What Is a Strong Password?
In short, a strong password minimizes the risk of your account being compromised. While there are other important cybersecurity factors, coming up with stronger passwords is the easiest thing most people can do to make their information safer.
Remember that passwords can be compromised in different ways. For example, even a perfectly secure password could become a vulnerability if it’s used on a website that experiences a data breach. Billions of passwords have already been leaked online.
While there’s no way to eliminate every threat, a strong password reduces several of these risks.
What Makes a Strong Password?
- Longer passwords are safer
- Passwords shouldn’t be easy to guess
- Passwords should avoid common combinations
- You should use a different password for each account
- You shouldn’t change passwords frequently
- Passwords should include special characters
- You should periodically ensure your password hasn’t been compromised
A strong password needs to meet several different conditions. You might think that an account is safe as long as the website accepts it, but you need to go above and beyond if you want to create a truly strong password.
Longer Passwords Are More Secure
Naturally, longer passwords are more secure than shorter passwords. When Apple switched iOS PINs from four digits to six digits, the number of possible combinations went from 10,000 for four digits to 1,000,000 for six digits.
Computer passwords can include lowercase and capital letters as well as some special characters, so random guessing isn’t as practical in this case. Still, adding length to your passwords is always a good thing as long as it can be remembered.
If you use conventional passwords, you should try to make each one at least 12 or 14 characters. However, passphrases like “pillars-breakfast-bonus-flooring” are usually easier to remember, even when they include 30 or more characters. We’ll cover passphrases below.
Passwords Shouldn’t Be Easy to Guess
Length helps against a brute-force attack, but it won’t do as much to stop someone who already knows what your password might be. If your phone passcode is in mm/dd/yy format, then everything on your phone is only as secure as your birthday.
Elements like birthdays, names of children and pets, and the word “password” won’t do much to keep you safe. Your password shouldn’t be anything that someone could guess based on other information about you. You should also stay away from seasonal passwords like “summer 2022” or “winter 2022.” These also appear high on the list of passwords that are easily guessed.
If you already have any passwords like this, you should change them to something more secure as soon as possible.
Passwords Should Avoid Common Combinations
Along with personal information, easy keyboard paths are another problem that can make your passwords simpler to guess. Even though they add numbers, sequences like 123 don’t give you as much security as you think.
The NordPass list of the most common passwords starts with obvious combinations: the top 10 are:
Naturally, numerical sequences are some of the first things hackers test when trying to crack a password.
Passwords like those 10 are likely to be even less secure than passwords with personal information. If your password involves something from your personal life, it’s at least secure from someone who doesn’t know anything about you. A password like 123456 could easily be cracked by anyone who cares enough to try.
Use a Different Password for Each Account
More than 70% of Americans use the same password for at least some of their accounts. A single password might be easier to remember, but it’s much more dangerous to lose.
Even if a password is secure, you don’t want it to be the only thing protecting all of your online accounts. If someone gets your password, there’s a good chance they’ll try it on other websites where you have a profile.
Uniqueness is just as important as strength when it comes to creating passwords. You should never reuse or duplicate passwords, particularly when it comes to bank accounts and social media accounts containing sensitive information.
Keeping track of so many unique passwords can be complicated if you don’t have the right software. Check out our list of the best password managers to keep track of all of your login credentials safely.
The concept behind password managers is that you can create super-strong passwords for each of your online accounts while only having to remember one password: the one that logs you into your password manager.
As long as you use strong password manager credentials plus additional security measures like MFA and your phone’s biometrics, you have an extremely secure way of managing your passwords.
Change Passwords When Necessary
The longer a password is in use, the more likely it is to be cracked or stolen.
You don’t have to worry about constantly changing your passwords, but it’s a good idea to refresh them at least once every 90 days. That’s especially important for bank accounts and other accounts that contain sensitive information.
Even if 90 days haven’t passed, you should still change a password in any of these situations:
- The password is identical or similar to one of your other passwords
- The password is exposed in a data breach
- You shared the password with someone and you don’t want them to use the account anymore
- You used the password on a public Wi-Fi network or a public computer
- You received a notification that someone tried to access your account
If you have 20 different online accounts, and you change the password for each one every three months, you’ll end up using a total of 80 unique passwords every year.
This strategy typically makes it hard to remember passwords and to access accounts smoothly.
Password managers streamline this process by creating strong passwords for you and keeping them synced across all of your devices.
Passwords Should Include Special Characters
Just as length makes a password more difficult for someone to guess, special characters expand the pool of potential passwords. Unless you decide to go with passphrases instead of passwords, it’s a good idea to include some special characters in each of your passwords.
Most platforms accept common special characters like !, @, #, $, %, ^, &, *, (, ), and ?. Try to mix some into your passwords or use a password generator that adds special characters automatically.
Keep in mind that simply adding numbers or special characters to the same base password won’t do much for your security. You shouldn’t use sets of passwords like “password1, password2, password3” — even though each one is technically unique, it would be much better to use different passwords that don’t share any common elements.
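The weak patterns described in the sections above (seasonal passwords, numeric and keyboard sequences, common passwords, and sets like password1/password2) can be checked mechanically. The following is an added example, not part of the original article; the blocklist is a small constructed sample, and the rule names and 12-character minimum are assumptions taken from the article's own advice.

```python
import re

# Constructed blocklist for illustration; a real audit loads a full list.
COMMON = {"password", "123456", "qwerty", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
SEASON_YEAR = re.compile(
    r"(spring|summer|autumn|fall|winter)\W*(19|20)\d{2}", re.I)


def has_run(pw, min_len=4):
    """True if pw contains min_len adjacent keys from one keyboard row,
    forwards or backwards (1234, 4321, qwer, asdf ...)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False


def base_form(pw):
    """Strip trailing digits/symbols so password1 and password2! collide."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def audit(pw, other_passwords=(), min_length=12):
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    base = base_form(pw)
    if len(pw) < min_length:
        findings.append("too short")
    if pw.lower() in COMMON or base in COMMON:
        findings.append("common password")
    if SEASON_YEAR.search(pw):
        findings.append("season and year")
    if has_run(pw):
        findings.append("keyboard or numeric sequence")
    if base and any(base == base_form(o) for o in other_passwords):
        findings.append("shares a base with another password")
    return findings


if __name__ == "__main__":
    print(audit("summer 2022"))
    print(audit("password3", ["password1", "password2"]))
```

An empty result only means none of these rules fired; it does not show that a password is unique or unbreached.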
Periodically Ensure That Your Password Hasn’t Been Compromised
There’s nothing that password strength can do if the password itself has already been compromised. It’s critical to avoid using passwords that have been exposed in data breaches and published on the dark web.
Fortunately, there are several different platforms that you can use to see if a password is still safe. Have I Been Pwned, SpyCloud, Avast, and NordPass are good places to start if you want to audit your new and existing passwords.
How Can You Create Strong Passwords?
- Use a password generator
- Use a passphrase instead of a password
- Use a quote instead of a password
Even if you know the requirements to make a strong password, you might not know the best way to start. Let’s look at some password management strategies that make it easy to create and manage strong passwords.
Use a Password Generator
Password generators are a quick and reliable way to create secure passwords. Some generators give you the option to select parameters, such as length, special characters, and whether you want a password or a passphrase.
Depending on the device and operating system you’re using, you may already have access to a built-in password generator. Alternatively, you can get a password generator with most of the top password managers, including some free password managers.
Some people are apprehensive about using a password manager because they prefer to remember each of their passwords. However, as long as you use a service that syncs information in the cloud, you shouldn’t have any trouble accessing your accounts on different devices.
Use a Passphrase Instead of a Password
Some people recommend switching to passphrases instead of passwords. While a password could have any arrangement of characters, a passphrase is made up of a string of several words. You can also include special characters between the words. For example, a secure passphrase could be something like dresser-fusion-quarter-tallest.
Passphrases can be easier to remember than passwords, and their length makes them much more resistant to brute-force attacks. However, they’re still subject to most of the same risks as passwords, so you don’t need to switch to passphrases if you’re more comfortable with conventional passwords.
If you decide to use passphrases, remember to come up with a different passphrase for each website and avoid phrases that could be guessed easily.
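A minimal generator for both approaches, with the size of the search space expressed in bits, is sketched below. This is an added example, not code from the article or from any password manager; the 16-word list is a constructed stand-in (a real list such as the 7,776-word EFF long list is needed for actual use), and the symbol set is the one listed earlier on this page.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()?"  # special characters listed on this page
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 73 characters
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, SYMBOLS)

# Constructed demo word list; far too small for real passphrases.
WORDS = ["pillars", "breakfast", "bonus", "flooring", "dresser", "fusion",
         "quarter", "tallest", "marble", "window", "copper", "lantern",
         "orbit", "velvet", "harbor", "thistle"]


def generate_password(length=14):
    """Random password from the OS CSPRNG with every character class present.
    Rejection sampling keeps the accepted passwords uniformly distributed."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(words=WORDS, count=4, sep="-"):
    """Pick each word independently so every combination is equally likely."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Bits of search space for `picks` independent choices from a pool.
    Slightly overstates generate_password(), which rejects some strings."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print(generate_password(), round(entropy_bits(len(ALPHABET), 14), 1))
    print(generate_passphrase(), round(entropy_bits(len(WORDS), 4), 1))
    print("4-digit PIN:", round(entropy_bits(10, 4), 1), "bits")
    print("6-digit PIN:", round(entropy_bits(10, 6), 1), "bits")
    print("4 words from 7,776:", round(entropy_bits(7776, 4), 1), "bits")
```

The bit counts apply only to randomly generated secrets; a quote or a phrase a person chose has far less unpredictability than its length suggests.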
Use Phrases or Quotes
If you’re having trouble remembering random passphrases, you can switch to excerpts from books, phrases, or quotes that are more likely to stick in your mind. The advantage of this approach is that quotes are much harder for someone to guess than basic ideas like pet names and birthdays.
Something simple like “quick-brown-fox-jumped-over” should offer a high degree of security without being very difficult to remember. Of course, you need to use a different quote for each unique password, so it still may not be practical to remember your login for every account.
If remembering passphrases or quotes is an issue for you, make sure to use a password manager instead of putting your information at risk. Duplicating a password just to make things easier to remember is never worth the risk to your security.
How Can You Keep Your Passwords Safe?
- Use a password manager
- Use two-factor authentication (2FA)
- Securely share your passwords
- Memorize your passwords
Use a Password Manager
A strong password minimizes the risk that someone guesses that password. However, password strength won’t help you if someone finds out what the password is. You should never write down passwords on a piece of paper or in any digital application that isn’t secure.
The best place to write down passwords is in a reliable password manager. As long as you remember your password for the password manager itself, you always have access to all of your login credentials. Furthermore, password managers are much more secure and convenient than the old strategy of writing down passwords on a piece of paper.
Some password managers allow users to store other pieces of information such as credit card numbers and personal notes along with passwords. You may also be able to access additional features such as file storage and password sharing. Our list of the best password managers has more information.
If you share files and information in your workflow, then that data is only as secure as the weakest link on your team. Password policies are a good way to minimize vulnerability to cybersecurity threats at the organizational level.
A strong password policy could include basic requirements like length, special characters, and uniqueness. For extra security, you could use a reliable organizational virtual private network (VPN) or require employees to use 2FA on their accounts.
Use Two-Factor Authentication (2FA)
2FA is an easy way to add another layer of protection to your online accounts. After setting up 2FA, you need to verify your login attempts even when you enter the correct password.
This process might seem tedious, but it’s worth taking the extra time to minimize the risk of an account breach. Contemporary authentication apps are secured with biometrics like Touch ID and Face ID. Instead of SMS codes, most platforms now use push notifications or number verifications.
Share Your Passwords Securely
It’s a good idea to keep password sharing to a minimum. If you need to share a password with someone else, make sure to use a secure channel. You should never send someone a password through email or short message service (SMS).
Similarly, you shouldn’t enter your password in your Notes app or somewhere else it could be easily accessed. Password managers support secure, controlled sharing, and they minimize the risk that your information is accessed by anyone other than the intended recipient.
One key benefit of password managers is that you can share an account without actually showing the person the password. Instead, the recipient usually uses a custom link that automatically fills in the password without ever displaying it. You can be sure that the password is never sent to anyone else.
The specifics of password sharing vary from one password manager to another. If your password manager doesn’t support sharing passwords with non-users, you can use a free solution like Privnote to exchange login credentials without making them vulnerable.
Memorize Your Passwords
Remembering passwords might have been more practical in the early days of the internet, but it’s almost impossible today. While you can try to remember your passwords if you have a great memory, it won’t make you any safer than you would be with a secure password manager.
The main problem with remembering passwords is that most people can only do it if they use a similar password for each of their accounts. It’s never a good idea to use a simpler password just because it’s easier to remember.
How Do Passwords Get Hacked?
Here are a few ways in which your password could be threatened:
- The platform your password is used on experiences a data breach
- Someone guesses your password based on personal information
- Someone discovers your password through a brute-force attack
- Someone finds out one of your passwords and uses it to guess the others
- Someone gets you to give them your password directly through phishing
- Someone accesses your password on a public device or Wi-Fi network
Creating strong passwords is challenging because there isn’t just one threat to avoid. Passwords can be compromised in many ways, which is why a strong password is needed.
What About Phishing?
Strong, unique passwords are the best way to guard against most of the cybersecurity threats we face in 2023. Still, it doesn’t matter how strong your password is if you willingly send it to someone else.
Phishing (a form of social engineering) is the practice of tricking internet users into giving their passwords or other sensitive information to the wrong people. For example, a hacker might send you an email warning you about a breach at your bank and asking you to change your password. Instead of directing you to the bank’s website, they’ll direct you to a lookalike page and ask you to enter your login credentials.
Recent estimates place the number of unique phishing websites at around 600,000. While email spam filters and other systems prevent many phishing attempts, this has also led hackers to develop more sophisticated strategies.
It’s important to be vigilant about phishing to keep your information safe. These strategies help you recognize and avoid phishing attempts:
- Don’t respond to texts, emails, or other messages asking for login credentials.
- Use antivirus software that offers phishing protection.
- Use 2FA where available. Even if someone takes an account password, they still won’t be able to verify their login attempt.
- Report phishing attempts when you see them. Phishing isn’t going away anytime soon, but this will still make a difference. Google offers a built-in report tool for Gmail users.
Conclusion: How To Make Your Passwords Safe
It’s almost impossible to create and remember strong, unique passwords for each of your online accounts. Fortunately, contemporary password managers make this process easier than ever by generating, storing, and sharing passwords across devices.
If you want to keep your information as secure as possible, you should either use unique passwords with ten or more characters, or unique passphrases with four or more words. Either way, you should also take additional steps to protect your digital accounts.
Set up 2FA wherever it’s available so that a password won’t be enough to log in. Use a VPN on public Wi-Fi to keep your traffic private. Avoid writing passwords down or sharing them via email or text. Use a data monitoring service to check for compromised passwords. Together with strong, unique passwords, these precautions ensure that your online presence is kept as safe as possible.