Applies to: Security, Windows 10, Windows 8.1, Windows 7, Microsoft account dashboard

One of the most important ways to ensure that your online accounts are safe and secure is to protect your passwords. Follow this advice to help keep your accounts out of the wrong hands.

Create strong passwords

Password security starts with creating a strong password. A strong password is:

  • At least 12 characters long, but 14 or more is better.

  • A combination of uppercase letters, lowercase letters, numbers, and symbols.

  • Not a word that can be found in a dictionary or the name of a person, character, product, or organization.

  • Significantly different from your previous passwords.

  • Easy for you to remember but difficult for others to guess. Consider using a memorable phrase like "6MonkeysRLooking^".
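
The criteria above can be checked mechanically before a password is accepted. The following Python checker is an added example, not Microsoft's code; the function name, the small word set (a constructed stand-in for a real dictionary and name list) and the 0.6 similarity threshold are assumptions.

```python
import difflib
import string

# Constructed stand-in for a real dictionary / name list (assumption).
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "microsoft", "sunshine"}

# The four character classes the list asks for.
CHAR_CLASSES = {
    "uppercase letter": str.isupper,
    "lowercase letter": str.islower,
    "number": str.isdigit,
    "symbol": lambda c: not c.isalnum() and not c.isspace(),
}


def check_password(candidate, previous=(), words=COMMON_WORDS, max_similarity=0.6):
    """Return the criteria that `candidate` fails; an empty list means it passes."""
    problems = []

    if len(candidate) < 12:
        problems.append("shorter than 12 characters")

    for name, is_member in CHAR_CLASSES.items():
        if not any(is_member(c) for c in candidate):
            problems.append(f"no {name}")

    # Strip leading/trailing digits and symbols so that a dictionary word
    # with decoration ("Password1!") is still recognised as that word.
    core = candidate.strip(string.digits + string.punctuation).lower()
    if core in words:
        problems.append("dictionary word or name")

    # "Significantly different from your previous passwords": 0.6 is an
    # assumed cut-off on difflib's 0..1 similarity ratio, not a page value.
    for old in previous:
        ratio = difflib.SequenceMatcher(None, candidate.lower(), old.lower()).ratio()
        if ratio > max_similarity:
            problems.append("too similar to a previous password")
            break

    return problems


if __name__ == "__main__":
    print(check_password("6MonkeysRLooking^"))
    print(check_password("Password1!"))
    print(check_password("Paris4$pringVacation2", previous=["Paris4$pringVacation"]))
```

A password that passes these checks can still be unsafe if it has already appeared in a data breach, which this checker does not test.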

Tip: Don't want to think up your own strong passwords? Microsoft Edge can create and remember strong, unique passwords for you. See Use Password Generator to create secure passwords.

Secure your passwords

Once you’ve created a strong password, follow these guidelines to keep it secure:

  • Don’t share a password with anyone. Not even a friend or family member.

  • Never send a password by email, instant message, or any other means of communication that is not reliably secure.

  • Use a unique password for each website. If crooks steal your account information from one site, they'll try to use those credentials on hundreds of other well-known websites, such as banking, social media, or online shopping, hoping you've reused the password elsewhere. That's called a "Credential stuffing attack" and it's extremely common.

  • If you don’t want to memorize multiple passwords, consider using a password manager. The best password managers will automatically update stored passwords, keep them encrypted, and require multi-factor authentication for access. Microsoft Edge can remember your passwords for you and automatically fill them in for you when needed. See Save or forget passwords in Microsoft Edge.

  • It's OK to write your passwords down, as long as you keep them secure. Don't write them on sticky notes or cards that you keep near the thing the password protects, even if you think they're well-hidden.

    Or just a hint...

    Rather than writing down your password, consider writing down a hint that reminds you of what the password is. So if your password is "Paris4$pringVacation" you could write down "Your favorite trip."

  • Change passwords immediately on accounts you suspect may have been compromised.

    Tip: Microsoft Edge has a password monitor feature that can let you know if we spot that any of your passwords have been compromised in a data breach. For more information see Protect your online accounts using Password Monitor.

  • Enable multifactor authentication (MFA) whenever available. MFA requires more than one kind of credential to sign into an account — such as requiring both a password and a one-time code generated by an app. This adds another layer of security in case someone guesses or steals your password. For more information see What is: Multifactor authentication.

Tip: If you’re asked to create answers to security questions, provide an unrelated answer. For example, if the question is "Where were you born?" you might answer "Green." Answers like these can’t be found by trolling Twitter or Facebook. (Just be sure they make sense to you, so you'll remember them.)

Don’t be tricked into revealing your passwords

Criminals can try to break your password, but sometimes it’s easier to exploit human nature and trick you into revealing it. 

If you receive an email message that appears to be from an online store (like eBay or Amazon) or a phone call from your “bank” that tries to convince you of the “legitimate” need for your password or other sensitive information, it could be a phishing scam. (You may have heard these con games referred to as "social engineering".)

Here are some guidelines to follow to protect your passwords and other sensitive information:

  • Be wary of anyone who is requesting sensitive info from you, even if it appears to be someone you know or a company you trust. For example, a crook may have hijacked a friend’s account and sent email to everyone in the friend’s address book. Treat all unexpected requests for sensitive info with caution.

  • Never share your password in response to an email or phone call — for example, to verify your identity — even if it appears to be from a trusted company or person.

  • Always access websites using trusted links. Scammers can copy the look of a company’s communications to fool you into clicking a phony link or attachment, so use caution with links that appear in unsolicited emails, social media, or SMS messages. If in doubt, go directly to the official website of the bank or other service you’re trying to access using your own bookmark or by typing the legitimate address of the service yourself.

See also

The keys to the kingdom - securing your devices and accounts

Microsoft security help and learning
