Family Password Safety: A Practical Checklist

Strong passwords are still the most underrated layer of child online safety. A breached or shared password lets bullies, scammers, and stalkers into a child's accounts in seconds, sometimes without the child ever knowing. This checklist gives UK families a practical, age-by-age way to build good password habits together, drawing on guidance from the National Cyber Security Centre and Get Safe Online. Start with the household. Audit which accounts are essential — email, banking, school portals, streaming, gaming, social media, smart-home apps. Identify any accounts that share the same password across family members; these are your highest priority to fix. Use the NCSC's recommended approach of three random words for memorability, or — better — switch to a password manager and let it generate long random passwords for you. Set up a family password manager. Choose one with a strong track record (look for independent audits). Use a long master password that you do not use anywhere else, ideally combined with biometric unlock on each device. Most major providers offer family plans with separate vaults per member and shared vaults for things like the household streaming account. Introduce a password manager at the same time as a child's first phone or first social account. Turn on two-factor authentication everywhere it is offered. The priority accounts are email (because email controls everything else), banking and payments, app stores, school accounts, and any social media or gaming accounts the child uses. Authenticator apps are stronger than SMS codes, but SMS is much better than nothing. Make sure each account also has up-to-date recovery information — a backup email and phone number you actually control. Age-by-age rules. For under-8s, parents own all passwords and the child does not log in or out independently. From 8 to 10, introduce the idea of secret passwords, supervise account creation, and keep all passwords in the family vault. From 11 to 13, children can have their own vault within the family password manager, but you keep a recovery route documented for emergencies. From 14 to 16, privacy increases, but you should still agree how access works in safeguarding emergencies — write this down in your family agreement. From 17 onwards, treat them as adults learning to manage their own credentials. Rules everyone follows. Never share a password by message, email, or voice — even with friends, partners, or family. Never write passwords on a sticker on the laptop. Use unique passwords for every account; if you must remember a few yourself, make those the most important (email, password manager master, banking). If a service is breached (you can check at haveibeenpwned.com), change that password immediately, and change any other accounts that shared it. Watch for scams. Most successful account takeovers in the UK do not involve cracking a password — they involve tricking the owner into giving it away. Children and teenagers should be told that legitimate companies, schools, and friends will never ask for their password, ever. Phishing emails, Discord and Roblox messages offering free items, and 'support' messages on social media are common routes. If your child clicks something and enters a password, treat it as a breach and change passwords from a clean device. Review annually. Put a date in the family calendar — for many people, the start of the new school year works — to review accounts, remove ones you no longer use, and check that recovery details are still correct. Strong password hygiene is not a one-off project; it is a quiet habit that prevents most household cyber incidents.