How to Create a Strong Password

Use unique passwords and passphrases to protect your privacy online

Strong passwords are essential to protecting your privacy online. Here's how to create a strong password or passphrase that you'll remember and no one else can guess.

What Is a Strong Password?

A strong password for your online accounts should be:

  • Truly random
  • No shorter than 17 characters
  • Different for each online account
  • Changed every 90 days

There are some password practices that you should avoid:

  • Don't use the common "word + number" format.
  • Don't include publicly available personal information, such as your birthday.
  • Don't use common shorthand and substitutions (such as using "@" for the letter "a").
Credit cards and a thumb drive sitting on a laptop with a password written on paper.
@MIRAHNEVA via Twenty20 

What Is a Passphrase?

While most passwords are combinations of numbers, letters, and symbols, a passphrase is made up of randomly combined words. For example:

StingrayCobaltLyingStimulusLiquid

Passphrases are both easier to remember and harder to guess than standard passwords. Just try to memorize the first letter of each word, or turn it into a song in your head. To defend against dictionary attacks, you should use at least five words, and they should be truly random. You don't want the phrase to sound like a sentence.

Passphrase and Password Generators

To make sure the words you pick are truly random, use a free passphrase generator like Diceware or Secure Passphrase Generator. For an assortment of random letters and numbers, use Norton Password Generator or Avast's Random Password Generator. Many online accounts have specific password requirements, so you may need to add numbers, special characters, or a mix of uppercase and lowercase letters.

How to Memorize Passwords

Using easy-to-remember information like your birthday or the year you graduated from high school is highly discouraged. If you have trouble remembering passphrases, another strategy is to create an acronym out of a sentence. For example, "A gallon of milk used to cost 32 cents back in 1950" can translate into:

Agomutc$.32bi1950

It's generally not a good idea to write down your passwords; however, you can write down the phrase as a reminder, and no one will know what it means if they find it. If you have multiple online accounts, you should use a password manager to keep track of your login credentials.

Use a Password Manager

As tempting as it may be, you shouldn't use the same username and password combination for all of your online accounts. Each account should have its own unique, complex password. Fortunately, you don't have to remember them all individually.

KeePass open source password manager

Instead, you can use a password manager. That way, you can log in to any account by entering the primary password for a password manager. Some of the best password managers programs also come with built-in password generators.

If you want to know how strong your password is, use a password checker like Password Meter.

Multi-factor Authentication

Regardless of your password strength, it's always a good idea to protect your online accounts with two-factor authentication (2FA) when possible. When you turn on 2FA for Gmail and other services, you'll receive a verification code via text message or email each time you log in. Most banking services and social media websites support some form of 2FA.

In addition to your online accounts, you also need strong passwords for all of your devices, especially if you carry them with you in public. In addition to passwords, most operating systems support some form of biometric verification. For example, Windows Hello uses facial-recognition technology and Apple Touch ID uses a finger print scanner to identify who is trying to access your account.

Why Are Strong Passwords Important?

Passwords safeguard your online accounts from other people who use the same computer. More importantly, they protect you against hackers who want to steal your personal information. If someone knows your email password, for example, they can find out a lot about you including where you bank, where you work, and where you live. Stolen password are often sold on the black market for nefarious purposes.

Hackers use several methods to steal passwords including:

  • Brute force attacks: A brute force attack uses automated software to guess passwords using randomized combinations of characters.
  • Dictionary attacks: Similar to brute force attacks, random word combinations are used to guess passwords.
  • Phishing: Hackers directly solicit private information using phishing emails, robocalls, or misleading links to obtain passwords from users.
  • Credential recycling: If a hacker has your username and password for one account, they will likely try using the same credentials on your other accounts.

What to Do If Someone Else Gets Your Passwords

If you suspect one of your passwords has been compromised:

  • Create a new, stronger password.
  • Change the passwords of any associated accounts.
  • Update your account recovery information.
  • Keep an eye on your bank account for unauthorized purchases.

How Do I Find out if My Password Was Compromised?

Your usernames and passwords could be compromised through no fault of your own. Several high-profile companies, like Facebook and Sony, have been victims of data breaches that exposed the login credentials of users. You can visit the Avast Hack Check website and enter your email address to see if your privacy has been compromised. If so, you should change the passwords for all accounts associated with that email.

Set up security questions and account recovery information when possible to further protect your accounts.