Passwords and authentication
Learn to manage passwords and add second layers of security.
Introduction to 'Passwords and authentication'
Passwords are part of our everyday life. We use them when we bank or shop online, and to access other apps and websites. They help to protect us, our money and our data when we use our phones, laptops and other devices.
They’re all part of 'authentication'. This is a term that just means proving you are who you say you are. Companies use this as a safety feature to protect you. It can be things like fingerprint scans and sending codes over text. Together they make sure only you can access your account.
What you'll learn
- How to make a strong password.
- Tools that can help create and store your passwords.
- How to use authentication to help keep you, your money and your data safe.
How long it takes
11 minutes
Manage your passwords
Chapter 1
How long it takes
4 minutes
Creating a password
When you log into an account, you may need to enter your user ID or email address first. Then your password. This acts like a digital lock – making sure only you can get in. Other people may know your email address. But your password should only be known by you. Typically, you will be asked to create a password as part of your online account setup. To keep your details safe, it needs to be strong.
What is a strong password?
When you set up a password, most websites and systems have rules on what to include. These rules help you create a strong password – one that is hard for others to guess.
For example, they may want a password that is at least 8 characters long. Often, they’ll ask for a mix of upper and lower case letters, numbers, and special characters like * or !.
How to create a strong password
So, how do you create a password that other people can't easily guess? Passwords that use whole words, like your pet's name or your favourite sports team, are easy to guess, especially if they use details that other people could find out. Try to think of something that has no link to you. Avoid common options like ‘password’ or ‘1234’, too. All these tips will help deter other people from guessing your password themselves.
Cyber criminals also use ‘password cracking’ software. This can quickly test lots of passwords to find a match. So when you think of a strong password, you need to pick one that will slow or stop this from working, too.
With all this to consider, you'll also need to remember what the password is. So how do you do this? The National Cyber Security Centre (NCSC) recommends you start with three random words, then join them together and mix in other characters.
The 'three random words' way to create a strong password:
Step 1
Combine three words
Tree fist blue becomes Treefistblue
Step 2
Swap letters for numbers
Treefist8lu3
Step 3
Add one or more special characters
Treef!st8lu3
Be aware
Common swaps include using the number 0 for the letter ‘o’, and 1 for ‘i’. Hackers know these and will often use them when trying to crack passwords. Words that are linked or easily guessed can make it even easier.
Using three words that are completely unrelated will make it harder to crack.
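The checks a site might run when you create a password, written up as an added Python example (this is not code from the page, the NCSC or any password manager). It applies the rules described above (minimum length and a mix of character types), then undoes the common swaps the 'Be aware' note warns about and compares the result against a small list of common passwords, which is how a checker catches something like 'P@ssw0rd'. The word list, the swap table and the function names are assumptions made for illustration.

```python
import re

# Constructed list for illustration only; real checkers compare against lists of
# millions of passwords that have appeared in breaches.
COMMON_PASSWORDS = {"password", "1234", "12345678", "qwerty", "letmein", "football"}

# The well-known swaps: 0 for o, 1 for i, and so on. Cracking software tries
# these automatically, so a checker undoes them before comparing (assumed table).
COMMON_SWAPS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "!": "i", "@": "a", "$": "s",
})

# Character types most sites ask for.
REQUIRED_CLASSES = {
    "an upper-case letter": r"[A-Z]",
    "a lower-case letter": r"[a-z]",
    "a number": r"[0-9]",
    "a special character": r"[^A-Za-z0-9]",
}


def undo_swaps(password):
    """Turn 'P@ssw0rd' back into 'password' so it can be compared with common words."""
    return password.lower().translate(COMMON_SWAPS)


def check_password(password, min_length=8):
    """Return a list of problems; an empty list means the password passed every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, pattern in REQUIRED_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    # Compare both the typed form and the de-swapped form against the list.
    forms = {password.lower(), undo_swaps(password)}
    for form in forms:
        if form in COMMON_PASSWORDS:
            problems.append(f"is the common password '{form}' (with or without swaps)")
            break
    else:
        # Also catch a longer common word with a few extra characters tacked on.
        for form in forms:
            hit = next((w for w in COMMON_PASSWORDS if len(w) >= 6 and w in form), None)
            if hit:
                problems.append(f"contains the common word '{hit}'")
                break
    return problems


if __name__ == "__main__":
    for candidate in ["1234", "P@ssw0rd", "Treefistblue", "Treef!st8lu3"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

Run as a script it reports why '1234' and 'P@ssw0rd' fail while 'Treef!st8lu3' passes every check. The point the example makes is that the swaps alone add almost nothing: what keeps 'Treef!st8lu3' out of the common list is that the three words underneath are unrelated.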
Changing your passwords
You can change your password at any time. Regularly changing them can help keep your accounts safe. If you think someone has guessed or used one of your passwords, you should change it straight away.
Change a device password
Most devices let you change your login password through Settings.
Look for the cog icon or search 'change password'.
Change a website or app password
Search or use the menu to find the 'profile' or 'account' section.
You should find how to change your password there.
Storing your password
Here are some ideas for you to think about:
- If you need to write your passwords down, keep them in a safe place, away from all your devices.
- Your web browser may ask if you want to store your password for you. This is a safe option only if no one else uses that device, so don't use it on a device you share with others.
- Alternatively, you may want to use a password manager.
Remember
Keep passwords safe - think of them like underwear:
- Keep them out of sight.
- Change them regularly.
- Don’t let anyone else use them.
Password Managers
The NCSC also recommends using a password manager. These tools can create your passwords and store them safely. So, you just need to remember one strong password – the one for your password manager.
How a password manager works
Need a strong password? Your password manager can suggest one.
It will then offer to store your password safely. So the next time you log into that site, it will automatically fill in your password.
That's it - no need for you to think up and remember all your website and app passwords!
Some password managers are built into your device's systems
Like Google Password Manager and iCloud Keychain. Other free options include Bitwarden and KeePass.
Paid-for tools, like 1Password and Keeper include other security features.
These tools aren't completely risk-free
Most rely on you using (and remembering) a single strong password to access the password manager itself.
So if someone else gets to know that password, they can get access to all the others stored there.
Some password managers reduce the risks by using something called multi-factor authentication (MFA). This makes it easier for you and harder for others to access the tool.
We'll talk more about MFA in the next chapter.
Credential managers
When you use apps like Google’s Password Manager and Apple’s Passwords, you may see that they can store more than just passwords. For instance, they might store the username for the website you have a password for. This means they can auto-fill both username and password for you. You can use them to store Wi-Fi passwords and other login details, too.
We usually call these tools ‘password managers’, but because they can store other authentication information, they’re also known as credential managers.
The National Cyber Security Centre has a handy guide on creating and using passwords.
Authentication
Chapter 2
How long it takes
7 minutes
What is authentication?
In the last chapter, we looked at passwords. This is one way to log into systems or devices. But there are other ways to do this. Maybe you use your fingerprint or your face. You might use a PIN, a pattern or a passcode.
Websites and other software use authentication to check your identity. It's how you prove who you are, to gain access to devices, sites and apps. There are many different types, and sometimes we use more than one to give an extra layer of safety.
Passwords are a common type of authentication.
Let's look at some other types:
- Text codes
You receive a code by text on your phone, which you then type into the site or app. These codes are temporary - most expire after 10-30 minutes.
This is sometimes called a 'One-Time Passcode', or OTP. That's because that code only works once. You type in the code, then if you need another one later, they'll send you a new code.
This can be safer than just using a password. A scammer may be able to get your password, but it’s harder for them if they also need access to your phone and the code on it.
- Biometrics
This uses things that are unique to you.
For example, your mobile device may scan your face or fingerprint. Then, when you want to unlock your device you can use this instead of a passcode or pattern.
Biometrics are often used in MFA and passkeys, for extra security. We’ll talk about these later in this chapter.
Be aware
When you set up your device to work with your face or fingerprint, it’s likely to ask for another option, too.
This is just in case there are times when it can’t read your fingerprint or doesn’t recognise your face.
- Authenticator apps
Free apps like Google Authenticator, Microsoft Authenticator and Authy can add an extra layer of safety. They create one-time codes that you can then enter in the website or app when prompted.
These codes change every 30 or so seconds. There's often a countdown timer so you can see when the code is about to refresh. So if it's down to 3 seconds for instance, you may decide to wait for the next number to be generated.
- Magic links
These are a popular alternative to using passwords for some sites and apps. You enter your email address and they'll email you a one-off 'magic link'. Use this link to gain access to the site.
- Social logins
Some sites let you log in through your social media account. The site redirects you to your social media platform to check your identity. This can save you time and effort in setting up another account for that site.
You may also see options to log in using your Google or Apple accounts. These work in the same way as the social logins.
Be aware
These options can be a quick way to log in without setting up more accounts. Some options also give more security.
But be aware that when you use them, you may be giving the site access to some of your personal information.
- Card readers and tokens
Some banks still use physical card readers to give extra security. You insert your card in the reader and enter your PIN to get a code from the reader. You then enter the code on the banking site or app.
Some companies also give their employees 'hard token' devices for remote working. These generate long codes, which change every 10-30 seconds. Enter the code on your PC or laptop to access files and systems. Other organisations use ‘soft token’ software, which works in a similar way but doesn’t use an extra device.
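How the one-time codes in the list above are produced and checked, as an added Python example (this is not code from the page or from any of the apps or banks named). The first part issues the kind of random code a site sends by text: it expires, works only once, and allows a few wrong attempts before it is thrown away. The second part is the time-based algorithm (TOTP, RFC 6238, built on an HMAC) that authenticator apps and hard tokens use: the code depends on a secret shared when you enrol plus the current 30-second time step, which is why it changes on a countdown. The 10-minute lifetime, the attempt limit, the verification window and the class and function names are assumptions for illustration; the secret is the RFC 6238 reference-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


class TextCodeService:
    """Random one-time passcodes of the kind a site sends by text.

    The dictionary stands in for the site's database (constructed for this example).
    Lifetime and attempt limit are assumed values.
    """

    def __init__(self, lifetime_seconds=10 * 60, max_attempts=3):
        self.lifetime = lifetime_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # user -> [code, expiry time, attempts left]

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"  # cryptographically random, not a counter
        self._pending[user] = [code, now + self.lifetime, self.max_attempts]
        return code  # a real service hands this to the SMS gateway, not back to the caller

    def redeem(self, user, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if now > expires_at:
            del self._pending[user]  # expired: the user must request a new code
            return False
        if hmac.compare_digest(code, submitted):
            del self._pending[user]  # one-time: a redeemed code can never be reused
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]  # too many wrong guesses: throw the code away
        return False


# --- Time-based codes, as used by authenticator apps and hard tokens (RFC 6238) ---

# Secret from the RFC 6238 reference vectors, for demonstration only. In practice
# the app receives its own secret when you enrol with the site.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: the last nibble picks 4 bytes
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """Code for the current time step. Hard tokens use the same scheme with a shorter step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def seconds_remaining(at=None, step=30):
    """What the countdown timer in the app shows before the code refreshes."""
    now = int(time.time()) if at is None else at
    return step - (now % step)


def verify_totp(secret, submitted, at=None, step=30, window=1):
    """Server-side check. Accepting one step either side tolerates clock drift and
    the case where the countdown ran out while the user was still typing."""
    now = int(time.time()) if at is None else at
    current = now // step
    return any(hmac.compare_digest(hotp(secret, c), submitted)
               for c in range(current - window, current + window + 1))


if __name__ == "__main__":
    service = TextCodeService()
    code = service.issue("alice", now=1000)
    print("text code accepted once:", service.redeem("alice", code, now=1001),
          "then refused:", service.redeem("alice", code, now=1002))
    print("TOTP now:", totp(SECRET), "refreshes in", seconds_remaining(), "s")
```

Two design points worth noticing: both checks use `hmac.compare_digest` rather than `==` so that a wrong code takes the same time to reject as a nearly-right one, and the text-code service deletes the code on success, which is what makes it genuinely one-time. The verification window is also why the page's advice about waiting for the next number when the countdown is nearly over is a convenience rather than a necessity on most sites.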
Multi-factor authentication (MFA)
Also known as 2-factor authentication or 2-step verification (2SV), this means using more than one security ‘factor’. For instance, you may set up your device to unlock with a face scan. But what if it's dark and your phone camera can't see your face clearly? You may need to use your passcode or pattern as an alternative way to unlock it. That's the second 'factor'.
Let's look at another example. You're shopping online and have reached the checkout page. You choose your payment method and give your card details. Then a screen pops up to say your bank wants to check it's really you. They may send you a text code or ask if you want to use the app to confirm. Either way, this is the second 'factor' – the extra layer of security.
Some of the authentication methods you've seen in this lesson, like text codes from your bank or authenticator apps, are all about giving you this extra protection. Others work on their own, but can also be combined with other methods. It's good to have backup options, especially if it saves you from creating and managing more passwords.
Where do we commonly see MFA?
Built into some devices, apps and sites
Like Apple and Google accounts. So if you forget your password, you can still access your account.
Banks sometimes use it when you shop online
For instance, if you're buying something from a site you haven't bought from before.
You can set up 2SV for other sites and apps
It can give you extra protection, especially if someone does manage to get hold of your password.
There are benefits to using MFA, but it's good to know what to expect when you use it, too.
MFA can give you:
- Greater security.
- Reduced risk of fraud.
- Better user experience.
- Reduced password risk.
What to bear in mind:
- It may take longer to log on or complete a purchase.
- You may need another device. For instance, if you're buying on your laptop, you may get a text to your phone.
Want to find out how to set up MFA on your accounts? See the NCSC's guide.
It shows you how to set up for email, social apps and other sites.
Passkeys
Imagine being able to access any of the websites, apps or systems you use, quickly and securely. Without passwords. That’s where passkeys come in.
Research by the FIDO Alliance (PDF, 1.5Mb) shows that using passkeys is:
- 3 times faster than other ways of signing in.
- 30% more likely to succeed compared to other methods.
What are passkeys?
More and more websites and apps are using passkeys as an alternative to passwords. Instead of using something you remember, a passkey uses your device plus whatever you already use to unlock that device. So that might be your face, fingerprint, a PIN, pattern or passcode.
They’re created and safely stored on your device by the built-in credential manager – like Apple Passwords, Google Password Manager, Samsung Pass or Windows Hello.
Some credential managers also ‘sync’ the passkeys across all the devices you use for that account. That means the passkey is securely copied to all these devices.
How to use a passkey
Not all sites and apps let you use passkeys.
For those that do, here’s how to use them:
Step 1
Sign into the website or app in your usual way
This might be with a password, for instance.
Step 2
Find the passkey option
This might say ‘create a passkey’, ‘add a passkey’ or ‘save a passkey for this account’.
Step 3
Create the passkey
Tap or click the option to create the passkey.
Step 4
Confirm it’s you
Use what you do to unlock your device. For example, face, fingerprint, PIN or pattern.
Once it’s set up, you can use the ‘sign in with passkey’ option whenever you use that website or app. Just confirm it’s you using your unlock method and you’re in.
Be aware
These steps will work if the device you use to access the site or app has the passkey on it.
Using a different device? You’ll need to have your passkey device with you. Look for the ‘passkey from nearby device’ option. This shows a QR code that you scan with your passkey device.
Bank of Scotland Academy is committed to providing information in a way that is accessible and useful for our users. This information, however, is not in any way intended to amount to authority or advice on which reliance should be placed. You should seek professional advice as appropriate and required. Any sites, products or services named in this module are just examples of what's available. Bank of Scotland does not endorse the services they provide. The information in this module was last updated on 27th April 2026.