6 Techniques for Creating Strong Passwords

Best-practice password techniques keep your accounts safe

The chief computer-system vulnerability doesn't originate with some nefarious elite hacker group in the Moscow underground or an evil-genius teenager in a suburban New Jersey basement. Rather, the biggest problem is you — and your unforgivably weak passwords that a third-grader could guess.

Check out the 2018 list of the 25 most common passwords, as shared by Esquire. The most common? 123456. The second-most common? Password.

Use a Password Manager

The best passwords are very long strings of random characters that include letters, numerals, and punctuation marks. However, most people cannot remember such passwords, and those who can tend to reuse them. Instead of relying on your memory, download a password manager.

Password managers like LastPass, Dashlane, 1Password, and KeePass work with your browser to record all your passwords and to generate new ones you don't even need to remember. They sync across devices, so all your passwords are always at the ready. You only need one password — to the password manager itself — and the software handles the rest.

Choose a Long Password

Some computer systems allow an unlimited number of login attempts, which makes them a great target for automated password-cracking tools. These tools take a known username and try one potential password after another until they find "the one." They draw on most-common-password lists, dictionaries, and generation algorithms to produce guesses until one happens to be correct.

The longer and more complex your password, the longer it'll take to crack.

Consider this example. If you selected the password cookie19 because you got a puppy named Cookie in 2019, it'll take, on average, about one minute to crack that password. However, cookie19! may take, on average, 16 hours to brute-force, and cookie!2019 may take five years. Every additional character adds significant processing time for these cracking algorithms.
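To make the "every additional character" claim concrete, here is an added example (not code from the article or from any cracking tool) that infers the character classes a password uses, computes the size of the resulting search space, and converts it into an expected cracking time. The guess rate of 10 billion guesses per second is an assumed figure for an offline attack on a fast hash, so the absolute times will not match the article's unnamed tool; the point is how the time multiplies with each extra character and each extra character class.

```python
import string

# Assumed attacker guess rate: an offline attack on a fast, unsalted hash.
# This is a constructed figure for illustration; the article's own timings
# come from an unnamed tool whose assumptions are not stated.
GUESSES_PER_SECOND = 10_000_000_000

# Character classes a cracking tool infers from the password's composition
CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), 32),
]


def charset_size(password: str) -> int:
    """Size of the union of character classes that appear in the password."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no characters from the known classes")
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search must cover for this length and charset."""
    return charset_size(password) ** len(password)


def expected_crack_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Average time to find the password: half the space at the assumed rate."""
    return search_space(password) / 2 / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {name}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    # The article's three variants: each added character multiplies the space
    for pw in ("cookie19", "cookie19!", "cookie!2019"):
        space = search_space(pw)
        print(f"{pw:12} charset={charset_size(pw):3} "
              f"space~2^{space.bit_length() - 1:<3} "
              f"expected time: {human_time(expected_crack_seconds(pw))}")
```

Under these assumptions cookie19 (36 characters, length 8) falls in a couple of minutes, cookie19! (68 characters, length 9) takes weeks, and cookie!2019 (length 11) takes centuries. The model is deliberately the attacker's worst case (pure brute force); the dictionary and rule-based attacks described in the next sections find a word-based password like this far faster, which is why length alone is not enough.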

Avoid Using Dictionary Terms

One of the most common cracking strategies uses a dictionary file.

For instance, imagine you have chosen the password pandemonium. It is reasonably long, so it is better than fred or 12345. However, an attacker with a dictionary file containing millions of words will run a program against the system he's trying to break into, trying every entry in that file as the password.

In other words: If your password is merely a single word, it'll be easily guessed regardless of its length.

Use Special Characters

Use special characters such as #, %, !, and |.

Formerly, security experts advised that a good password was a word of eight to 15 characters with symbols and numbers substituted for some of its letters — e.g., p@55w0rd.

However, modern dictionary files include these variants. It's better to use special symbols at the beginning or end of a password or to separate terms inside of it, rather than as a fancy approach to character substitution.
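The dictionary attack described above and the character-substitution point in this section are two sides of one check. The following added example (not the article's code, and not any real cracking tool's rule set) shows what a defender-side password screen can do: undo the transformations a cracker's rules would undo, then see whether what remains is a single dictionary word. The wordlist, the most-common-passwords list, and the substitution table are constructed stand-ins; a real screen would load a multi-million-entry file.

```python
import re

# Constructed toy wordlist standing in for a multi-million-entry dictionary file
WORDLIST = {"password", "pandemonium", "cookie", "fred", "welcome",
            "dragon", "monkey", "sunshine"}

# Constructed stand-in for a most-common-passwords list
COMMON_PASSWORDS = {"123456", "password", "12345", "qwerty", "111111"}

# Substitutions that cracking rule sets routinely undo (the p@55w0rd pattern)
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "|": "l", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word a rule-based cracker would try.

    Step 1 strips leading/trailing digits and symbols (cookie19!, !cookie2019),
    step 2 lowercases and undoes character substitutions (p@55w0rd -> password).
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    return core.translate(LEET_MAP)


def screen_password(password: str, wordlist=WORDLIST,
                    common=COMMON_PASSWORDS) -> tuple[bool, str]:
    """Return (accepted, reason); reject single dictionary words however decorated."""
    if password.lower() in common:
        return False, "appears on the most-common-passwords list"
    core = normalize(password)
    if not core:
        return False, "contains no letters, only digits and symbols"
    if core in wordlist:
        return False, f"reduces to the dictionary word '{core}'"
    return True, "not reducible to a single dictionary word"


if __name__ == "__main__":
    for candidate in ("pandemonium", "p@55w0rd", "cookie!2019",
                      "123456", "spot-whiskers-fifi-tiger", "5djs&lz6!0"):
        ok, why = screen_password(candidate)
        print(f"{candidate:26} {'accept' if ok else 'reject':7} {why}")
```

Note what the screen does and does not do: cookie!2019 is rejected even though the brute-force estimate above rated it at years, because a rule that strips trailing digits and symbols reaches cookie in one step. A multi-word phrase passes because no single dictionary entry matches it as a whole, which is exactly the argument the next section makes for sentence-style passwords.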

Use Sentences as Passwords

An entire sentence, or a phrase, works well as a password, too. Even though the words of the phrase individually appear in a dictionary file, the phrase itself will not appear in that particular combination. For example, a password that uses the names of your four cats, separated by hyphens, can be very long yet still be relatively immune to dictionary cracking. Try: spot-whiskers-fifi-tiger. As far as an algorithm is concerned, you've developed a 24-character password.
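The "24-character password" view is the character-level model; an attacker who realizes the phrase is four pet names drawn from a list instead works at the word level, and then the strength depends on how long that list is and how many words you used. This added example (not from the article) computes both views and generates a phrase from a wordlist with a cryptographic random source. The twelve-word list is a constructed toy; the comments assume a production list of thousands of words, such as a diceware-style list of 7776 entries.

```python
import math
import secrets

# Constructed miniature wordlist. A real list (e.g. a diceware-style list of
# 7776 words) is assumed in production; the entropy figures scale with it.
TOY_WORDLIST = ["spot", "whiskers", "fifi", "tiger", "marble", "pepper",
                "biscuit", "shadow", "ginger", "olive", "nutmeg", "pickle"]


def character_bits(phrase: str, charset_size: int = 27) -> float:
    """Strength if the attacker treats the phrase as random lowercase+hyphen."""
    return len(phrase) * math.log2(charset_size)


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Strength once the attacker knows it is num_words words from a known list."""
    return num_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches target_bits against a known list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(num_words: int, wordlist=TOY_WORDLIST, sep: str = "-") -> str:
    """Pick words with a CSPRNG; repeats are allowed so every pick stays uniform."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    phrase = "spot-whiskers-fifi-tiger"
    print(f"{phrase}: {len(phrase)} chars, "
          f"{character_bits(phrase):.1f} bits as random characters")
    for size in (len(TOY_WORDLIST), 7776, 100_000):
        print(f"4 words from a {size}-word list: "
              f"{passphrase_bits(4, size):.1f} bits; "
              f"{words_needed(80, size)} words needed for 80 bits")
    print("generated:", generate_passphrase(5))
```

Four words from a 7776-word list give about 52 bits, well below the 114 bits the character-level view suggests, and four words from a short list of your own pets' names give far less. The practical reading of the article's advice: the phrase must be long in words, not just in characters, and the words should come from a large pool.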

Use Different Passwords for Each Application

Sometimes, companies get caught with exposed password files. If you tend to use the same username-and-password combination across many different sites, a leak by one company automatically compromises your other credentials.

Never use the same password twice. Use a password manager to keep passwords unique, or memorize a strong base password and then use a prefix or suffix to identify the site. For example, a strong base password of 5djs&lz6!0 needs to be memorized only once. Then, use a suffix to identify the site. Your bank might be 5djs&lz6!0_bank and your insurance company 5djs&lz6!0_insurance. Or, use a prefix that's the first three or four characters of the website name, e.g., Ban_5djs&lz6!0.