How to Create a Strong Password

How to create a strong password

To protect yourself and your company, consider the following password-creation best practices. 

1. Be unique, and avoid recycling passwords.

It’s easy and convenient to use the same password for several accounts. However, according to Dodi Glenn, CEO of cybersecurity consulting company Power to Excel, the convenience of reusing passwords can result in exponentially more damage if an account is compromised, leaving you vulnerable to fraud. “Never reuse the same password for multiple accounts,” Glenn warned. “It’s a bad habit to get into.”

Using one password across various accounts gives cybercriminals the keys to your personally identifiable information. “For example, if malware records only Gmail account information but the same password is used across a variety of sensitive sites, such as an online banking or retail site, cybercriminals can easily hack into all accounts and obtain personally identifiable information for nefarious purposes,” Glenn explained.

To keep track of passwords, users should store them in a secure place, like in password managers such as PasswordBox, LastPass and RoboForm, said Eduard Goodman, international privacy lead counsel for TransUnion. 

2. Be creative, and use unusual, nonsensical combinations in passwords.

While using the names of loved ones, pets, favorite sports teams and other personal details may help you remember passwords, this practice makes it easier for hackers to access your accounts.

“We may think we are clever, but with the billions of password users on the planet, the likelihood is, someone has come up with the combination before,” said Tom Smith, former vice president of market strategy for data protection products at digital security provider Gemalto (now Thales). 

Due to the frequency of security breaches, millions of passwords are available in databases for criminals to leverage in cyberattacks, Smith warned.

“This type of attack is referred to as a ‘dictionary attack,’ or an attack where a password is searched systematically against all other passwords in a ‘dictionary’ or a specified list of existing passwords,” Smith said. Because these passwords are derived from past breaches, using them increases the likelihood of a seemingly “unique” password being compromised once again.

Goodman advised users to “shake things up a bit.” For example, here are a couple of tips for developing more creative passwords:

• Combine uppercase and lowercase letters, numbers and symbols. For instance, users could turn the simple password “happy777” into a stronger one, such as “H@pea!931.” 
• Take a song lyric, line or saying and shorten it into an acronym. For example, turn “‘Twas the night before Christmas and all through the house” into “TtnbCaatth.”

3. Create longer passwords for additional security. 

Most services require a password of at least eight characters. In reality, users will need more characters for a truly secure password.

“The longer the password, the harder it is and longer it takes cybercriminals to crack the password,” Smith said. 

The eight-character password standard is now a thing of the past. “As with all things in the realm of technology, password-cracking programs have become faster, and some boast the ability to make 350 billion guesses per second, which means they can crack an eight-character password in seconds,” Smith said. “For users to protect themselves, experts now recommend passwords containing at least 13 to 20 characters.”

4. Use two-factor authentication in addition to strong passwords.

If a website offers two-factor authentication, take advantage of this added layer of protection against cyberattacks and payment fraud. Multifactor authentication makes it much more challenging for cybercriminals to access an account. 

“Many sites are now offering two-factor authentication or a login that requires both a password and another form of identification, such as a code from a mobile device,” Glenn said. 

These are some other types of secondary identification:

• Dedicated authenticator apps, like Google Authenticator
• Security questions (to which only the user knows the answers) 
• A unique personal identification number (PIN)
• Biometrics 
• A physical token attached to a device

“With two-factor authentication, even if an attacker steals users’ login passwords, they won’t be able to access their accounts without the second form of identification,” Glenn said. “Take advantage of this security feature when available.”

5. Be unpredictable, and change your passwords regularly.

Many websites and accounts recommend that users change their passwords regularly. Both Glenn and Goodman recommended changing passwords at least every few months or quarterly, respectively. 

However, experts no longer universally advise frequent password changes unless you’ve been breached. To find out if your information is out there, check out Have I Been Pwned?, where you can search your email address, username or password to see if your information has turned up in any reported breaches. 

Classic password mistakes to avoid 

While it’s crucial to create strong passwords, it’s also essential to understand classic password mistakes to avoid. Any of the following mistakes may help an attacker compromise your account. 

1. Never use personal information in a password.

Birthdays, names of spouses or children, and favorite movies or sports teams are easy to remember, but they’re also easy for a dedicated attacker to guess or learn. Using personal information in passwords is even more of a concern for avid social media posters, as much of their personal information is readily available online. 

While it may seem like a lot of effort on the part of a cybercriminal, attackers can quickly create a list of possible passwords and then let software run through the combinations. 

2. Don’t take password complexity to an extreme.

While a password should be unique and impossible for an attacker to guess, users should not take password complexity to an extreme. Unmemorable passwords lead to a different set of security risks, such as the following: 

• Users must write down the complex password, allowing others to see or steal it. 
• Overly complex passwords could create so much frustration that a user changes it to something too easy. 

However, if you use a password manager, your password can be as complex as you want. These programs securely store passwords behind one strong master password, so the stored passwords can be as complex and nonsensical as the user wants. 

3. Never use a default password.

Some products come with a default password, including many internet of things (IoT) devices and equipment such as routers and modems. Default passwords should always be considered compromised and temporary. Because these passwords are default, they are common knowledge and anyone can learn the password with a quick online search. 

4. Avoid the most common passwords.

Password management solution provider NordPass ranked the top 200 most common passwords in 2022 and found that the most frequently used password in the United States is “guest.” NordPass says this password would take attackers only 10 seconds to crack. Additionally, thousands of people still use similarly simple passwords — such as “123456,” “123456789” or “password” — which can be cracked even more quickly.

But remember that even if you’re not using one of the most common passwords, you should still follow password best practices to make your passwords as strong as possible. 

Commit to using strong passwords

Creating, using, remembering and routinely updating passwords while ensuring they’re unique can feel overwhelming. But as data breaches and cyberattacks continue to rise, it’s more imperative than ever to use strong passwords. These password-creation tips can help you create uncrackable passwords that protect your private and business accounts. 

And if it ends up being too much of a hassle to remember and create strong passwords, password managers can alleviate some of the strain.  

Sara Angeles contributed to the reporting and writing in this article. Some source interviews were conducted for a previous version of this article.