First published: 28 Apr 2022
Last updated: 12 May 2025

Content written for: Individuals & families; Small & medium business

Passwords protect many parts of our lives – from our money to our work and even the appliances in our homes. It may be tempting to reuse a password, but if compromised it can put all your devices and accounts at risk.

Until modern approaches to authentication, such as passkeys, are available for your online accounts, using strong, unique passwords is essential, though it can be challenging to keep track of them all. That’s where password managers can help – they manage your passwords, and some can also manage your passkeys, in one place.

About password managers

Password managers can help you create, manage and store passwords for each of your accounts.

To access a password manager, you only need a single master password, key, PIN and/or biometrics. This means you only need to remember this master login to access all your stored passwords.

Password managers allow you to:

  • generate strong and unique passwords
  • store passwords and other logins in one place from any device
  • save time and effort by automatically entering your password on a login web page
  • reduce the risk of someone intercepting your passwords.

Password managers are useful tools, but are also attractive targets to cybercriminals. Only use a reputable password manager and practice good security by following our advice.

Case Study

The risk of storing sensitive information in unsecured apps

A woman in Western Australia lost her phone, which was unlocked. She kept all her passwords in the notes app on her phone, giving criminals easy access to her accounts. She also kept photos of her driver licence.

The woman’s phone was returned a few hours later. But it wasn’t until the next day that she realised criminals had transferred all her money to a cryptocurrency website. She lost almost $4000. Had she used a password manager, her account details could have been better protected against being breached.

Choose a reputable password manager

There are many different types of password managers available, including free ones. Consider what features you need and compare password managers online.

Check if the company and product have a good reputation. Make sure the product has strong security and privacy features, and gets regular updates. Also, check if it supports:

  • encryption (prevents anyone from accessing your stored information without your master password)
  • multi-factor authentication used to unlock the password manager's vault
  • different devices and syncing between devices
  • alerting you if one of your passwords has been exposed in a data breach
  • browser extensions to automatically enter your password on a login web page.

If you are unsure, ask an IT professional or a trusted advisor for help.

Secure your password manager

Password managers are attractive targets to cybercriminals. Protect your accounts by securing your password manager. The best way to do this is to use multi-factor authentication and make your master password as strong as you can.

You should use multi-factor authentication (MFA) on your password manager if available. MFA adds an extra layer of security. It means you need 2 or more steps to verify your identity to access your passwords, for example, your master password as well as an authentication code.

Learn more about MFA.

It is crucial to use a strong and unique master password to protect your password manager. Using a weak password is like putting your valuables in a safe and leaving the unlock code beside the door. If someone guesses your master password, they may gain access to all your accounts.

Your master password should be the strongest one you can remember. We recommend using a passphrase, which is a more secure version of a password. A passphrase is a string of random words like ‘crystal onion clay pretzel’. It is easy to remember but hard for someone to guess. 

Don’t share your passphrase with anyone or include personal details, such as your street or pet name. If someone can guess your passphrase based on what they know or find out about you, your accounts could be at risk.
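As an added illustration (not part of the original guidance), this Python sketch shows why a passphrase of randomly chosen words is hard to guess: the words are picked by the operating system's secure random generator rather than by a person, and strength grows with both the number of words and the size of the list. The 32-word list is a constructed sample and the function names are hypothetical; the 7,776-word figure is the size of a common five-dice word list.

```python
import math
import secrets

# Constructed 32-word sample list so the example runs offline. A real
# generator needs a list of several thousand words to reach useful strength.
SAMPLE_WORDS = (
    "crystal onion clay pretzel harbour velvet cactus ladder "
    "marble pigeon thunder walnut copper lantern orbit saddle "
    "glacier muffin anchor banjo tunnel feather magnet pepper "
    "violin canyon helmet radish puzzle meadow sponge rocket"
).split()


def entropy_bits(num_words, list_size):
    """Bits of entropy when every word is drawn uniformly at random."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words=4, words=SAMPLE_WORDS):
    """Pick words with the OS secure random source, not by human choice."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def personal_terms_found(passphrase, personal_terms):
    """Return any personal details (street, pet name) found in the passphrase."""
    lowered = passphrase.lower()
    return [term for term in personal_terms if term.lower() in lowered]


if __name__ == "__main__":
    phrase = generate_passphrase()
    print("Sample passphrase:", phrase)
    # The tiny sample list gives only 20 bits for 4 words; a 7,776-word list
    # gives about 51.7 bits for the same 4 words.
    print("Sample list, 4 words:", entropy_bits(4, len(SAMPLE_WORDS)), "bits")
    print("7,776-word list, 4 words:", round(entropy_bits(4, 7776), 1), "bits")
    print("Words needed for 64 bits (7,776 list):", words_needed(64, 7776))
    # Constructed personal details used only to show the check.
    print("Personal terms present:",
          personal_terms_found("crystal onion rex pretzel", ["Rex", "Smith Street"]))
```
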

Learn more on how to set secure passphrases.

Leaving your password manager and device unlocked can give anyone access to your accounts.

Make sure your password manager always asks for your master password or biometrics when using it. Set your device to automatically lock after a short period of inactivity, such as 5 minutes. The shorter the better.

Some password managers have a ‘remember me’ feature. If you use this feature, it will trust the device you are using and ask for your master password less often. Don’t use the ‘remember me’ feature for your password manager if you are on a public or shared device. If you do, other people who use the device could access your accounts. Only use your password manager vaults on computing devices that you trust, and consider using a separate password manager vault for your high value accounts.

Remember your master password

Forgetting your master password is like losing the key to your safe. It may be impossible to recover, which means you lose access to all your stored passwords.

Never save your master password to your browser if prompted.

Add account passwords to your password manager

Use your password manager to generate and store passwords for all your accounts, starting with your most important ones.

Follow these steps for each of your accounts. If you already have a strong and unique password for an account, you can skip steps 3 and 4.

  1. Log into your chosen password manager.
  2. Add details of the account such as the name, current login details and web address.
  3. Use the built-in feature of your password manager to generate a strong and unique password or passphrase.
  4. Log into the account with your existing password and update the password to the new one you created.
  5. Check if you can also turn on MFA for the account for extra security.
  6. Allow login details to be automatically entered on a login web page for trusted devices and websites if your password manager supports this option.

Change your important passwords often, and immediately change any password exposed in a data breach. Updating your master password on a regular basis will also help to improve security.

Consider what accounts you are putting into your password manager. Some service providers, like banks, may not cover losses if you store your password in a password manager.

For accounts you don’t want to store in your password manager, protect them with MFA. Use a strong and unique passphrase if MFA is not available.
