How to Create A Secure Password
Editor’s Note: This article was published in 2017 and has been updated for accuracy and comprehensiveness as of November 2020.
Creating a secure password is an important part of protecting your digital identity. Most people know not to use the password “Password1” to protect their private information at work or online, but there is a bit more to the story than that. Everyone knows to avoid very common passwords and simple dictionary words. But even certain character substitutions have been shown to be ineffective: “P@ssw0rd1” is no more secure than its “simple character” counterpart, because most brute force attacks and password crackers will run variations like this against common or likely passwords and phrases. This may come as a shock, as we have been told to add random characters for most of our password lives, but it turns out length may be the most important factor.
Things to avoid:
It is still important to incorporate multiple character types (capital, lowercase, numbers & symbols). Use a phrase or combination of words that is not familiar to you or drawn from your own experiences. Here is what you must avoid when creating a secure password:
- Your name or the names of your kids, pets or other close relations
- Dates that are significant to you (e.g. birthdays, anniversaries)
- Anything else that might be easy to learn or guess about you
- Addresses, phone numbers, zip codes
- References to your hobbies/interests
Furthermore, if you pick a random phrase or set of words, be sure not to use “obvious character replacement” like substituting @ for the letter “a” or zero for the letter “o.” These won’t slow down attackers. Consider purposefully misspelling or dropping characters, or replacing certain letters with a random substitution instead.
Here is a quick example of one method to build stronger passwords. First, let’s generate a random string of words:
Here are four seemingly random and unrelated words strung together in a nonsensical phrase that I think I can remember. Even opening a book to a random page or using a random word generator here could work. Just make sure you aren’t pulling these words from things about your life. Don’t use your favorite animal, for example. Let’s mess this phrase up. Drop some letters, add a number or two, etc.
As you can see, I don’t necessarily capitalize every new word in the phrase, I don’t make easy substitutions, and I purposefully dropped a letter or two entirely. This is a good method for creating a secure password. At 16 characters in length, with multiple character types and randomization built in, this password weighs in as “very secure” by almost any measure.
Tips for making a secure password
To summarize, this is a good formula to follow to create a secure password:
- Use random words or phrases, not related to you or other people/pets/dates/places that you know
- Multiple character types, randomized substitutions and/or misspellings
- Phrases that are longer are better (challenge yourself by trying for 12 or more characters; 8 is the recommended minimum)
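The checks described above can be automated when choosing or vetting a password. The following is an added example, not part of the original article: it undoes obvious substitutions and trailing digits before comparing against a blocklist, which is why “P@ssw0rd1” and “Password1” get the same result. The function names, the substitution map, the tiny blocklist and the three-character-type threshold are assumptions made for illustration.

```python
import re

# Obvious look-alike substitutions that cracking rules undo automatically.
# Simplified mapping chosen for this example ("1" and "!" both fold to "i").
LEET = str.maketrans("@4031!$57", "aaoeiisst")

# Constructed sample blocklist; a real check would load a large list of known-bad passwords.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon"}

def deleet(text):
    """Lowercase and undo the obvious substitutions."""
    return text.lower().translate(LEET)

def base_word(pw):
    """Drop trailing digits/symbols (the "1" in "Password1"), then undo substitutions."""
    return deleet(re.sub(r"[^a-z]+$", "", pw.lower()))

def char_types(pw):
    """Count which of lowercase, capital, number and symbol appear."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)

def review(pw, personal=()):
    """Return findings for pw; an empty list means no objection from these checks."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than the 8-character minimum")
    elif len(pw) < 12:
        findings.append("under 12 characters")
    if char_types(pw) < 3:  # threshold of 3 is an assumption of this example
        findings.append("fewer than 3 character types")
    if base_word(pw) in COMMON:
        findings.append("common password once obvious substitutions are undone")
    # Personal details (names, dates) are compared after the same folding.
    if any(p and deleet(p) in deleet(pw) for p in personal):
        findings.append("contains a personal detail")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the article.
    for sample in ("P@ssw0rd1", "Password1", "Rex2015!rex"):
        print(sample, "->", review(sample, personal=("Rex", "2015")))
```

An empty result only means none of these specific checks fired; it is not a measure of how random the password is.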
So how do you make this practical to use in real life? In my experience, muscle memory works best. When you select a new password, you get good at remembering it by practicing. So, open a notepad and start typing. As you type the password, say it in your head. This will help you start “hearing” it and remembering it better. Once you are done with the document, restart your computer and make sure the document is permanently deleted.