Password and PIN security

Having a secure, unique password for each of your online accounts is critically important. If a scammer gets just one password, they can begin to access your other accounts. That’s why it’s important to have a strong, unique password for your PayPal login.

Use unique passwords

Weak passwords are a problem. But using the same password across multiple websites is an even bigger security issue. Surveys repeatedly find that most people reuse a handful of passwords across dozens of Internet accounts. When one of those sites is breached, attackers take the leaked email address and password and try the same combination on other sites (a technique known as credential stuffing). This means that a password is only as secure as the weakest Internet site that uses it.

At PayPal, we use the best industry-standard techniques to make sure passwords are secure, and we train our personnel in best security practices. But if another website has weaker security, even a strong password could be easily compromised.

Strong passwords

Strong passwords have the following characteristics:

  • More than 8 characters long.
  • Use lower case, upper case, a number, and a special character [like ~!@#$%^&*()_+=?><.,/].
  • Not a word or date associated with you (like a pet’s name, family names, or birth dates).
  • A combination of words with unusual capitalization, numbers, and special characters interspersed. Misspelled words are stronger because they are not in the dictionary used by attackers, but only if the misspelling is unusual: attackers' word lists already include common misspellings and substitutions such as "p@ssw0rd", so swapping a letter for a look-alike symbol adds little.
  • Something you can remember.

We use a password strength checker to help make sure new passwords are strong.
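The following is an added example, not PayPal's own strength checker, of how the rules listed above can be turned into a check. It undoes the common letter-for-symbol substitutions before looking for dictionary words, which is why "P@ssw0rd!" fails even though it has every character class. The word list, the substitution table and the personal terms are constructed for the example; a real checker would load a large list of breached passwords.

```python
import re

# Rules taken from the page's list of strong-password characteristics:
# more than 8 characters; lower case, upper case, a digit and a special character;
# not a dictionary word (even after the substitutions attackers undo automatically);
# not a word or date associated with the user.

SPECIALS = set("~!@#$%^&*()_+=?><.,/")

# Constructed, tiny stand-in for the word lists crackers actually use
# (those hold hundreds of millions of entries, including common misspellings).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "paypal"}

# Common substitutions. Cracking rule sets try these on every dictionary word,
# so "P@ssw0rd" is no harder to guess than "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case and undo leetspeak, the way a cracking rule set would."""
    return password.lower().translate(LEET)


def check_password(password, personal_terms=()):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) <= 8:
        problems.append("too short: must be more than 8 characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in SPECIALS for c in password)):
        problems.append("needs lower case, upper case, a digit and a special character")
    norm = normalize(password)
    hits = sorted(w for w in DICTIONARY if w in norm)
    if hits:
        problems.append("contains dictionary word(s) after undoing substitutions: " + ", ".join(hits))
    # Personal terms (pet names, birth dates) are checked both raw and normalized.
    for term in personal_terms:
        if term.lower() in password.lower() or normalize(term) in norm:
            problems.append(f"contains a term associated with you: {term!r}")
    if re.search(r"(19|20)\d{2}", password):
        problems.append("contains what looks like a year")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; in practice the personal terms come from the profile.
    personal = ("Fluffy", "0317")
    for pw in ("P@ssw0rd!", "Fluffy2019!x", "korRect-hoarse!7", "Blu3Kow&Tr4ctor"):
        print(pw, "->", check_password(pw, personal) or "OK")
```

Note that the check is a filter, not a guarantee: a password that passes every rule can still be weak if it is reused elsewhere, which no checker on a single site can detect.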

Managing multiple passwords

The more passwords you have to remember, the greater the risk you'll forget some of them. However, using the same password for multiple sites puts you at risk. So how can you avoid forgetting passwords?

One good way of keeping multiple passwords is writing them down. You can use complex passwords that are different from each other, and you don't face the risk of forgetting them. Of course, you don't want to write them down in their entirety, or you risk somebody stealing or viewing your list of passwords.

To avoid compromising your security if somebody gets a hold of your password list, don't write the passwords in their entirety. Memorize one part and write down the other. You can use the memorized part of your passwords for several accounts to help make it easier to remember; only the written parts would be different. This method will help you create specific passwords for different websites without the trouble of having to memorize every one of them.

Of course, it's not enough for either part of your passwords to be just a few characters long. That would make it too easy to guess or to test all possibilities. So make each part at least 6 characters in length. And don't forget to keep a copy of the list somewhere safe – just in case.

Don’t keep the password list in your wallet. If a thief were to steal your wallet, they'd get your personal information as well as access to your important accounts. If you need to carry the list with you, consider a password keeper app for your smartphone. Of course, you should use a strong, unique, memorable password for the app.

PIN security

PayPal Mobile applications, PayPal Point of Sale, and some web pages use a PIN.

Just like passwords, it's important that the PIN not be re-used across multiple sites; the PIN would only be as secure as the weakest site that uses it. So use a unique PIN for PayPal.

We require a 4- to 8-digit numeric PIN. Longer PINs are stronger than shorter ones: a randomly chosen 4-digit PIN has a 1:10,000 chance of being guessed in a single attempt, but an 8-digit PIN is 1:100,000,000. The more digits your PIN uses, the more secure it will be.

Don’t select a trivial PIN like 1234 or 1111; these are the most common and most easily guessed. The same goes for using your birth month and day (like 0317); people who know you might easily guess this. Don’t use a current or old phone number because these can easily be looked up. Don’t use the same PIN to unlock your phone and to access PayPal.

Here’s a trick we recommend: think of a memorable image and spell the words with the numeric pad. For example, if you imagine a blue cow, you would enter 2583269, which is B-L-U-E-C-O-W on the numeric pad. This is easy to remember, and it is secure as long as the phrase itself is not guessable: a single common word or a name can be run through the same keypad mapping by an attacker, so pick two unrelated words and keep the result at least 7 digits long.
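The keypad trick and the PIN rules above, as an added example that is not PayPal's own code: a phrase-to-digits mapper plus a check for the trivial patterns the page warns against (repeated digits, sequences, MMDD dates, digits that appear in a known phone number, and single common words spelled on the keypad). The list of common words and the phone number are constructed for the example.

```python
import re

# Letters on a standard phone keypad (the mapping the "blue cow" trick relies on).
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl", "6": "mno",
          "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def phrase_to_pin(phrase):
    """Spell a phrase on the keypad: 'blue cow' -> '2583269'. Non-letters are dropped."""
    return "".join(LETTER_TO_DIGIT[c] for c in phrase.lower() if c in LETTER_TO_DIGIT)


# Constructed list of words an attacker might map through the keypad; a real
# attacker would run an entire word list through phrase_to_pin the same way.
COMMON_WORDS = ("love", "home", "baby", "pass", "cash")
COMMON_WORD_PINS = {phrase_to_pin(w): w for w in COMMON_WORDS}


def is_sequence(pin):
    """True for ascending or descending runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_mmdd(pin):
    """True when a 4-digit PIN could be a month and day, e.g. 0317."""
    return len(pin) == 4 and 1 <= int(pin[:2]) <= 12 and 1 <= int(pin[2:]) <= 31


def check_pin(pin, known_numbers=()):
    """Return the rules the PIN breaks; known_numbers is a list of (label, number)
    pairs such as phone numbers or the phone's unlock code."""
    if not re.fullmatch(r"\d{4,8}", pin):
        return ["must be 4 to 8 digits"]
    problems = []
    if len(set(pin)) == 1:
        problems.append("repeated digit (like 1111)")
    if is_sequence(pin):
        problems.append("sequential digits (like 1234)")
    if is_mmdd(pin):
        problems.append("looks like a month and day (MMDD)")
    if pin in COMMON_WORD_PINS:
        problems.append("spells a common word on the keypad: " + COMMON_WORD_PINS[pin])
    for label, number in known_numbers:
        if pin in re.sub(r"\D", "", number):
            problems.append(f"appears in your {label}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    known = [("old phone number", "+1 (415) 555-0137"), ("phone unlock code", "2580")]
    print(phrase_to_pin("blue cow"))
    for pin in ("1234", "1111", "0317", "5683", "5550137", "2580", "2583269"):
        print(pin, "->", check_pin(pin, known) or "OK")
```

The keypad check is the caveat in code form: "love" maps to 5683 and is flagged, while "blue cow" survives because two unrelated words are not in the single-word list.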

Changing your password or PIN

Normally, there should be no reason to change your password or PIN. But there are a few cases where it's a good precaution. For example:

  • You notice something suspicious on your PayPal account
  • You suspect that someone you don’t trust has your password
  • You notice something suspicious in your email account or other online accounts
  • You have recently removed malware from your system
  • PayPal asks you to change your password

If one of these occurs, change your password, PIN, and security questions immediately. You can change these under personal settings.

If you receive an email asking you to change your password, it could be a case of phishing. Instead of clicking on a suspect link in an email, just log into your PayPal account by manually typing the URL. Click the Settings tab, and then Personal Info. You will find the password, security questions, and PIN (if you've set one up) on this page.

PayPal Security Key

Your password is your first authentication factor when you log into PayPal. If you want additional security, you can add PayPal Security Key to your account as a second factor. This provides much stronger account protection than just a password.

See Security Key for more information.