How to Create Strong Passwords

Passwords are the main way we protect everything on the internet. So it is no surprise that an entire (illegal) industry has grown up around trying to hack passwords. Today we’ll take a brief look at the situation, then dive right into how to create strong passwords.

We want this guide to be short and actionable, so let’s get right into it.

The password situation in 2020

Once upon a time, a simple password was enough to protect your accounts on the internet. But that was long ago.

Today, an entire industry has grown up around defeating your passwords. Crooks aim to buy, steal, or hack your passwords to get access to your bank accounts, social media accounts, corporate databases, and anything that might have value to someone else.

While buying and stealing passwords is a giant problem, today we are looking at the passwords themselves. Specifically, how to create strong passwords.

Hackers now have several approaches to hacking your passwords, and the computing power to make them realistic. Consider that in 2012 there were already hacking systems that could try every possible 8-character Windows password in 6 hours. These creeps have some serious hardware to throw at your password. You know which password we’re talking about, that same 8-character password you’ve been using for everything since 2012.

It is time to strengthen your defenses.

Note: Yes, fixing this will hurt. Going through every account and replacing “abcd1234” with a strong password won’t be much fun. But waking up one morning to find your identity was stolen, or $20k of cryptocurrencies missing from your online wallet would be even less fun.

If you made it here we have to assume you decided to suck it up and fix your passwords. It’s a smart decision, so let’s get on with it.

Okay, just one more thing…

It turns out that there is not a lot of consensus on the best way to generate strong passwords. As you’ll see, there is more to this problem than simply creating the most difficult-to-hack passwords possible.

A strong password is only part of the story

We know how to create a strong password: create a random string of characters; upper case, lower case, numerals, and punctuation.

We know how to create a stronger password: add more characters to a strong password.

Encryption algorithms like AES-256 use 256-bit encryption keys. That’s roughly equivalent to a random password 32 characters long. In theory, a random string of 32 characters would make a great password. But there is one big difference between encryption keys and passwords: humans “touch” passwords.

Encryption algorithms live in the bowels of your device and are only manipulated by the device.

Passwords are meant to be typed into little boxes on the screen by busy, nearsighted, tired humans like us. Passwords have to be entities that humans can manipulate. Not only do we need to be able to type the little monsters, we need to be able to remember them. A lot of them. To truly protect your accounts, you need to use a different password for. every. single. account. Which means you need to memorize a whole bunch of long random strings of characters.

And it gets worse. There is little consistency in how websites handle passwords. Most sites limit the length of passwords they will accept. Many have very fussy requirements for the form that a password may take: include at least one of these characters, none of this type, the first character can’t be punctuation, etc., so on. Sometimes even generating a password that a particular site will accept is a major headache; much less memorizing it afterward.

Still, we have to get this done somehow, so let’s start with the basics, then handle all this other stuff later.

What makes a strong password

Many authoritative-sounding people give lots of (sometimes conflicting) advice on what makes a password strong. After reviewing more password-creation systems than seems healthy, we concluded that there is no real consensus on what it takes to makes a strong password. Some sources insist on long strings of random characters. Others suggest long passphrases. Still others suggest passphrases comprised of random words selected by rolling dice and selecting words from published lists.

What we didn’t find anywhere was scientific research that showed one approach to be superior to another. Based on our own research and recent guidelines from the National Institute of Standards and Technology (NIST), here are our criteria for making a strong password:

Long – The longer your password the better. Every additional character you add to your password multiplies the difficulty of some entity (a hacker or a password hacking system) guessing it. The NIST guidelines suggest minimum password lengths of 8 characters, and using long passphrases that are easy to memorize, rather than complex passwords.

For example, online password test sites like kaspersky password checker and my1login rank both of these as strong passwords:

• 7dEgkzBk8QxwVfLoaUwV
• the sheep is a fluffy creep

While both are strong, the phrase would be much easier to remember and to type in when necessary. Happily for anyone who needs to memorize or type passwords themselves, NIST no longer recommends those annoying requirements to have at least one upper case character, one lower case character, one number, and one punctuation mark.

Note: You can up the complexity of a passphrase another notch by avoiding sentences, and using random, bizarre, or uncommon words.

Uncommon – Don’t use a commonly-known phrase as your passphrase. A phrase like, “all men are created equal” will be easy to guess because it is so well known.

Unrelated – Avoid passwords or passphrases that contain personal information. If the hacker knows that information about you, they will make guesses using that information, which makes your password far less secure.

How to create strong passphrases you can remember

There are a lot of systems to create strong passphrases you can remember, but unless you are into rolling dice and such, we’re going to advise you to cheat. We think memorizing a bunch of passphrases is a waste of time and energy. Instead, you should let your tech do the work for you.

Creating and using strong passwords

Unless you have the time, energy, memory capacity, and desire, we see no reason for you to memorize dozens of passwords or passphrases. Instead, we recommend you invest a few bucks in a password manager. Then the only passphrase you will need to memorize will be the one you need to log into your password manager. And you can even get the password manager to generate that passphrase for you.

We’ll use our favorite password manager, Bitwarden, to show you what we mean. You can download and install your web browser’s free Bitwarden Add-on in moments, and create an account while you are at it. Why not do that right now so you can follow along with us? Just create a simple password since we are going to replace it immediately.

Getting ready for strong password creation

Before you can go ahead you need to create a strong passphrase to log into Bitwarden from now on.

1. Open the Bitwarden add-on. At the bottom of the add-on window, click the Generator icon. The Password Generator page appears.
2. Under Options, select Passphrase. Bitwarden instantly generates a passphrase with the default settings.
   
3. You can change the way Bitwarden generates these passphrases, but the only place you are going to use the passphrase is on your own device, typed in by your own hands. Unless you lie or work with a hacker, the default settings should be good enough.
4. Keep hitting Regenerate Password until you see one you like. Take a moment to memorize your new passphrase, then hit Copy Password. You shouldn’t need it, but at the very beginning it is good to have the passphrase in reserve in case you forget it as you go through the next few steps.
5. With your new passphrase firmly in mind, click the Settings icon on the bottom right of the Bitwarden window.
6. Scroll down until you find the Change Master Password and click it.
7. Bitwarden displays a box directing you to go to the bitwarden.com web vault. Click Yes. Your browser will open to the Change your master password page at bitwarden.com.
   
8. Follow the instructions on this page to make the change.
9. Log back in to Bitwarden using the new password.

How to create strong passwords

Now that all the preliminaries are out of the way, it is time to create some strong passwords:

1. Navigate to a website where you have a weak password.
2. Log in to the site as you do normally, using your old password.
3. Navigate to the change password page of the site.
4. Check the page carefully to see if there are any special requirements for the password of this site.
5. Using the same process you used to create a new passphrase for logging into Bitwarden, create a new password or passphrase for the current website. If necessary, make adjustments to the way Bitwarden generates the password or passphrase to match special requirements of the website. Within the limits imposed by the website whose password you are changing, we suggest you create a password with a length of 20 characters. That is overkill for current circumstances, but provides some protection against further advances in hacker technology.
6. Select Copy Password, and paste it in where necessary to replace the site’s old password with the one you just created, and continue with that site’s password change process. When you log into the site for the first time with your new password. Bitwarden will ask you if you want to save the login credentials for the site, which of course you do.
7. Once you complete the process for this site, move on to the next website with a weak password.

This process may be time-consuming if you have weak passwords for numerous sites, but once you update a site and its information is stored in Bitwarden, logging in becomes fast and easy.

Using your strong passwords

Using your new strong passwords is super simple. Make sure to login to Bitwarden before you go on.

1. Navigate to the login page of a site for which you have generated a new password.
2. Look at the Bitwarden icon in the top right of the browser window. You should see the Bitwarden shield with a numeral 1 in a box. That indicates that Bitwarden has a password entry that applies to this page.
3. Click the Bitwarden icon. The add-on opens and displays the entry for this website.
4. Click the name of the website in the Bitwarden entry. Bitwarden enters the login credentials into the appropriate fields on the login page.

That’s it.

Note: There are other good password managers to consider. Other popular options include Dashlane and 1Password, but Bitwarden is still our favorite.

How to create strong passwords – FAQ

In this section of the post, we’ve gathered together some of the most frequently asked questions on the subject of creating strong passwords. But before you dive in, we would like to remind you that when we talk about passwords here, we are really referring to passwords and passphrases. With that said, let’s look at those questions:

How strong is your password?

You can test to see how strong your password is at sites like  my1login and kaspersky password checker. These will give you rough scores on the difficulty of cracking your password.

Note: While it is easy to get carried away trying to make a password that can’t be hacked in a trillion years, don’t do it. Once you have a password that is rated as very strong at my1login, or 10000+ centuries at Kaspersky, you should be plenty safe.

How does a password get hacked?

You might be wondering how it is that someone could have your password in the first place. It turns out that there are several ways to do so:

• Buy your password on the dark web
• Figure it out with a brute force attack
• Figure it out using a dictionary attack
• Acquire your password through social engineering (phishing)

Buy your password on the dark web

Did you ever wonder what happens to the billions of user names and passwords (login credentials) that get stolen every year when hackers breach the security of some big corporation? One thing that happens to them is they go on sale on the dark web. This part of the internet, invisible to the search engines, is a place where many things can be found that would not appear on the part of the internet normal people use.

Huge lists of login credentials can be purchased from hidden sites on the dark web. Hackers can use these credentials to log into the service they originally came from. They can also use the credentials to probe other accounts owned by the same person. Because many people use the same credentials on all their accounts, there is a good chance that Hacker B will be able to hack your account using credentials he purchased from Hacker A on the dark web.

Figure out your password with a brute force attack

As the name implies, a brute force attack aims to hack your password by simply trying every conceivable combination of characters until one works. That might sound like a ridiculous approach, but the speed and power of modern computers make it a realistic weapon. Way back in 2012, someone demonstrated a brute force attack system that could reportedly try over 350 million passwords a second! That was supposedly enough to crack any 8-character password in under 6 hours.

Considering that system existed 8 years ago (in 2012), it is likely that professional hackers now use systems vastly more powerful than this. The longer your password the better the chance your password has to survive a brute force attack.

Figure out your password with a dictionary attack

One way to create a memorable password is to use a real word as the password. A dictionary attack uses a list of real words to speed up password guessing.

There are two ways that we know of to defeat a dictionary attack. One is to avoid using regular words in your passwords. A dictionary attack won’t work if your password is not in the huge dictionary of words the attacker searches.

The other way to defeat a dictionary attack is to string together multiple real words. Choosing several real words and stringing them together like this: sheeptermiterockairplane exponentially increases the difficulty of cracking this kind of password.

Acquire your password through social engineering (phishing)

Social engineering attacks (a.k.a. phishing attacks) try to trick you or pressure you into giving them your password. They use tricks like emails that claim to be from your ISP, websites designed to look like your bank’s home page, even phone calls claiming to be addressing an urgent problem with your credit card.

Conclusion on strong passwords

Everyone agrees that we need strong passwords, and that longer passwords are generally stronger than shorter passwords. Beyond that, there are many different opinions on what it takes to make a strong password, as well as many different techniques for generating them.

In this guide, we quickly covered the basics. Then we moved on to a common sense and practical approach to creating and using strong passwords and passphrases. This method doesn’t require you to have an incredible memory, is automated, inexpensive or free, secure, and doesn’t require you to go out and buy a set of dice.

To illustrate the process, we used Bitwarden, our pick for the Best all-around password manager. While we think it is an excellent choice, there are several other good options out there, which you can read about in this guide to the Best Password Managers.