Password Creation Bible: How to Make One That’s Unbreakable

how to make a good password

Creating and remembering secure passwords is an issue faced by most, if not all, of us. We are constantly told about the need to have a strong and unique password for every single website, service, and app we use, and doing this is easier said than done.

With hundreds of millions of individual user accounts falling victim to hackers and hijackers each year, though—partly because of the widespread use of simple, insecure, or recycled passwords—having a secure password has never been more important.

Additionally, companies are increasingly falling victim to data breaches which can expose the passwords of millions of users.

This might not be a big issue if you’re someone who uses a secure password along with a password manager. However, if you use the same (weak) password everywhere, one data breach can be a massive problem because all your accounts that use the same password will become vulnerable.

Unfortunately, you don’t always know if your information has been leaked until it’s too late. That means the best time to fix this password problem is now.

Best Practices for a Strong Password

Fortunately, the “traditional” best practices for making a secure password have remained the same for several years and likely will remain so forever… unless of course passwords are replaced by something else!

According to cybersecurity professionals, a strong password should follow these best practices—

  • Do not use a single word or combinations of words. If a word can be found in a dictionary, it is best you leave it there. These are far easier to guess, especially if somebody who knows you or has analyzed your public data online is trying to do it!
  • Instead, opt for using a password that is a nonsensical string of letters (both capital and lower-case), numbers, and symbols if the website or service allows them. This makes the password difficult to guess.
  • Try to make your password a decent length, i.e. around 12-16 characters. These will be harder to crack, even by a machine.

Sound too complicated?

Don’t worry, it’s now easier than ever to create and store unique passwords that are strong and complex. You don’t even need to remember them.

But first, let’s find out why these kinds of passwords are considered strong.

How to Tell if a Password is Strong

The key to any strong password is its entropy. In tech terms, this refers to how unpredictable it is.

It is measured by how long it would take a potential hacker to break it by guessing each character in turn. This is why longer passwords are by their very nature more secure–the hacker would need to guess more characters.

Of course, just because a password is long doesn’t mean it’s safe. We’ll demonstrate why that is.

Let’s begin with the password redorangeapple. It’s 14 characters long—great start!

We can make the password a bit more “complex” by swapping out some of the letters for numbers—

  • r3d0r4ngeapp1e

Let’s add in some capital letters—

  • R3d0ranGeapp1e

Then some symbols—

  • R3d0r&nG%app1e

All that work to make your password look complicated… but does it pay off?

Image courtesy of XKCD

The character count remains at 14, meaning, if a hacker were to run a brute force tool, it would take just as long to crack either way.

Editor’s Note: As one reader mentioned to us, “No password attack tool uses semantic algorithms to generate sequences of related words. These are automated tools, not people typing in best guesses. And if someone who knows you can guess your password because it’s three fruits, you have bigger problems.”

While adding special characters doesn’t make the password any more secure from brute force attacks, there still are major benefits of creating a password like the one above.

For example, if someone were to watch you type your password in, it’d be nearly impossible for them to track your finger movements and memorize the password. Adding special characters help secure your password in public areas.

When you’ve spent time making your own password from words, phrases, or information that relates to you and have made sure to make it secure, it becomes much easier to remember.

You can also try the method of using a really long sentence like:

MynameisAdamandIamagreatlawyer

Now you have a password that’s highly unpredictable, but incredibly easy for you to remember than something more random.

Creative Tips for Making a Strong Password

Still stuck? Here are a few tips you can draw inspiration from to create an effective and secure password.

1. Move your fingers’ typing position

  1. Start with your fingers inside of Q, A, and Z on the left and P, L, and M on the right.
  2. Type out a word, phrase, or combination of them and then replace each letter of this with the key to the left or right.
    e.g. adamhopkins would become sfs,jp/lomd (using only keys to the right of the original letters)
  3. Remember these words, the phrase, or the combination and you’ll remember the password.
  4. For extra security, reverse the letters in the password, replace some letters with numbers and add in a symbol or two.
    e.g. sfs,jp/lomd could become $f$,jp/l0md

2. Use a passphrase

The passphrase was popularized by Bitcoin wallets. In order to regain access to the wallet, you needed to type in your 12-word mnemonic code.

These 12 words can be:

  • A long phrase you make up, such as “Samuel loves the golden brown bird because she made him rich.”
  • A string of 12 random words, like Door Screen Keyboard Sky White Panel Light Duck Tissue Mirror Desk Carpet.

With this method, it’s OK to use common words and terms. Why not pick 12 different words from different pages of a book? So long as the phrase somewhat makes sense, this method will work.

This is strong enough alone, but throw in symbols and numbers and you make it even stronger.

One thing you don’t want to do is use a commonly known phrase such as a quote from the Bible, song lyrics, or other sentences people can guess.

3. Put your job lingo to good use

If you work within a professional industry, there is probably a lot of irritating corporate lingo that’s thrown around the office, in meetings, and in emails. As irritating as it may be, this is perfect password material, especially if you work within a niche industry.

Industry-specific language and lingo are a lot harder for people and computer programs to guess because it is unexpected:

e.g. “The plaintiff’s case failed because of caveat emptor“.

What? Exactly.

4. Use a keyboard pattern

Have you ever used one of those smartphone login patterns where you drag a line around a grid of dots?

You can apply this to your keyboard. Draw some form of pattern that you can recognize and replicate, and then use the letters, numbers, and symbols that form part of that pattern to create a password.

For example—

This pattern could be used to create the password “6^54$RfvBngT“.

5. Use important dates

If there are a few dates that are personally important to you that are not your birthday, you can use these in part to create a secure password. You need a date that is only really known by you and a small number of people, as this makes it a lot more secure. For extra points, use a date that only you know.

When was your first day of school? When was your first trip to the hospital? What date did you get your first job?

Take two or three dates that you can easily remember, put them in MMDDYY (or DDMMYY) format and then mix things up a bit with words.

For example—

Perhaps you received an autograph from your favorite musician on October 27th, 2010. This turns into “10272010”.

Let’s use this in combination with our very first example and we have “redorangeapple10272010” which comes out to 22 characters in total. This would take over a millennium to crack through traditional brute force methods.

How to Manage Your Passwords Effectively

You have a lot of options here—

  • You could sit for hours and memorize each one until it’s stuck in your brain,
  • You could write them all down in a notebook (NOT recommended),
  • You could use the same one for every website (NOT recommended),
  • You could store them in plaintext (NOT recommended),
  • You could use a password manager.

Seriously, you should never ever keep your passwords written down in plaintext in unencrypted formats. Or be prepared to get made fun of:

Until you start using a good password manager, chances are that despite your best intentions, you will slip back into bad password habits.

A good password manager creates a strong password for each service and securely stores it. All your passwords are protected by encryption and there is no way for a hacker to compromise it, provided you have a secure “master password”.

By using one, you eliminate the need to remember passwords and avoid bad habits such as using the same password on multiple sites, creating memorable passwords, and making something that you will forget.

There are many password managers out there and by using one, all you need to remember is a single master password. Here are a few of your options—

1. LastPass

Available on Windows, Mac, iOS, Android, Linux, and Chrome, LastPass is free for a basic account. You can upgrade to a full suite of premium features if you want them, but this is not necessary.

When you have set up your master account and password, LastPass lets you import your saved login details from a range of browsers. You can manually add them, too.

2. 1Password

A competitor of LastPass, 1Password is available on Windows, Mac, iOS, and Android.

1Password has a strong password generator that lets you create secure passwords for any site, service, or app. They also send notifications out when there’s an ongoing data breach on services you use.

It’s not just limited to passwords, either—1Password lets you securely save anything from credit card details to sensitive notes.

3. Google Chrome

If you have a Google account and you use Chrome, you can take advantage of their Suggested Password feature. It automatically suggests a strong password when you are registering on a website for the first time and saves it for you.

Note: We recommend not using this unless you have a strong password for your Google Account already and are using two-factor authentication.

Take Your Security to the Next Level

Even with the world’s strongest password, there is always the risk of being compromised. Attacks on website’s servers, malware that logs your keystrokes, and other emerging dangers compromise millions of passwords per year.

A password should not be the only layer of protection you have on your accounts, especially one that is vitally important to you. Once somebody has your password, it can be game over.

Two-Factor Authentication (2FA)

We recommend always using two-factor authentication wherever you can.

Most sites now offer it to some degree.

Two-factor authentication works by asking you to verify your identity when you sign in using your password. There are lots of ways it can do this, such as—

  • Calling or texting your pre-set phone number with a one-time code
  • Asking you to authenticate with challenge codes
  • Using an app such as Google Authenticator

It is a valuable extra layer of security that cannot be bypassed by a hacker—they would need your phone or authentication device to get through.

Virtual Private Network (VPN)

In addition to having a strong password alongside 2FA, you can go one step further by using a VPN, particularly if you regularly use insecure or public networks.

This adds on an extra layer of privacy and anonymity when you are using the internet across these networks. Not only does this prevent hackers and man-in-the-middle attacks from compromising your information and accounts, but it also stops governments and ISPs from snooping on your internet usage.

We recommend learning more about VPNs by reading this guide on the best VPNs of 2022 to make an informed decision.

Published by

Jamie Cambell

Ethical Hacker. Ph.D., M.S. in Computer Science at University of California, Berkeley. Technology enthusiast and also a part-time gamer. My goal is liberating the Internet.

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version