Ensure your passwords have at least 12 characters, avoid the most common passwords, never reuse passwords and change your passwords regularly. You can remember your passwords easily by using a password manager like NordPass or 1Password.
Password security is both simpler and more complicated than you might think. You’d be amazed at how much of an impact something so fundamental could have on digital security…and how hard it is to get large groups of humans to do something extremely simple, like setting a strong password.
Quick: what’s an online security nerd’s favorite movie? You’d think it would be Hackers, Wargames or maybe The Matrix, but you’d be wrong: It’s Spaceballs. Why? Because of the immortal quote: “12345? That’s the kind of combination some idiot would have on his luggage!”
Most hacking doesn’t involve quantum decryption or timed man-in-the-middle attacks. It targets weak, easily guessed passwords. Criminals prefer a sure thing. Why break into a building through the heavily guarded, booby-trapped basement when the front door is unlocked?
In this article, I’ll teach you how to lock and bar your digital front door. We’ll use straightforward tips to create strong passwords that you can remember as easily as song lyrics get stuck in your head.
Why is password security important?
The majority of hacks and security breaches come from poorly secured online accounts. If your passwords are weak, hackers can steal your data without a single line of code.
What are the safest types of passwords?
Longer passwords are safer. The safest passwords are over 12 characters long, with a few special characters mixed in to resist dictionary attacks.
How do I secure my password?
Remove obvious substitutions like E=3 and A=4. Remove pop culture references and anything that can be connected to you. Finally, make sure it’s at least 12 characters long.
Password Security Basics
According to a 2021 report by Verizon, 61% of data breaches can be traced back to stolen passwords. That makes password security far and away the most important issue in personal cybersecurity, especially as VPNs and anti-malware technology make other attack vectors less feasible.
Hackers do have other interests — for example, creating zombie computers for DDoS attacks or finding unprotected backdoors into systems. But the vast majority of cybercriminals are in one business alone: finding out your usernames and passwords and using them to do evil stuff.
How Hackers Crack Passwords
The easiest way to guess someone’s password is to not guess it at all. Instead, the hacker has you tell them.
They’ve got a few ways to do this:
- Social engineering: The hacker pretends to be someone with a legitimate need for your password, like an IT helpdesk agent or a security inspector.
- Phishing: The hacker sends an email or text message that either convinces you to give up your passwords or gets you to download malware that steals them.
- Fake websites: The hacker sets up a legit-looking website, perhaps even with a fake security certificate, which steals your credentials or sneaks keystroke-logging malware onto your system.
The above methods can’t be foiled with a strong password. They must be defeated with common sense and computer literacy. But the criminal has a few other tricks up their sleeve.
Hackers can use several methods to guess your password with zero starting information:
- Try the most-used passwords: The first step is to see if you’re using any of the most widely chosen words or phrases. See “The Most Common Passwords” below for a list of extremely popular passwords you should never, ever use.
- Try a dictionary attack: Most weak passwords are either single words or strings of numbers that are easy to narrow down. This attack runs through every phrase or string on a candidate list that the password might be. For example, there are fewer than 40,000 plausible birthdays to guess, and hackers have programs that run through that many options in a snap.
- Try a brute force attack: If all else fails, the hacker can just try every password as fast as possible. Some programs can try up to 7,100 passwords per second, guessing a six-character password in under four days. If the password unlocks a database full of other passwords, it only takes one.
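To make the three guessing strategies above concrete, here is an added example (not code from the original article) that turns the article's quoted rate of 7,100 guesses per second into worst-case times. The alphabet sizes and the 40,000-birthday figure are taken from the text; the choice of a 36-character alphabet (lowercase plus digits) for the six-character case is my assumption, and it reproduces the "under four days" figure the article gives.

```python
GUESSES_PER_SECOND = 7_100  # guess rate quoted in the article

# Alphabet sizes for the character classes a password can draw from.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,       # assumed for the article's six-character case
    "mixed case+digits": 62,
    "printable ASCII": 95,
}


def guesses_needed(alphabet_size: int, length: int) -> int:
    """Size of the keyspace a brute-force attack must exhaust in the worst case."""
    return alphabet_size ** length


def seconds_to_exhaust(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    return guesses / rate


def dictionary_seconds(candidate_count: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a dictionary attack over a fixed candidate list."""
    return candidate_count / rate


def brute_force_days(alphabet_size: int, length: int) -> float:
    return seconds_to_exhaust(guesses_needed(alphabet_size, length)) / 86_400


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [("seconds", 1), ("minutes", 60), ("hours", 3_600),
             ("days", 86_400), ("years", 365.25 * 86_400)]
    name, size = units[0]
    for unit_name, unit_size in units:
        if seconds >= unit_size:
            name, size = unit_name, unit_size
    value = seconds / size
    if value >= 1e6:
        return f"{value:.2e} {name}"
    return f"{value:.1f} {name}"


def worst_case_table(lengths=(6, 8, 12, 16)) -> list:
    """One row per (alphabet, length): how long exhausting that keyspace takes."""
    rows = []
    for alphabet, size in ALPHABETS.items():
        for length in lengths:
            secs = seconds_to_exhaust(guesses_needed(size, length))
            rows.append((alphabet, length, human_time(secs)))
    return rows


if __name__ == "__main__":
    print(f"40,000 birthdays as a dictionary: {human_time(dictionary_seconds(40_000))}")
    for alphabet, length, duration in worst_case_table():
        print(f"{alphabet:>18} x {length:2d} chars: {duration}")
```

Two things the table makes visible that the prose only asserts: a list of every birthday is exhausted in seconds, so a birthday is not a password at all, and each added character multiplies the brute-force time by the alphabet size, which is why length beats cleverness.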
But there’s an even easier method that every hacker goes for if they’ve got the chance. This approach might let them get your password right on the first try without ever interacting with you. I’m speaking, of course, about password reuse.
The Dangers of Reusing Passwords
A Google survey from 2019 found that 65% of people use the same password for at least two accounts, and 13% use the exact same password for every account.
“Big deal,” they might say. “As long as the password is secure, what does it matter if I only use one?”
It matters because you’re not the only person responsible for keeping your passwords safe. Every time you use a username-password combo to create an account, the app or website stores your credentials in a central database so you can log in again. That database is protected by its own password, which could be “admin123.”
If that database gets hacked, everyone’s usernames and passwords could go up for sale on the dark web. And if you use the same password for your Venmo account and your model ship enthusiasts forum, all your money could be doomed.
That’s what makes it so critical that you don’t just create one strong password but also create different passwords for every account you open. In particular, if any account contains sensitive information (personal data, financial access, health information), be extra careful to use entirely unique passwords each time.
The Most Common Passwords
NordPass, the password manager from NordVPN, puts out a list of the most popular passwords every year. Its 2021 list is an eye-opener; 12345, the password Mel Brooks was making jokes about 35 years ago, is still “protecting” 33 million accounts. And it’s not even in first place.
According to NordPass, the top 20 most-used passwords in 2021 were:
The phrase “password123” was chosen to protect 4.68 million accounts, while the leader, 123456, was used on over 103 million. It’s enough to make me want to get out of this job and into hacking.
I can’t stress this enough: Read the whole list of 200 and do not use any of them or anything that looks like them. Even the “strongest” passwords on the list (“myspace1,” “1g2w3e4r,” “qwerty123” and “michelle”) can all be cracked in under three hours.
8 Password Security Tips
We’ve talked a lot about mistakes, so let’s get on the right path. Here are the top tips for creating passwords and maintaining password security.
1. Aim For a Password Length of 12 Characters
If a hacker hasn’t gotten your password another way, such as through phishing, they’ll try to guess it with a brute-force or dictionary attack.
As XKCD famously explained, longer words are harder to guess. Wordle was a hit with five characters, but I can’t see it catching on with 12.
But aren’t passwords with 12 or more letters harder to remember? Not necessarily. A lot of the stuff we used to think was true about password security isn’t that important at all. Replacing letters with numbers, adding punctuation, mixing capitals and lowercase — it all helps, but it’s not sufficient if your password isn’t long enough.
Computer programs don’t guess words the same way humans do. Humans guess based on context clues and instinctive behavioral knowledge. Computers don’t have those things, but they can use trial and error faster than a human. The way to foil them isn’t through tricky substitutions. It’s by giving them more to guess.
The upshot is that the best passwords are sequences of four random words. Generate the words, think up a mnemonic to remember them, and ta-da: You’ve got a password a computer would take centuries to crack. Here, I’ll go first. The four words I got were soldier, award, straight and midnight.
That’s perfect! “Straight Midnight” sounds like a Jack Reacher novel. The mnemonic writes itself.
Even better, soldierawardstraightmidnight has 28 characters. At the maximum of 7,100 guesses per second, it’ll take about 10 hectillion years to try them all.
2. Add Special Characters
There’s one problem with the “four random words” approach: It only protects you against a brute force attack. A dictionary attack, guessing only English words, can guess that sort of password a lot sooner.
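The two paragraphs above make a pair of claims: four random words give a very long password, and a dictionary attack that knows the password is made of words can still get there far sooner than letter-by-letter brute force. This added example (not from the original article) shows both with the article's own words and its 7,100 guesses per second. The 16-word list is a constructed stand-in so the block runs offline; the 7,776-word size passed to the entropy and timing functions is the size of a standard Diceware list, which is my assumption about what a real generator would use.

```python
import math
import secrets

GUESSES_PER_SECOND = 7_100          # rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 86_400

# Constructed miniature wordlist so the block runs offline. A real
# Diceware-style list has 7,776 words; pass that size to the functions
# below so the entropy and timing numbers reflect the real list.
SAMPLE_WORDS = [
    "soldier", "award", "straight", "midnight", "harbor", "velvet",
    "cactus", "lantern", "pebble", "orbit", "maple", "quartz",
    "tundra", "ember", "saddle", "willow",
]


def generate_passphrase(count: int = 4, wordlist=SAMPLE_WORDS) -> list:
    """Pick words with the OS CSPRNG; random.choice is not suitable for secrets."""
    return [secrets.choice(wordlist) for _ in range(count)]


def passphrase_entropy_bits(wordlist_size: int, count: int) -> float:
    """Entropy of `count` words drawn uniformly from a list of `wordlist_size`."""
    return count * math.log2(wordlist_size)


def years_to_exhaust(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    return guesses / rate / SECONDS_PER_YEAR


def compare_attacks(words: list, wordlist_size: int) -> dict:
    """Worst-case time for two attacker models against the joined passphrase:
    brute force over lowercase letters, and a dictionary attack that knows
    the password is len(words) words drawn from a list of wordlist_size."""
    joined = "".join(words)
    brute_force = 26 ** len(joined)
    dictionary = wordlist_size ** len(words)
    return {
        "password": joined,
        "length": len(joined),
        "brute_force_years": years_to_exhaust(brute_force),
        "dictionary_years": years_to_exhaust(dictionary),
    }


if __name__ == "__main__":
    words = generate_passphrase()
    print("generated:", " ".join(words))
    print(f"entropy with a 7,776-word list: {passphrase_entropy_bits(7776, 4):.1f} bits")
    # The article's own example, attacked both ways
    result = compare_attacks(["soldier", "award", "straight", "midnight"], 7776)
    print(f"{result['password']} ({result['length']} chars)")
    print(f"  brute force over letters: {result['brute_force_years']:.2e} years")
    print(f"  dictionary of 4 words:    {result['dictionary_years']:.0f} years")
```

Running it shows the gap between the two attacker models is many orders of magnitude: the 28-letter string is out of reach for letter-by-letter guessing, while an attacker who assumes four dictionary words faces only 7,776 to the fourth power candidates. That gap is exactly why the next tip adds randomness the dictionary does not contain.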
To prevent that, introduce points of randomness. Add numbers, punctuation marks and uppercase letters in places you can remember. A computer might guess that the word “midnight” is in my password. But if I change it to “midni7ght,” a dictionary list of words won’t prepare it to guess that “7.”
Caution: Do NOT add the special characters in the ways everybody knows by now. Avoid swapping “e” for “3,” “a” for “4,” starting with a capital, ending with an exclamation point, etc. Password-guessing programs apply this kind of leetspeak substitution automatically.
Instead, place the special characters throughout the words in unusual ways. Make choices that are memorable to you but unpredictable to computers.
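A password policy check should undo the same familiar substitutions the article says guessing tools undo, so that "P4ssw0rd!" is rejected while a word-internal change like "midni7ght" is not. This added example (not code from the original article) does that with a constructed nine-entry common-word set standing in for a real list such as the NordPass top 200; the substitution table is my assumption about which leetspeak mappings are widely known, and the variant cap is a safety limit I chose.

```python
import itertools
import re

# Constructed, deliberately tiny stand-in for a real list such as the
# NordPass top 200 or a dictionary; a real check loads a full list from a file.
COMMON_WORDS = {
    "123456", "password", "qwerty", "iloveyou", "michelle", "sunshine",
    "midnight", "winteriscoming", "thisistheway",
}

# The well-known substitutions the article warns against (assumed set).
# Guessing tools undo these automatically, so a policy check must too.
LEET_MAP = {
    "4": "a", "@": "a", "3": "e", "1": "il", "!": "il", "0": "o",
    "$": "s", "5": "s", "7": "t",
}
MAX_VARIANTS = 1024   # cap on spellings tried per password


def undo_leet(core: str) -> set:
    """All spellings obtained by mapping each leet character back to letters."""
    choices = []
    for ch in core:
        letters = LEET_MAP.get(ch, "")
        choices.append((ch,) + tuple(letters))
    product = itertools.product(*choices)
    return {"".join(p) for p in itertools.islice(product, MAX_VARIANTS)}


def candidate_forms(password: str) -> set:
    """The password as typed, with predictable decorations stripped, and with leet undone."""
    lowered = password.lower()
    # Strip leading punctuation and trailing digits/symbols ("!!Secret", "Password1!")
    core = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", lowered)
    return {lowered, core} | undo_leet(core)


def is_predictable(password: str) -> bool:
    """True when the password is a common word dressed up with known tricks."""
    return any(form in COMMON_WORDS for form in candidate_forms(password))


if __name__ == "__main__":
    for pw in ["P4ssw0rd!", "Midnight1", "W1nterIsComing!", "Th1s!sTheW@y", "midni7ght"]:
        verdict = "rejected" if is_predictable(pw) else "not a known word with known tricks"
        print(f"{pw:>16}: {verdict}")
```

Note what the last line of the demo does and does not say: "midni7ght" passes this check only because the "7" sits where no substitution table expects it, which is the article's point, not because the word itself is obscure. A real policy still enforces length and checks the breach corpus on top of this.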
3. Avoid Common Phrases
I’m willing to bet money that after Game of Thrones got big, at least one hacker cleaned up by getting a list of email addresses and trying them on PayPal with the password “winteriscoming.”
Avoid using well-known expressions, pop culture phrases, popular memes or anything else that will make your passwords easier to narrow down. These are extra dangerous if they’re associated with you in any way. If I’m a hacker and my mark owns a Mandalorian helmet, you better believe I’m trying “thisistheway” on all their bank accounts.
4. Choose Different Passwords for Every Account
I covered the risks of reusing passwords above, but it’s worth reiterating here. If you use identical passwords for multiple accounts, compromising one compromises them all. All those accounts are now only as secure as the weakest among them. If you’re worried about memorizing all those passwords, see the next tip.
5. Use a Password Manager
You may be uncertain whether you’ll be able to remember all the sufficiently tough passwords you need, even with the help of mnemonics. Fortunately, there are apps for that.
Password managers, or password vaults, are programs that generate passwords and remember them for you. Most managers include browser extensions that fill in the passwords for you wherever you need them. Examples include 1Password, LastPass, Keeper, Zoho and Dashlane.
There’s a small catch: The password vault can’t be responsible for the master password you use to open it. That password needs to be extremely strong and either memorized or stored somewhere other than the manager. The good news is that it’s now the only one you need to remember.
If you use a password manager (and I recommend it), make sure to log out when you’re done online. Otherwise, it might autofill your passwords for interlopers, from curious children to laptop thieves.
6. Don’t Use Single Sign-On
These days, it feels like you have to create an account just to turn on your blender. With all the usernames and passwords people demand, those “sign in with Google/Facebook/Apple ID” options can look like water in the desert.
But it’s a mirage. By using single sign-on, you’re consolidating your logins in a way you have much less control over. It’s like you’re using a password vault, but the vault is Google. Better to consolidate in a password manager that’s much less likely to suffer a data breach.
7. Don’t Share Your Passwords
Once you’ve got your passwords where you want them, keep them safe. No matter how much you may trust somebody, only tell them your passwords when it’s necessary. If your new boyfriend complains about it, chances are good that he’s three stacked-up cybercriminals wearing a trench coat.
Even then, only give them up to loved ones. If an email, phone call or text message asks you for any of your passwords, do not reply.
8. Change Your Passwords Regularly
The Fat Lady from the Harry Potter books is a mixed bag when it comes to cybersecurity. Sure, her passwords are often single, easily guessed words, but she updates them at least once a month.
You don’t have to change all your passwords that often (though a password vault makes it easier), but I recommend updating your most sensitive financial and health accounts every 30 to 60 days. The others can stay the same unless that account has been compromised in a data breach.
How to Create a Secure Password
Here’s a quick cheat sheet on how to create strong passwords:
- Generate four random words. Use a random word generator (this one works) and make sure the results are at least 12 characters combined. As long as you can remember it, feel free to go as high as the box allows.
- Add special characters. Add numbers, capital letters and punctuation marks in a few places (some sites still require this). Put them in the middle of the words. Avoid using familiar substitutions like I=1, E=3, A=4, etc.
- Come up with a mnemonic (or save it in your password vault). Think of an easy way to relate the four words together. The first idea you have is the best one. If you don’t want to think up different devices for each password, you can save all but one via password manager software.
- Never use it anywhere else. Each password opens one account — that’s it. Any more than that is a risk.
- Change any password that becomes compromised. Follow the news to learn about any data breaches. Haveibeenpwned.com is a great resource, but you can also get breach alerts as a feature on some password managers. If a breach occurs at a website where you have an account, assume that password is no longer safe and pick a new one.
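The last step above points at Haveibeenpwned.com. Its Pwned Passwords service exposes a range API that lets you check a password against the breach corpus without ever sending the password itself: you hash it with SHA-1, send only the first five hex characters, and receive every hash suffix in that range with a count, then match the rest locally. This added example (not code from the original article or from the service) implements that lookup. The endpoint and response format are the service's documented ones; the sample response body embedded below is constructed so the block runs offline, with the real SHA-1 suffix of the string "password" and made-up counts, and the User-Agent string is a placeholder.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"   # documented range endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank or malformed lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            table[suffix.strip().upper()] = int(count)
        except ValueError:
            continue
    return table


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one hash range; only the 5-char prefix leaves the machine."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-check-example"},   # placeholder agent string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for a range response so the block runs offline.
# The middle suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE_BODY = "\r\n".join([
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000",
    "1E8B6E6D3F9D1B4E6B0A7C9D2E5F1A3B4C5:1",
])


def fetch_range_sample(prefix: str) -> str:
    """Offline replacement for fetch_range_live used by the demo and tests."""
    return SAMPLE_RANGE_BODY


if __name__ == "__main__":
    for pw in ["password", "soldieraward-straightmidnight"]:
        n = breach_count(pw, fetch_range_sample)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in sample corpus'}")
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; the privacy property holds either way, because the only value transmitted is the five-character prefix shared by hundreds of unrelated hashes. A non-zero count is the signal the cheat sheet asks for: treat that password as burned and pick a new one.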
Password security isn’t sexy. Bruce Willis is never going to make a movie where he defeats the cyberterrorists by updating all his login credentials. And unlike VPNs, there aren’t many opportunities for cute animal mascots.
But creating secure passwords is the single highest-leverage thing we can all do to create a more secure internet. So many high-profile hacks of the past decade trace back to weak passwords. Put just a little more thought into yours, and your online security is assured.
Thanks for reading! Stick around for the comments. I’d love to hear your tips for creating complex passwords or times you saved your business by noticing that the password on the corporate bank account was “qwerty.”