and replace individual letters with numbers or special characters. Example: "I like to eat pizza on Friday evenings." → Il2ePoF!3
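The length/complexity rule and the passphrase method described above, as an added Python example that is not part of the original article: it checks a password against the rule and builds a passphrase from a cryptographically secure random source. The word list is a constructed sample, the function names are illustrative, and treating 13-19 character passwords like short ones is an assumption.

```python
import math
import secrets
import string

# Constructed sample list, far too small for real use: 16 words give only
# 4 bits per word. A 7776-word list gives about 12.9 bits per word.
WORDS = ["sun", "flower", "cable", "tiger", "river", "anchor", "marble",
         "candle", "violin", "harbor", "pepper", "saddle", "meadow",
         "copper", "lantern", "walnut"]
SPECIALS = "!#$%&*+-=?"

def char_classes(pw):
    """Number of character types present: lower, upper, digit, special."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(t(c) for c in pw) for t in tests)

def meets_rule(pw):
    """Article's trade-off: long passwords (20+) need two character types,
    short ones (8+) need all four. Assumption: 13-19 counts as short."""
    if len(pw) >= 20:
        return char_classes(pw) >= 2
    return len(pw) >= 8 and char_classes(pw) == 4

def passphrase(n_words=5, words=WORDS):
    """Unrelated words picked by the OS CSPRNG, plus a digit and a special
    character. Words a person picks themselves are far easier to guess."""
    picked = [secrets.choice(words).capitalize() for _ in range(n_words)]
    return "".join(picked) + secrets.choice(string.digits) + secrets.choice(SPECIALS)

def passphrase_bits(n_words, list_size):
    """Entropy in bits of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    for pw in ("SunFlowerCableTiger9!", "Il2ePoF!3", "password2024"):
        print(pw, meets_rule(pw))
    print(passphrase(), round(passphrase_bits(5, 7776), 1))
```

The entropy figure only holds when the words are chosen at random from the list; it says nothing about a phrase a person made up.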
What you should avoid
- Using the same passwords for multiple accounts: avoid using the same password for multiple accounts – if one is compromised, all others are also at risk.
- Storing passwords unprotected: do not store passwords in unprotected files, notes, or in the browser, as they can be easily read there.
- Writing down passwords: storing passwords on post-its, in calendars, or unsecured in the cloud poses a security risk and should be avoided. Password managers can securely support you in managing your passwords.
The golden rules of password security
- Separate private and professional logins: never use the same password or email address for private and business platform access.
- Use a unique password for each account: use an individual password for each service – whether email, cloud access, or a customer portal.
- Never share passwords: not even with colleagues, friends, or family members – access credentials should always be private.
- Act immediately if you suspect something: change your password immediately if you suspect someone knows it or if a service has been compromised.
- Do not write down passwords: avoid notes, calendars, or unsecured lists. They can easily fall into the wrong hands.
- Do not store passwords without special encryption: do not store passwords in the browser, in the cloud, or in unprotected files.
- Create strong passwords: pay attention to a good combination of length and complexity. Short passwords should always use all four types of characters (uppercase and lowercase letters, numbers, special characters), while long passwords can suffice with two types of characters.
- Use multi-factor authentication: enable MFA wherever possible – especially for sensitive or frequently used access.
- Use a password manager: use a trusted password manager to securely store and manage your many passwords.
Frequently asked questions about password security
How long should a secure password be?
At least 12 characters for common services, more than 20 characters for particularly sensitive accounts like online banking or business credentials. Remember to set up multi-factor authentication for these accounts if possible. Alternatively, you can use passkeys – they replace passwords and the use of MFA completely or complement them and offer particularly strong protection against phishing.
What is a password manager?
A password manager is a tool that helps you securely store and manage complex passwords. It stores passwords in an encrypted file, so you only need to remember one password to access all others. This makes it easier to use strong and different passwords for various services.
What is credential stuffing?
Attackers systematically test leaked access credentials on other platforms. Therefore, you should never use the same password for multiple services.
What to do in case of a password leak?
In case of affected email, messenger, or social media accounts, change the password immediately and, if possible, enable MFA. Also inform any affected contacts in your personal and professional environment.