Passwords and PINs

With a shift towards a more digital world, having strong and secure passwords and PINs has become essential. Learn how to create a strong password and PIN to protect you and your family.

Weak passwords

Weak passwords are susceptible to clever guesswork and various types of password hacking techniques. Although it’s not always easy to make up or remember passwords, creating a strong, unique password is a vital part of protecting your information from unauthorized access. Remember to never share your passwords with your family or friends. Your passwords are secret and must be known only to you.

Below are a few examples of information and practices to avoid when creating passwords.

Common information

Do not include your birth date, phone number, names of family members, or information identified online. 

Common numbers and words 

Avoid simple sequences of numbers or letters (for example, “123456”, “111111” “AABBCC”) and common words (for example, "password" or "login”).

Keyboard combinations

Do not incorporate adjacent keyboard combinations (for example, “qWerty”, “asdzxc”, “qeadzc”).

Old passwords

Do not reuse old passwords on different accounts and logins. Using unique passwords ensures that if one of your online accounts is breached the rest remain safe.

Short passwords

Avoid using passwords less than 8 characters long. Longer passwords make it harder for others to guess – aim for at least 12 characters.

Sharing passwords

Never share your passwords with anyone, friends or family included. Also avoid writing them down or storing them where someone can copy them. 

Default passwords

Change the default passwords on any new accounts and devices immediately. 

How do I create a strong password?

The strongest and most reliable form of password you can create is called a “passphrase". It will ensure your password is sufficiently long and meaningful only to you so that it is easy to memorize.

A passphrase is created when you take a sentence or phrase and convert it to a password. Remember, the longer your password is, the harder it is for hackers to crack!  When a password cracker has more characters to work through to guess your password, it’s less likely to be successful. You don’t need a complex password with lots of special characters if you have a long passphrase.

Let’s look at how you can create a strong passphrase. 

How to create a passphrase

Two-Factor Authentication (2FA) & Multi Factor Authentication (MFA)

2FA and MFA are both ways of confirming your identity when logging in.

Two-factor authentication (2FA) requires you to provide exactly two different ways of identifying yourself before allowing you to login. For example, your password or biometric facial recognition is one factor, and an SMS code sent to your phone is the second factor.

Multi-factor authentication (MFA) is an enhanced method of authentication which uses a minimum of two authentication factors - but can also use more. All 2FA methods are MFA methods, but not all MFA methods are 2FA only.

Common types of MFA include:

  • Something you know: password, PINs, security question responses.
  • Something you have: One-Time Passwords (OTPs) sent via SMS, soft token on a mobile device or a hard token.
  • Something you are: biometrics such as facial recognition, fingerprint, etc.  

Increase the factors used, increase the security. 

One-Time Passwords (OTPs)

OTPs are temporary, time-bound generated passwords. These passwords often expire within minutes of being sent or displayed. The temporary password can be sent to your mobile phone by SMS, your email address, or to an app that is specifically meant to generate OTPs. Once you’ve entered your password, along with the OTP, you can then access or complete transactions on your account. 

Be aware that sometimes a fraudster will call and pretend to be a Scotiabank Customer Service representative, or bank investigator, calling about a suspicious transaction or activity on your account and they will ask you for the OTP that was recently texted or emailed to you.  Remember: When Scotiabank sends you an OTP, only you should know it – it is personal and unique to you specifically.

Scotiabank will never call, text, or email asking you to disclose your OTP or any other login credentials (e.g., password or PIN).


When creating a PIN, remember to select the maximum number of unique digits (numbers, letters, or a combination of both) that you can remember.

Do not select your birth date, telephone number, license plate number, address, postal code, or other easy-to-guess combination.

Remember to shield the keypad when entering your PIN at an ABM or when making Interac debit or credit card purchases.

Report an incident or suspicious activity

Suspect suspicious activity? Report it to us.