Creating and remembering secure passwords is an issue faced by most, if not all, of us. We are constantly told about the need to have a strong and unique password for every single website, service, and app we use, and doing this is easier said than done.
With hundreds of millions of individual user accounts falling victim to hackers and hijackers each year, though—partly because of the widespread use of simple, insecure, or recycled passwords—having a secure password has never been more important.
Additionally, companies are increasingly falling victim to data breaches which can expose the passwords of millions of users.
This might not be a big issue if you use a different password for each account. If you reuse a password, though, a breach at one site puts every other account that shares it at risk: attackers take the leaked username and password pairs and try them on other services automatically (credential stuffing), and it usually works on a good fraction of accounts.
Unfortunately, you don’t always know if your information has been leaked until it’s too late. That means the best time to fix this password problem is now.
Best Practices for a Strong Password
Fortunately, the core advice for making a secure password has stayed stable for years, and will likely remain so unless passwords are replaced by something else. The emphasis has shifted a little: current guidance such as NIST SP 800-63B puts more weight on length, uniqueness, and avoiding known-breached passwords than on forced mixes of character classes or scheduled password changes.
According to cybersecurity professionals, a strong password should follow these best practices—
- Do not use a single word or combinations of words. If a word can be found in a dictionary, it is best you leave it there. These are far easier to guess, especially if somebody who knows you or has analyzed your public data online is trying to do it!
- Instead, opt for using a password that is a nonsensical string of letters (both capital and lower-case), numbers, and symbols if the website or service allows them. This makes the password much harder to crack.
- Make your password long: at least 12-16 characters, and longer is better. Each additional randomly chosen character multiplies the number of guesses an attacker has to make, so a long random string is hard to crack even by machine.
Sound too complicated?
Don’t worry, it’s now easier than ever to create and store unique passwords that are strong and complex. You don’t even need to remember them.
But first, let’s find out why these kinds of passwords are considered strong.
How to Tell if a Password is Strong
The key to any strong password is its entropy, which is a measure of how unpredictable it is.
Entropy is counted in bits: a password chosen uniformly from N equally likely possibilities has log2(N) bits, and every extra bit doubles the number of guesses an attacker needs on average. That is why, all else being equal, longer passwords are stronger: each extra randomly chosen character multiplies the number of possibilities. Note that cracking tools do not guess one character at a time; they try whole candidate passwords, billions per second against a leaked hash, starting with dictionaries, common patterns, and previously leaked passwords and only then moving on to random strings.
Of course, just because a password is long doesn’t mean it’s safe. We’ll demonstrate why that is.
Let’s begin with the password redorangeapple. It’s 14 characters long, which sounds great, but it is really just three dictionary words, and related ones at that (two colours and a fruit). A cracker trying combinations of common words will find it long before it has to try random 14-character strings.
We can make the password a bit more complex by swapping out some of the letters for numbers—
This is a little bit better, but it’s still not great. Let’s add in some capital letters—
Then some symbols—
This increases the number of characters to 16. There’s still a problem, though—the words still represent dictionary words. With a little rearranging, we can fix that—
Although it is a lot easier to just come up with a random string of characters, we as humans aren’t particularly good at being random, especially when we are trying to be random. There are plenty of research papers that have explored and proven this assertion, so we’ll leave it to you to look it up if you’re interested!
The major benefit of creating a password like the one above compared to just mashing your keyboard and hoping for the best is that the former is much easier to remember. When you’ve spent time making your own password from words, phrases, or information that relates to you and have made sure to make it secure, it becomes much easier to remember.
You can also try the method of turning a sentence into a password. For example:
“My name is Adam and I am a lawyer” could become “Mn14a!4ma7^wY3r“.
Now you have a password that is far less predictable than the sentence it came from, yet still easier for you to remember than a fully random string. It is not quite as strong as a generated random password of the same length, since the letters are not independent of one another, so keep it long.
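To put numbers on the entropy argument above, here is a small calculator added for this article (it is not code from the original page). It computes the bits for a random string, for a passphrase built from a word list, and the average time to crack at three assumed guess rates. The guess rates, the 10,000-word dictionary used to model redorangeapple, and the 7,776-word list size are assumptions chosen for illustration; the formulas are the standard ones.

```python
import math

# Guess rates for three attacker models (assumed orders of magnitude, not
# measurements): a rate-limited online login form, an offline attack on a
# leaked fast hash (e.g. unsalted SHA-1/NTLM) with a GPU rig, and an offline
# attack on a deliberately slow, memory-hard hash such as Argon2 or bcrypt.
GUESS_RATES = {
    "online, rate limited": 10.0,
    "offline, fast hash": 1e10,
    "offline, slow hash": 1e4,
}


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly and independently
    from `alphabet_size` possibilities: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Same formula with words as the symbols and the list as the alphabet."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Round a duration to the most readable unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def compare_models() -> dict:
    """Entropy of the article's examples under different attacker assumptions."""
    return {
        # 'redorangeapple' looks like 14 random lowercase letters...
        "redorangeapple as 14 random letters": random_string_bits(26, 14),
        # ...but is really 3 words; assume a 10,000-word candidate list
        "redorangeapple as 3 dictionary words": passphrase_bits(3, 10_000),
        # a generated 16-character password over the 95 printable ASCII chars
        "16 random printable characters": random_string_bits(95, 16),
        # 12 words drawn at random from a 7,776-word diceware-style list
        "12 random diceware words": passphrase_bits(12, 7776),
    }


if __name__ == "__main__":
    for label, bits in compare_models().items():
        print(f"{label}: {bits:.1f} bits")
        for model, rate in GUESS_RATES.items():
            secs = expected_crack_seconds(bits, rate)
            print(f"    {model:<22} {human_time(secs)}")
```

The point the numbers make: counted as random letters, redorangeapple would be worth about 66 bits, but counted the way a cracker actually attacks it (three words from a modest list) it is closer to 40 bits, which a GPU rig gets through in under a minute against a fast hash. The generated 16-character string sits above 100 bits under every model.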
Creative Tips for Making a Strong Password
Still stuck? Here are a few tips you can draw inspiration from to create an effective and secure password.
1. Move your fingers’ typing position
- Start with your fingers inside of Q, A, and Z on the left and P, L, and M on the right.
- Type out a word, phrase, or combination of them and then replace each letter of this with the key to the left or right.
e.g. adamhopkins would become sfs,jp[lomd (using only keys to the right of the original letters)
- Remember these words, the phrase, or the combination and you’ll remember the password.
- For extra security, reverse the letters in the password, replace some letters with numbers and add in a symbol or two.
e.g. sfs,jp[lomd could become $f$,jp[l0md
Keep in mind that shifting keys, reversing, and letter-for-number swaps are all standard mangling rules in password-cracking tools, so the result is only as secret as the word you started from. Don’t start from your own name or anything else that appears on your public profile.
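The shift rule above is mechanical enough to write down, which is also its weakness. The following Python (added for this article, not code from the original page) applies the right-shift on a US QWERTY layout, reproduces the example adamhopkins to sfs,jp[lomd, undoes it, and then enumerates every variant an attacker who knows the method and the starting word would have to try. The row layout and the five letter-for-symbol swaps are assumptions matching the article’s examples.

```python
# US QWERTY rows as typed without Shift. The tip replaces every character
# with its right-hand neighbour in the same row; keys at a row's right edge
# and characters not on the map (spaces, capitals) are left unchanged.
ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]
RIGHT = {row[i]: row[i + 1] for row in ROWS for i in range(len(row) - 1)}
LEFT = {right: left for left, right in RIGHT.items()}

# The article's 'extra security' step: a few letter-for-symbol swaps
# (assumed set, chosen to reproduce its example).
LEET = str.maketrans({"s": "$", "o": "0", "a": "4", "e": "3", "i": "1"})


def shift_right(text: str) -> str:
    """'adamhopkins' -> 'sfs,jp[lomd' (the article's example)."""
    return "".join(RIGHT.get(c, c) for c in text.lower())


def shift_left(text: str) -> str:
    """Undo shift_right: 'sfs,jp[lomd' -> 'adamhopkins'."""
    return "".join(LEFT.get(c, c) for c in text)


def leet(text: str) -> str:
    """'sfs,jp[lomd' -> '$f$,jp[l0md'."""
    return text.translate(LEET)


def candidates(word: str) -> set:
    """Everything an attacker who knows the method and the starting word
    would try: shifted either way, optionally reversed, optionally leeted.
    That is a dozen guesses at most, i.e. the method adds under 4 bits."""
    bases = {word, shift_right(word), shift_left(word)}
    bases |= {b[::-1] for b in bases}
    return bases | {leet(b) for b in bases}


if __name__ == "__main__":
    print(shift_right("adamhopkins"))          # sfs,jp[lomd
    print(leet(shift_right("adamhopkins")))    # $f$,jp[l0md
    print(sorted(candidates("adamhopkins")))
```

The useful takeaway is in candidates(): the transform turns one guess into about twelve, so all the real unpredictability has to come from the word or phrase you start with, not from the keyboard trick.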
2. Use a passphrase
Bitcoin wallets made the passphrase familiar: to regain access to a wallet you type in its 12-word mnemonic, a sequence of words chosen at random from a fixed list.
These 12 words can be:
- A long phrase you make up, such as “Samuel loves the golden brown bird because she made him rich.“
- A string of 12 random words, like Door Screen Keyboard Sky White Panel Light Duck Tissue Mirror Desk Carpet.
With this method it’s fine to use common words. The strength comes from how many words there are and how unpredictably they were chosen, not from how obscure they are, so words picked at random (dice, a generator, or opening a book to random pages) give the most. A made-up sentence that somewhat makes sense is easier to remember but also more predictable, since each word narrows down the next, so make it longer to compensate.
This is strong enough alone, but throw in symbols and numbers and you make it even stronger.
One thing you don’t want to do is use a commonly known phrase such as a quote from the Bible, song lyrics, or other sentences people can guess.
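Picking words or characters “at random” is exactly the step humans do badly, so here is a generator added for this article (not code from the original page) that does it with the operating system’s cryptographic random source via Python’s secrets module. It covers both the random-character password from the best-practices list and the random-word passphrase described here; the 32-word list is a constructed sample for the demo, and a real deployment would use a large published list such as the EFF long list (7,776 words).

```python
import secrets
import string

# 94 printable ASCII characters (no space); trim it if a site forbids some.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed sample list so the demo runs offline. Entropy per word is
# log2(list size): 5 bits here, 12.9 bits with a 7,776-word list.
SAMPLE_WORDS = [
    "door", "screen", "keyboard", "sky", "white", "panel", "light", "duck",
    "tissue", "mirror", "desk", "carpet", "anchor", "bridge", "copper",
    "dragon", "engine", "forest", "garden", "hammer", "island", "jungle",
    "kettle", "lantern", "marble", "needle", "orbit", "pepper", "quartz",
    "river", "saddle", "timber",
]


def generate_password(length: int = 16, alphabet: str = PRINTABLE,
                      require_all_classes: bool = True) -> str:
    """Uniformly random password from `alphabet` using the OS CSPRNG.
    With require_all_classes, resample until lower, upper, digit and
    symbol all appear (most sites insist); the entropy lost is negligible
    at 16 characters. Never use the `random` module for this: it is seeded
    predictably and not designed to resist guessing."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    if require_all_classes and not all(
            any(c in alphabet for c in cls) for cls in CLASSES):
        raise ValueError("alphabet lacks a required character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or all(
                any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(word_count: int = 6, wordlist=SAMPLE_WORDS,
                        sep: str = " ") -> str:
    """Words drawn independently with replacement (like rolling dice),
    so every combination is equally likely and the entropy is exactly
    word_count * log2(len(wordlist))."""
    if word_count < 4:
        raise ValueError("use at least 4 words")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_passphrase(6))
```

Six words from a 7,776-word list give about 77 bits, comfortably strong; six from this 32-word sample give only 30, which is why the size of the list matters more than the choice of words. This is the same job a password manager’s generator does for you.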
3. Put your job lingo to good use
If you work within a professional industry, there is probably a lot of irritating corporate lingo that’s thrown around the office, in meetings, and in emails. As irritating as it may be, this is perfect password material, especially if you work within a niche industry.
Industry-specific jargon is harder for people and cracking programs to guess than everyday words because it is less expected, though rare words do turn up in large wordlists, so still combine it with the other techniques:
e.g. “The plaintiff’s case failed because of caveat emptor” could be used to create the password “T%Cfb0c4vE4t“.
At 12 characters it is on the short side, but because it no longer reads as dictionary words it is much harder to guess than a phrase of common words of the same length.
4. Use a keyboard pattern
Have you ever used one of those smartphone login patterns where you drag a line around a grid of dots?
You can apply this to your keyboard. Draw some form of pattern that you can recognize and replicate, and then use the letters, numbers, and symbols that form part of that pattern to create a password.
A pattern like that could be used to create the password “6^54$RfvBngT“. Be aware that keyboard walks are a well-known pattern: cracking tools generate them automatically, so use this only as one part of a longer password, not as the whole thing.
5. Use important dates
If there are a few dates that are personally important to you that are not your birthday, you can use these in part to create a secure password. You need a date that is only really known by you and a small number of people, as this makes it a lot more secure. For extra points, use a date that only you know.
When was your first day of school? When was your first trip to the hospital? What date did you get your first job?
Take two or three dates that you can easily remember, put them in MMDDYY (or DDMMYY) format and then mix things up a bit by replacing certain numbers with letters, adding in symbols, and end with a special character.
“110398310711280217” could become “!1O398_E107l1_2&0217=“.
That is far harder to guess than the raw dates, but it is less random than it looks: there are only a few tens of thousands of plausible dates, and the letter swaps and added symbols are standard cracking rules. Treat this as a memorable base to build on, not as a substitute for a long generated password.
How to Manage Your Passwords Effectively
You have a lot of options here—
- You could sit for hours and memorize each one until it’s stuck in your brain,
- You could write them all down in a notebook,
- You could use the same one for every website (NOT recommended), or
- You could use a password manager.
Until you start using a good password manager, chances are that despite your best intentions, you will slip back into bad password habits.
A good password manager generates a strong, random password for each service and stores it in a vault encrypted with a key derived from your master password. That makes the master password (and the device you unlock the vault on) the thing to protect: without them the vault is just ciphertext, so choose a long master passphrase you use nowhere else and turn on two-factor authentication for the manager account itself.
By using one, you no longer need to remember individual passwords, which removes the temptation to reuse a password across sites, to pick something memorable and therefore guessable, or to pick something so awkward that you forget it.
There are many password managers out there and by using one, all you need to remember is a single master password. Here are a few of your options—
1. LastPass
Available on Windows, Mac, iOS, Android, Linux, and Chrome, LastPass is free for a basic account. You can upgrade to a full suite of premium features if you want them, but this is not necessary.
When you have set up your master account and password, LastPass lets you import your saved login details from a range of browsers. You can manually add them, too.
2. 1Password
A competitor of LastPass, 1Password is available on Windows, Mac, iOS, and Android.
1Password has a strong password generator that lets you create secure passwords for any site, service, or app. They also send notifications out when there’s an ongoing data breach on services you use.
It’s not just limited to passwords, either—1Password lets you securely save anything from credit card details to sensitive notes.
3. Google Chrome
If you have a Google account and you use Chrome, you can take advantage of their Suggested Password feature. It automatically suggests a strong password when you are registering on a website for the first time and saves it for you.
Note: We recommend not using this unless you have a strong password for your Google Account already and are using two-factor authentication.
Take Your Security to the Next Level
Even with the world’s strongest password, there is always the risk of being compromised. Attacks on websites’ servers, malware that logs your keystrokes, phishing pages that simply ask for your password, and other emerging dangers compromise millions of passwords per year.
A password should not be the only layer of protection you have on your accounts, especially one that is vitally important to you. Once somebody has your password, it can be game over.
Two-Factor Authentication (2FA)
We recommend always using two-factor authentication wherever you can.
Most sites now offer it to some degree.
Two-factor authentication works by asking you to verify your identity when you sign in using your password. There are lots of ways it can do this, such as—
- Calling or texting your pre-set phone number with a one-time code
- Asking you to authenticate with challenge codes
- Using an app such as Google Authenticator
It is a valuable extra layer of security, but not an unbreakable one. An attacker who has only your password is stopped cold. One who tricks you into typing the one-time code into a look-alike site and relays it to the real one within its short lifetime, or who takes over your phone number (SIM swapping) to receive SMS codes, can still get in. Prefer an authenticator app or a hardware security key over SMS where the site offers them; security keys (FIDO2/WebAuthn) are the only common option that cannot be phished this way, because they sign a challenge bound to the real site’s domain.
In addition to having a strong password alongside 2FA, you can go one step further by using a VPN, particularly if you regularly use insecure or public networks.
A VPN encrypts the traffic between your device and the VPN provider’s server. On a public network that stops someone nearby from reading or tampering with your traffic and hides from that network which sites you visit. It does not protect you from a phishing site, from malware on your own device, or from a breach at the service itself, and it moves the trust to the VPN provider, which can see your traffic instead. Since most sites already use HTTPS, the practical gain on hostile networks is mainly for DNS lookups and any traffic that is not already encrypted.
We recommend learning more about VPNs by reading this guide on the best VPNs of 2019 to make an informed decision.