How to pick a good password
Teach First Password Policy
Minimum length: 14 characters
Password complexity (uppercase, lowercase, numbers, special characters) is no longer required.
Passwords no longer expire.
Creating Strong Passwords (Passphrases)
A strong password doesn't have to be complicated; it should be long and easy to remember. Using a passphrase is the simplest and most secure approach. A passphrase is a sequence of words or a short sentence that is memorable for you but difficult for others to guess.
However, avoid overly obvious or related words; try selecting random words that don't directly relate to each other. Additionally, avoid using any of the example passphrases provided here.
Examples of Strong Passphrases:
"PurpleButterflySingsOpera"
"ReadingBooksUnderOakTrees"
"CoffeeMugCatNapSunshine"
Common Password Patterns to Avoid
Research shows that predictable password habits greatly weaken security:
77% of passwords containing a digit place it at the end, with "1" being the most common digit.
35% of passwords that require a capital letter capitalise the first letter.
89% of 7-character passwords using alphabetic strings either capitalise the first letter or the entire word.
Around 10% of users base their passwords directly on their usernames.
Avoiding these patterns significantly increases your account security.
Additional Recommendations for Secure Passwords
Aim for length over complexity: Longer passwords or passphrases increase security exponentially.
Don't use common substitutions like "@" for "a", "$" for "s", or "!" for "i", as attackers anticipate these substitutions.
Never use keyboard sequences or patterns like "qwerty" or "1q2w3e4r".
Create unique passphrases for different accounts to prevent breaches from affecting multiple accounts.
Use a password generator: Websites like mdigi.tools or 1Password Password Generator can help create robust and memorable passwords.
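The checks described above can be written as a small Python function that a password-change form could call. This is an added example, not Teach First's own code; the function name, the finding labels, the extra keyboard runs and the short word list are assumptions made for illustration.

```python
import re

MIN_LENGTH = 14  # minimum length from the policy above
# Example passphrases published on this page; the page says not to reuse them.
PUBLISHED_EXAMPLES = {"purplebutterflysingsopera", "readingbooksunderoaktrees",
                      "coffeemugcatnapsunshine"}
# "qwerty" and "1q2w3e4r" are named on the page; the rest are constructed extras.
KEYBOARD_RUNS = ("qwerty", "1q2w3e4r", "asdfgh", "zxcvbn", "123456")
# The substitutions the page says attackers anticipate, mapped back to letters.
UNDO_SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "!": "i"})
# Tiny constructed word list (assumption); a real check would use a larger one.
COMMON_WORDS = ("password", "welcome", "letmein")


def check_passphrase(candidate, username=""):
    """Return a list of findings; an empty list means the passphrase passes."""
    findings = []
    lowered = candidate.lower()
    # Undoing the substitutions shows why they add no protection.
    normalised = lowered.translate(UNDO_SUBSTITUTIONS)
    user = username.lower().translate(UNDO_SUBSTITUTIONS)

    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if lowered in PUBLISHED_EXAMPLES:
        findings.append("published_example")
    if len(user) >= 3 and user in normalised:
        findings.append("contains_username")
    if any(run in lowered for run in KEYBOARD_RUNS):
        findings.append("keyboard_sequence")
    if normalised != lowered and any(w in normalised for w in COMMON_WORDS):
        findings.append("substituted_common_word")
    # Digits that appear only at the very end are the habit described above.
    if re.fullmatch(r"\D+\d{1,4}", candidate):
        findings.append("trailing_digits")
    return findings
```

Note that the function never asks for uppercase letters, digits or symbols, in line with the policy: it rejects short or predictable choices and accepts any long passphrase that avoids them.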
Strengthening Security with Multi-Factor Authentication (MFA)
Multi-Factor Authentication significantly enhances your account security by requiring additional verification beyond just your password. Passkeys are the most secure method of MFA because:
They eliminate the risk associated with password reuse and phishing.
Passkeys use cryptographic methods tied directly to your device, ensuring only you can authenticate access.
We strongly recommend setting up passkeys as your primary MFA method.
You can see how to set up a passkey here: https://support.teachfirst.org.uk/support/solutions/articles/1000061669
Why We've Updated the Password Policy
We've changed our policy because research shows that traditional password rules often inadvertently reduce security:
By focusing on password length and removing complex requirements, we enable more secure and memorable passwords.