Passphrase Guidance
Follow the simple steps below to choose a strong passphrase for your digital accounts.
- Use three random words
- Add one digit after one of the words
- Ensure it's at least 14 characters overall
- Each of your accounts should use a unique passphrase
- Choose a passphrase using the generator below!
- You can generate and store passphrases using password managers like Bitwarden (Free!), 1Password, Dashlane and LastPass
- You can find more guidance about passphrases and using password managers on the NCSC website
Passphrase Generator
Generate a passphrase until you find one you like!
direct trait expunge 8
Words provided by 1Password. The full list is available to download here
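The steps above, as an added Python example (not the code behind this page's generator): it draws three words and one digit from the operating system's CSPRNG, redraws until the 14-character minimum is met, and checks a passphrase against the same rules. The word list is a constructed sample, and the `-` separator and all function names are assumptions.

```python
import math
import secrets

# Constructed sample list so the example runs offline. Real use needs a
# large list, such as the 1Password list this page mentions.
SAMPLE_WORDS = ["direct", "trait", "expunge", "marble", "window", "harvest",
                "copper", "lantern", "pigeon", "velvet", "oak", "fig"]
MIN_LENGTH = 14   # page rule: at least 14 characters overall
WORD_COUNT = 3    # page rule: three random words


def generate_passphrase(words=SAMPLE_WORDS, separator="-"):
    """Return three random words with one digit appended to one of them."""
    longest = WORD_COUNT * max(map(len, words)) + 1 + 2 * len(separator)
    if longest < MIN_LENGTH:
        raise ValueError("word list cannot reach the minimum length")
    while True:
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        chosen = [secrets.choice(words) for _ in range(WORD_COUNT)]
        slot = secrets.randbelow(WORD_COUNT)        # which word gets the digit
        chosen[slot] += str(secrets.randbelow(10))  # one digit, 0-9
        phrase = separator.join(chosen)
        # Redraw instead of padding, so every accepted passphrase is still
        # a uniform draw from the set of valid ones.
        if len(phrase) >= MIN_LENGTH:
            return phrase


def check_passphrase(phrase, separator="-"):
    """Return the page rules that `phrase` fails (empty list means it passes)."""
    failures = []
    parts = phrase.split(separator)
    if len(parts) != WORD_COUNT:
        failures.append("needs three words")
    digits = sum(ch.isdigit() for ch in phrase)
    if digits != 1 or not any(p[-1:].isdigit() for p in parts):
        failures.append("needs one digit after one of the words")
    if len(phrase) < MIN_LENGTH:
        failures.append("needs at least 14 characters")
    return failures


def entropy_bits(list_size):
    """Upper bound in bits when the attacker knows the scheme and the list."""
    return WORD_COUNT * math.log2(list_size) + math.log2(WORD_COUNT * 10)
```

`entropy_bits` shows why the list size matters: the 12-word sample gives under 16 bits, so it is only suitable for demonstrating the logic.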
Guidance on Using Your Own Device
If you are accessing any work-related services on a device you or someone else owns, you should make sure to follow these steps:
For all devices:
- Check that the device, operating system, web browser and all apps/software are supported and receive updates
- Enable automatic updates wherever possible
- Remove apps and software that you don’t use
- Set the device to lock automatically when idle
- Unlock the device with a passphrase, a 6-digit PIN or fingerprint/facial recognition
- Ensure repeated failed attempts to unlock are blocked or limited
For smartphones and tablets running mobile operating systems - e.g. iOS, iPadOS, Android, Fire OS etc.:
- Run legitimate versions of the operating system. Do not use a 'rooted' or 'jailbroken' device
- Only install reputable apps, from official app stores - e.g. Apple App Store, Google Play Store, Amazon AppStore etc.
For desktops and laptops, running full desktop operating systems - e.g. Windows, macOS, Chrome OS etc.:
- Enable the Firewall feature for your operating system
- Change the default password for any required accounts (e.g. 'Administrator')
- Remove or disable unused user accounts (e.g. 'Guest')
- Disable ‘auto-run’ or ‘auto-play’ features when storage devices are plugged in
- Install or enable virus protection that updates and scans daily, and can scan web pages
- If you need a desktop environment, use your work-provided device whenever possible!
Devices used only to facilitate multi-/two-factor authentication via text message, code or app (e.g. Microsoft Authenticator, Google Authenticator) are exempt from these guidelines.
Check for Leaks!
Check if an email address or password you use has been leaked on to the internet. Email addresses and passwords entered below are not monitored or stored.
That Email Address Hasn't Been Leaked!
It wasn't found in any publicly leaked lists.
That Email Address Has Been Leaked!
It was found in publicly leaked lists.
What Should I Do Now?
- You should change the password on your account for the sites or services listed below. You can use the tools and guidance at the top of this page to help.
- If you have used the same password on other sites or services, consider changing the password on those accounts too.
- If the email address was leaked recently, you might see an increase in the number of unexpected messages in your Inbox. Be cautious about following links from senders you don't recognise or those asking for any sensitive details from you such as passwords or payment information. You can find some more guidance on spotting malicious emails on the NCSC website.
- You can sign up to be automatically alerted if your email address is ever leaked in the future, by using the service Have I Been Pwned. The service is free and you only need to provide your email address to use it. Follow the 'Notify Me' link in the main menu.
Who Leaked It?
This tool uses the service Have I Been Pwned. Email addresses may be transmitted outside of the EU.
That Password Has Been Leaked!
It is associated with leaked accounts.
This doesn't necessarily mean one of your online accounts has been compromised, as other people may be using the same password. However, any account that uses this password is at risk.
What Should I Do Now?
- Immediately change the password on any accounts where it's used. You can use the tools and guidance at the top of this page to help.
- If you have used a very similar password on any accounts, it should be changed there too.
- Check any important sites or services where you were using the password, for activity that you don't recognise. Contact the site or service if there are any signs your account was accessed by someone else.
- Consider using multi- or two-factor authentication (MFA or 2FA) on all online accounts to provide additional protection if your password is leaked. You can find some more guidance on setting up this layer of protection on the NCSC website.
- On many popular services you can enable 'sign in alerts' that will notify you whenever your account is accessed.
That Password Hasn't Been Leaked!
It isn't associated with any leaked accounts.
This tool uses the service Have I Been Pwned. All passwords are obscured before transmission and cannot be accessed by the service.