Why this matters more than it used to
Until fairly recently, "online safety for children" mostly meant strangers in chat rooms. The threat now is broader and more mundane: the average UK 10-year-old has logins for school email, Microsoft 365 or Google Classroom, two or three games (Roblox, Minecraft, Fortnite), a streaming service or two, and possibly a social platform that they probably shouldn't have. Each of those accounts is a potential breach point, and children inherit their habits from us — which means many of them are already reusing one weak password across everything.
The good news is that you don't need a computer science degree to teach this well. Three simple rules and one decent tool — a password generator or family password manager — covers nearly all the risk.
The three rules that cover almost everything
If a child only ever remembers three things about passwords, make it these:
1. Never use the same password twice
This is the single most important rule, and it's bigger than length, symbols, complexity, or anything else. The reason: when a website is breached and passwords are leaked (which happens constantly — check Have I Been Pwned for a list), criminals immediately try those leaked passwords on every other major service. If your child reused the password on five sites, all five accounts are now at risk. If they used a unique password, only the breached one is.
This rule is also why password managers exist — because remembering a unique password for every account is impossible without help.
2. Never tell anyone your password
This sounds obvious. It isn't, especially with younger children playing online games. The most common attack on a child's account isn't sophisticated hacking — it's a person in a game or a chat saying "I can give you free [skin / V-Bucks / Robux] if you tell me your password." Phishing messages pretending to be from the game company are a close second.
The script worth teaching: "No real company or game will ever ask for your password. If anyone asks, the answer is no, and tell a grown-up." The "tell a grown-up" part matters — many kids don't report attempts because they think they'll be in trouble for being on a chat in the first place.
3. Important passwords go in a safe place at home
For younger children especially, writing it down isn't a security failure — it's better than reusing a weak password they can remember. The key is where. A note inside a notebook in a drawer at home is fine. A sticky note on the school iPad is not.
For older children, a family password manager is the better answer — they get to learn the tool that adults use.
What to teach, by age
This is rough — children vary enormously — but a useful starting point.
Ages 5–7 First passwords
At this age you're not really teaching password security — you're laying the groundwork. The lessons that matter:
- A password is a secret. Like the secret way into a den. You don't tell anyone the secret, even your best friend.
- An adult helps you with passwords. Not because you can't be trusted — because passwords are tricky and adults' job is to help with tricky things.
- If a game asks you to type a password and you weren't expecting to, find an adult.
Generate the password yourself with a tool like the Kids Generator on Easy mode (one word + a number), and write it down for them. Don't expect them to remember.
Ages 8–10 Their own passwords
This is the age where kids start having their own logins they actually need to use independently — school email, Microsoft 365, learning platforms, Minecraft. Now you can teach the three rules properly:
- Show them how to generate a password (let them click the button — it makes it feel like theirs).
- Explain that different accounts get different passwords, and show them what reuse looks like and why it's a problem.
- Introduce the idea of a password being longer = stronger. The three-words method (
RiverPianoLamp) is much better at this age than trying to memoriseR7!kQ9z. - Decide together where the passwords get stored: a notebook at home, or a family password manager you set up together.
Ages 11–14 The full rules
Secondary school age means they're using their own laptop or phone, often unsupervised, and they have many more accounts (social, gaming, streaming, plus all the school stuff). Now's the time for:
- Setting up a password manager properly — they manage their own vault but you have access if they forget the master password. Bitwarden has a free tier that works fine for this.
- Teaching multi-factor authentication (MFA). Show them how to set it up on their email, their main game accounts, and any social platform. Explain that if someone gets the password, MFA is what stops them getting in.
- Phishing recognition. Show real examples — fake "your account will be suspended" emails, fake game prize messages, fake login pages. Teenagers are surprisingly susceptible if they're rushing.
- What to do if a password is leaked. Walk through the steps once: change the password, check Have I Been Pwned, change the same password anywhere else it was used (and then promise never to reuse a password again).
Ages 15+ Treat them as adults
By this point the technical skills should be mostly there. The remaining gap is usually emotional: pressure to share passwords with partners, accounts that get linked together messily, sextortion scams. The conversations get harder, but the password-specific advice is just: keep using the password manager, keep MFA on everything that matters, and never share your password with anyone — including a partner who "just wants to check something." A genuine partner doesn't need your password.
Password managers for families
A family password manager is the single biggest upgrade you can make to your household's online security. Two solid options used widely in the UK:
- Bitwarden Families — free tier handles unlimited passwords for one user; the Families plan (about £30/year) covers up to 6 family members with shared collections, so you can share things like the Netflix password without anyone needing to actually know it. Open source.
- NordPass Family — paid, polished interface, includes data breach scanning and emergency access. Better suited to less technical families.
Disclosure: links to NordPass elsewhere on this site are affiliate links — we may earn a small commission at no extra cost to you. The recommendation is the same either way; both are reputable.
For teachers and schools
School IT setup tends to involve setting up dozens of pupil accounts at once and then never thinking about the passwords again until something goes wrong. A few practical points:
- Use the bulk mode on the Kids Generator to create a class set in one click and export to CSV. This works for Active Directory bulk import, Microsoft 365 / Entra ID, Google Workspace, or any of the common UK MIS systems (SIMS, Arbor, Bromcom).
- Use Strong mode for staff accounts — these are 12+ characters and align with UK Cyber Essentials v3.3, which most schools holding government data are now expected to maintain.
- Don't print pupil passwords on a sheet that gets photocopied 30 times and lives on the wall. Hand them out individually if you must, and have a clear process for password resets when a pupil forgets (which they will, often).
- Get pupils to change the assigned password to one they choose, ideally generated again rather than typed. This embeds the habit early.
What to avoid (common bad advice)
Some of what's still being taught — including in some primary school computing curricula — is actively unhelpful:
- "Use a complex password with @ for a, 3 for e." Hackers' tools have known about these substitutions for 25 years.
P@ssw0rd!is barely better thanpassword. Three random words is far stronger and far more memorable. - "Change your password every 30 days." The NCSC explicitly advises against this. Forced regular changes lead to weaker passwords (people just append a number) and don't actually improve security. Change passwords when there's a reason — a breach, a suspicion, a device lost.
- "Use a long, random string of characters." Fine if a password manager is generating and storing it. Disastrous if a child has to memorise it — they'll either forget it or write it on the iPad.
- "Use your favourite [pet/team/colour]." Anything findable on a child's social media, a parent's social media, or guessable from family names is a bad password.
Conversations to have
If you don't know how to start the conversation, these openers tend to land well:
"I'm setting up a thing on my computer that remembers all the passwords for me. Want me to set one up for you too? You can have your own — I won't see what's in it."
"Has anyone in [game] ever asked you to send them your password? What would you say if they did? What if they offered you something free?"
"Imagine someone got into your school email. What could they do with it? What about your game account? Which one would be worse?"
These work because they treat the child as someone capable of thinking about it, not someone being lectured at.
Further UK resources
- NCSC Cyber Aware — the UK government's home cyber security guidance.
- NCSC CyberSprinters — interactive games for 7–11 year olds, free.
- Thinkuknow — CEOP's online safety education programme, with age-banded resources.
- Internet Matters — practical parent-focused guidance on a wide range of online safety topics.
- Have I Been Pwned — check whether any of your email addresses have appeared in known breaches.
Ready to start? The Kids Password Generator on this site is designed for exactly this — child-safe wordlists, three difficulty levels, and a bulk mode for teachers.