
- Using strong passwords is a key way to protect online accounts. Most sites and services will request that any password used should be at least 8 characters long. Some services will also request that passwords contain at least one uppercase letter, number or special character (characters such as ‘?’, ‘%’ and ‘@’). The longer a password, the stronger it is.
- However, the strongest passwords are actually passphrases – a password made up of three or four random words. For example, ‘purplecakedinosaurmoon’ is a very tricky password for others to guess but can be more easily remembered by a user by visualising a picture that contains all these words – such as a dinosaur on the moon eating a purple cake. This makes the password both long and memorable.
- While children understand the importance of not revealing their passwords to strangers, they may be more inclined to share their passwords with people they trust such as their friends. There are many reasons why they may do this – it may be to allow a friend to use their account in an online game to help them progress further or to exchange items. For some social networks that reward or track contact over a number of consecutive days (often known as ‘streaks), a child might share their account password with a friend in order to maintain that contact in situations where a child might not be able to – such as if they were going away on holiday and wouldn’t have internet access. For some children, sharing their password with a friend is a sign of true trust.
- Two factor authentication (2FA), also known as ‘two step authentication/verification’ is an effective way of keeping an account secure. When enabled on an online account, it requires a user to input their password and then a unique code in order to gain access. This code is sent to a user by SMS or email, or generated through a special authenticator app that the user may have installed.
- A 2FA code will usually be sent to a user when they log into an online account for the first time from a new device or a new geographical location. This feature is also very useful because it can inform a user when someone else might be trying to access their account. Without the code, another person cannot gain access, but it would alert the user that someone else knows their password.

Advice:
- Educate your students on what makes a strong password and the importance of creating a different password for each account. You could challenge them to come up with creative ways to generate random (yet memorable) passphrases.
- Keeping track of many unique strong passwords for all your accounts can be very daunting, especially for younger children. Encourage your students to work with a parent/carer to set up a password manager product to help store usernames and passwords. Free and paid options are available, and some devices have inbuilt password management features. Remind your students to ensure they protect access to the password manager with a very strong password!
- Discuss the importance of keeping passwords private. Remind your students they shouldn’t share these with other people, even best friends that they trust. In some cases a parent/carer might need to know their passwords (e.g. to store them in a password manager) but in most instances they should use a password reset feature if they forget a password..
- Explain two factor authentication and encourage your students to activate it on their accounts whenever possible. It is likely that they will need support from a parent/carer as the authentication code will usually be sent via email or SMS.
- Remind your students that if they ever receive an authentication code that they haven’t requested (e.g. you haven’t just attempted to log in to that account) then it could mean that someone else knows the password and is attempting to access that account. Advise them that they should log into that account as soon as possible and change the password. If that password has also been used on other accounts, then these should also be changed.
- Ensure you are familiar with the policies and procedures around passwords and account security in your school, particularly for accounts that allow access to sensitive data (such as personal data of students and staff).