Passwords are the main way we protect everything on the internet. So it is no surprise that an entire (illegal) industry has grown up around trying to hack passwords. Today we’ll take a brief look at the situation, then dive right into how to create strong passwords.
We want this guide to be short and actionable, so let’s get right into it.
The password situation today
Once upon a time, a simple password was enough to protect your accounts on the internet. But that was long ago.
Today, an entire industry has grown up around defeating your passwords. Crooks aim to buy, steal, or hack your passwords to get access to your bank accounts, social media accounts, corporate databases, and anything that might have value to someone else.
While buying and stealing passwords is a giant problem, today we are looking at the passwords themselves. Specifically, how to create strong passwords.
Hackers now have several approaches to hacking your passwords, and the computing power to make them realistic. Consider that in 2012 there were already hacking systems that could try every possible 8-character Windows password in 6 hours. These creeps have some serious hardware to throw at your password. You know which password we’re talking about, that same 8-character password you’ve been using for everything since 2012.
It is time to strengthen your defenses.
Note: Yes, fixing this will hurt. Going through every account and replacing “abcd1234” with a strong password won’t be much fun. But waking up one morning to find your identity was stolen, or $20k of cryptocurrencies missing from your online wallet would be even less fun.
If you made it here, we have to assume you decided to suck it up and fix your passwords. It’s a smart decision, so let’s get on with it.
Okay, just one more thing…
It turns out that there is not a lot of consensus on the best way to generate strong passwords. As you’ll see, there is more to this problem than simply creating the most difficult-to-hack passwords possible.
A strong password is only part of the story
We know how to create a strong password. In fact, it’s pretty simple:
Create a random string of characters: upper case, lower case, numerals, and punctuation.
If you want to make it stronger, simply add more characters. It’s that easy.
Encryption algorithms like AES-256 use 256-bit encryption keys. That’s roughly equivalent to a random password 32 characters long. In theory, a random string of 32 characters would make a great password. But there is one big difference between encryption keys and passwords: humans “touch” passwords.
Encryption algorithms live in the bowels of your device and are only manipulated by the device.
Passwords are meant to be typed into little boxes on the screen by busy, nearsighted, tired humans like us. Passwords have to be entities that humans can manipulate. Not only do we need to be able to type the passwords, we need to be able to remember them. To truly protect your accounts, you need to use a different password for every single account.
And it gets worse. There is little consistency in how websites handle passwords. Most sites limit the length of passwords they will accept. Many have very fussy requirements for the form a password may take: include at least one of these characters, none of this type, the first character can’t be punctuation, and so on. Sometimes just generating a password that a particular site will accept is a major headache, never mind memorizing it afterward.
Fortunately, a good password manager can make your life easy and help you securely manage long, complex passwords for every website you need.
What makes a strong password
Many authoritative-sounding people give lots of (sometimes conflicting) advice on what makes a password strong. After reviewing more password-creation systems than seems healthy, we concluded that there is no real consensus on what it takes to make a strong password. Some sources insist on long strings of random characters. Others suggest long passphrases. Still others suggest passphrases composed of random words selected by rolling dice and looking the words up in published lists.
Based on our own research, and recent guidelines from the National Institute of Standards and Technology (NIST), here are our criteria for making a strong password:
Long – The longer your password, the better. Every additional character you add to your password multiplies the difficulty of some entity (a hacker or a password hacking system) guessing it. The NIST guidelines suggest minimum password lengths of 8 characters, and using long passphrases that are easy to memorize, rather than complex passwords.
For example, online password test sites like kaspersky password checker and my1login rank both of these as strong passwords:
- the sheep is a fluffy creep
While both are strong, the phrase would be much easier to remember and to type in when necessary. Happily for anyone who needs to memorize or type passwords themselves, NIST no longer recommends those annoying requirements to have at least one upper case character, one lower case character, one number, and one punctuation mark.
Note: You can up the complexity of a passphrase another notch by avoiding sentences, and using random, bizarre, or uncommon words.
Uncommon – Don’t use a commonly-known phrase as your passphrase. A phrase like, “all men are created equal” will be easy to guess because it is so well known.
Unrelated – Avoid passwords or passphrases that contain personal information. If the hacker knows that information about you, they will make guesses using that information, which makes your password far less secure.
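The arithmetic behind the “Long” criterion, as an added example that is not part of the original article: every extra character multiplies the number of candidates a brute-force attack must try by the alphabet size, and a passphrase built from randomly chosen words can be compared with a random character password on the same scale. The 7776-entry word list size and the guess rate in the demo are assumptions used for illustration, not figures from the article, and the passphrase numbers only hold when the words are drawn at random rather than forming a sentence.

```python
import math

# Added example, not from the original article: the arithmetic behind
# "every extra character multiplies the difficulty" and behind comparing a
# random character password with a random-word passphrase.

# Alphabet sizes for a few common character sets (printable ASCII is the
# 95 keys on a US keyboard: letters, digits and punctuation).
ALPHABET_SIZES = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "printable_ascii": 95,
}

# Size of a standard Diceware-style word list (6**5 = 7776 entries). Assumed
# here; the figures only hold when every word is picked uniformly at random,
# not when the words form a sentence.
DICEWARE_LIST_SIZE = 7776


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols over the alphabet.
    Adding one character multiplies this by `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace: the usual 'bits of entropy' figure."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words were drawn at random from a list."""
    return word_count * math.log2(wordlist_size)


def chars_equivalent_to_passphrase(word_count: int, alphabet_size: int = 95,
                                   wordlist_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest random-character password length with at least as much
    entropy as a `word_count`-word random passphrase."""
    return math.ceil(passphrase_entropy_bits(word_count, wordlist_size) / math.log2(alphabet_size))


def worst_case_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a given guess rate (an offline
    attack on a leaked hash; online logins are normally rate-limited)."""
    return keyspace(length, alphabet_size) / guesses_per_second


def describe(seconds: float) -> str:
    """Round a duration to a human-readable unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    RATE = 1e11  # constructed assumption for an offline cracking rig, guesses per second
    for length in (8, 12, 16, 20):
        bits = entropy_bits(length, 95)
        print(f"{length:2d} random printable chars: {bits:5.1f} bits, "
              f"exhaustive search {describe(worst_case_seconds(length, 95, RATE))}")
    for words in (4, 6, 8):
        print(f"{words} random Diceware words: {passphrase_entropy_bits(words):5.1f} bits, "
              f"about the same as {chars_equivalent_to_passphrase(words)} random characters")
```

Running it shows why the guide treats a six-word random passphrase as comparable to a twelve-character random password: both land near 78 bits, and each further word or character adds a fixed number of bits regardless of the guess rate you assume.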
How to create strong passphrases you can remember
Optionally, you could eliminate the spaces between the words, add numbers or special characters, and so on. Because they are composed of random words instead of random characters, you can memorize a long passphrase much more easily than an equally long password.
It might look like using passphrases would eliminate the need to use a good password manager. However, the situation is similar to that with passwords.
Memorizing one secure password is doable. Memorizing the 5, 10, 20, or more secure passphrases you are going to need is a whole different project. Letting a password manager create and manage secure passwords for you is a lot easier.
But don’t rule out passphrases entirely. As you’ll see shortly, there is one place where using a passphrase is a perfect choice.
It makes a lot more sense to let your password manager create strong passwords for you. You are already going to have to trust the manager, and doing it this way means that the password gets generated on your device, and doesn’t have to get shipped to you across the internet.
Letting your password manager generate strong passwords for you, right on your device, is the safest and simplest way to go.
Creating and using strong passwords
Unless you have the time, energy, memory capacity, and desire, we see no reason for you to memorize dozens of passwords or passphrases. Instead, we recommend you invest a few bucks in a password manager. Then, the only passphrase you will need to memorize will be the one you need to log into your password manager. And you can even get the password manager to generate that passphrase for you.
We’ll use an example from our NordPass review to show you what we mean. By the way, if you are not already using a good password manager, you can get a great deal on NordPass with the coupon below:
NordPass Cyber Deal:
Get 52% Off NordPass (drops the price to $1.43 per month) plus 1 month free:
(Coupon is applied automatically.)
Now, we can use NordPass to easily generate very strong passwords. Here’s how:
- Simply open the NordPass app on your device (or the NordPass browser extension within your browser).
- Navigate to the tools area and then select the Password Generator tool within NordPass.
- From there, you can select the parameters of your strong password using the criteria we listed above.
Note: Below are some reviews of the password managers we have tested:
– NordPass Review
– 1Password Review
– Dashlane Review
– LastPass Review
– Bitwarden Review
– KeePass Review
How to create strong passwords
Now that all the preliminaries are out of the way, it is time to create some strong passwords:
- Navigate to a website where you have a weak password.
- Log in to the site as you do normally, using your old password.
- Navigate to the change password page of the site.
- Check the page carefully to see if there are any special requirements for the password of this site.
- Using the process outlined above, create a new password or passphrase for the current website. If necessary, make adjustments to the way NordPass generates the password or passphrase to match special requirements of the website. Within the limits imposed by the website, we suggest you create a password with a length of 20 characters. That is overkill for current circumstances, but provides some protection against further advances in hacker technology.
- Select Copy Password, and paste it in where necessary to replace the site’s old password with the one you just created, and continue with that site’s password change process. When you log into the site for the first time with your new password, NordPass will ask you if you want to save the login credentials for the site, which of course you do.
- Once you complete the process for this site, move on to the next website with a weak password.
This process may be time-consuming if you have weak passwords for numerous sites, but once you update a site and its information is stored in NordPass, logging in becomes fast and easy.
Using your strong passwords
Using your new strong passwords is super simple. Make sure to log in to NordPass before you go on.
- Navigate to the login page of a site for which you have generated a new password.
- Be sure you are logged in to the NordPass app or browser extension on your device.
- When you visit a website for which NordPass has saved login credentials, you should see a NordPass logo near the login area. Simply click this icon to have NordPass enter your credentials, and then you can securely log in.
With a good password manager like NordPass, password management and security are a lot easier to deal with.
How to create strong passwords – FAQ
In this section of the post, we’ve gathered together some of the most frequently asked questions on the subject of creating strong passwords. But before you dive in, we would like to remind you that when we talk about passwords here, we are really referring to passwords and passphrases. With that said, let’s look at those questions:
How strong is your password?
You can test to see how strong your password is at sites like my1login and kaspersky password checker. These will give you rough scores on the difficulty of cracking your password.
Note: While it is easy to get carried away trying to make a password that can’t be hacked in a trillion years, don’t do it. Once you have a password that is rated as very strong at my1login, or 10000+ centuries at Kaspersky, you should be plenty safe.
How does a password get hacked?
You might be wondering how it is that someone could have your password in the first place. It turns out that there are several ways to do so:
- Buy your password on the dark web
- Figure it out with a brute force attack
- Figure it out using a dictionary attack
- Acquire your password through social engineering (phishing)
Buy your password on the dark web
Did you ever wonder what happens to the billions of user names and passwords (login credentials) that get stolen every year when hackers breach the security of some big corporation? One thing that happens to them is they go on sale on the dark web. This part of the internet, invisible to search engines, is a place where many things can be found that would not appear on the part of the internet normal people use.
Huge lists of login credentials can be purchased from hidden sites on the dark web. Hackers can use these credentials to log into the service they originally came from. They can also use the credentials to probe other accounts owned by the same person. Because many people use the same credentials on all their accounts, there is a good chance that Hacker B will be able to hack your account using credentials he purchased from Hacker A on the dark web.
Figure out your password with a brute force attack
As the name implies, a brute force attack aims to hack your password by simply trying every conceivable combination of characters until one works. That might sound like a ridiculous approach, but the speed and power of modern computers make it a realistic weapon. Way back in 2012, someone demonstrated a brute force attack system that could reportedly try over 350 million passwords a second! That was supposedly enough to crack any 8-character password in under 6 hours.
Considering that system existed back in 2012, it is likely that professional hackers now use systems vastly more powerful than this. The longer your password the better the chance your password has to survive a brute force attack.
Figure out your password with a dictionary attack
One way to create a memorable password is to use a real word as the password. A dictionary attack uses a list of real words to speed up password guessing.
There are two ways that we know of to defeat a dictionary attack. One is to avoid using regular words in your passwords. A dictionary attack won’t work if your password is not in the huge dictionary of words the attacker searches.
The other way to defeat a dictionary attack is to string together multiple real words. Choosing several real words and stringing them together like this: sheeptermiterockairplane exponentially increases the difficulty of cracking this kind of password.
Acquire your password through social engineering (phishing)
Social engineering attacks (a.k.a. phishing attacks) try to trick you or pressure you into giving them your password. They use tricks like emails that claim to be from your ISP, websites designed to look like your bank’s home page, even phone calls claiming to be addressing an urgent problem with your credit card.
Conclusion on strong passwords in 2023
Everyone agrees that we need strong passwords, and that longer passwords are generally stronger than shorter passwords. Beyond that, there are many different opinions on what it takes to make a strong password, as well as many different techniques for generating them.
In this guide, we quickly covered the basics. Then we moved on to a common-sense, practical approach to creating and using strong passwords and passphrases. This method doesn’t require you to have an incredible memory, is automated, inexpensive or free, and secure, and doesn’t require you to go out and buy a set of dice.
To illustrate the process, we used NordPass, our pick for the best all-around password manager. While we think it is an excellent choice, there are several other good options out there, which you can read about in this guide to the best password manager apps.
Note: We are also working on a collection of password manager comparisons:
– 1Password vs NordPass
– 1Password vs LastPass
– LastPass vs NordPass
– NordPass vs RoboForm
– Bitwarden vs NordPass
This Strong Passwords article was last updated on January 3, 2023.
There is a more secure way of using password managers (in my opinion) Search Double blind password and learn how to use it with your password manager. thanks
This is a fantastic article; reading it again.
I went through the process of cleaning up my passwords some time ago;
And as said in the article it is time consuming but so important.
The strategies outlined above I completely agree with.
What I would like to emphasize is that partially following the advice is as good as not following the advice.
Hackers know people’s simple mental shortcuts.
I believe it is common for people to create passwords using a keyword and a designator that meets password requirements. For example, keyword: ‘pizza’. designator: ‘gmail’, would become “Pizza_Gmail1” or “Pizza_Twitter1” or “Pizza_Netflix1” etc. This is known to hackers and what this means is if your password is dumped in any breach and in plain text, kid hackers are going to go after all your accounts and test everything; and what they really want is Gmail access because with that they can reset all your passwords and have all your accounts.
It gets worse: where one is involved in two breaches, hackers are going to use programming to run through both data sets and look for patterns in the data. So if your email is exposed in two breaches and your passwords are a human mental shortcut, the pattern is going to get noticed. Then your accounts are going to get highly targeted as you appear to be a weak victim.
My IT guy says for those working at home (and thus a physical password book is unlikely to be stolen), using an online password manager is a lot less secure than just writing down passwords and occasionally changing them (6x/yr). It does seem contradictory to the goal of internet security to use an online vault. The best security, he believes, is a secure laptop with Spyhunter & virusware run every day, but also redundancy in backups. Your comments please.
So saving my protonmail password in my Firefox browser is stupid?
Also what is wrong with an old notebook full of passwords & changing them?
That may not be a bad idea in some respects, but keep in mind:
1) You need to have the physical security of the notebook locked down very well;
2) You need to be able to actually manage lots of long complex passwords using the notebook
3) You will need to hand type passwords, rather than copy/paste from a secure password manager.
I think you should still consider a secure password manager.
Sorry, if my email passwords are inside the Firefox browser (which has been modified per your privacy & security recommendations), is that much less secure than having them in a secure password manager, at least?
Sorry, but that question is a bit different from my original.