Start a conversation about digital security, and it won’t be long before you’re talking about passwords. Passwords are a part of daily life, yet very few people think about what makes a password strong, to reduce the risk of its being cracked. Let’s take the time to think through it now.
Note: This page contains affiliate links. Please see Affiliate Disclosure.
81% of hacking-related breaches used stolen and/or weak passwords, according to the book Cyber Smart.
75% of people use the same password for multiple websites, and 30% use the same login info for all their online activities, according to the book Future Crimes.
The reuse of login credentials in my opinion is the greatest security flaw that we have today.Kyle Milliken, former hacker (via Sophos)
It’s practically inevitable that one or more of your passwords will be breached at some point, even if it’s through no fault of yours. This reality has led to credential stuffing: when hackers take login credentials they’ve acquired for one account and try them on other accounts, assuming that the owner has used the same login credentials for multiple accounts.
Even if you use a password manager like LastPass (which you should!), you’ll still need to remember a few passwords. You’ll need to remember the passwords for your computer and phone, and the master password for password manager, at a minimum.
Your kids need to remember these types of passwords, as well as any that they need to type at school, if they can’t use a password manager there.
Because kids don’t intuitively understand what makes a password strong, they often create weak passwords. They’re also prone to reuse them, because it’s easier than remembering multiple passwords.
So, even if you use a password manager, it’s still useful to know how to create strong passwords, and to help your kids do so.
How to Increase Your Security
You may be thinking, “Oh, no, here comes boring password advice.” Let me give you a shortcut.
If you use a password manager such as LastPass or the others listed later, and have it configured to generate strong passwords for you, you’ll hardly ever need to create passwords yourself.
However, as I said, you’ll still need to remember a few passwords, so let’s see how to make them strong.
Make Passwords Long
Longer is stronger. The most important thing you can do to increase a password’s strength is to increase its length. Why? Each additional character makes it multiple times stronger.
Password length has been found to be a primary factor in characterizing password strength. Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords.NIST (the US National Institute of Standards and Technology)
Unfortunately, most accounts have limits on how many characters you can use in a password. I recommend using at least 15 characters. I use 20. Reformed hacker Kevin Mitnick recommends 20-25 characters.
If an account says you’ve used too many characters, you can reduce the number until you reach the maximum allowed.
Make Passwords Complex
What do I mean by complex? I mean increase the variety of the characters in the password. Use all the character classes: uppercase letters, lowercase letters, numbers, and symbols (special characters such as !, @, #, and $).
I recommend using all 4 classes in every password. If an account says you’ve used a disallowed character, just replace that character with one that is allowed.
… we get our protection from the size of the space that we force the bad guy to search. The larger the space, that is, the greater the number of combinations of wrong passwords the attacker has to try during a brute-force, try-everything attack, the greater security we have.Security Now! episode 303, “Password Haystacks” (grc.com)
The use of every type of character forces the attacker to search through the largest possible space. … So, in essence, by deliberately using at least one of each type of character, we are forcing the attacker to search the largest possible password space, because our password won’t ever be found in any of the smaller spaces.GRC’s Password Haystacks (grc.com)
… making the alphabet as large as possible is also important. I use the example, for example, of just decimal. That’s, like, the worst you could possibly do would be a digits-only password because each character only makes it 10 times stronger. Whereas, for example, if it was lowercase, each character makes it 26 times stronger because you’ve got an alphabet of 26. But if you put in even just one uppercase character, suddenly now that’s radically stronger because the alphabet is lowercase 26 plus uppercase 26, which is to say, by putting in an uppercase character, you have made the attacker use brute forcing that includes uppercase.Security Now! episode 303, “Password Haystacks” (grc.com)
… make the search … as hard as possible, in addition to length, which clearly lengthens the search, is you absolutely want to use at least one uppercase, one lowercase, one digit, and one symbol because what you’ve then done is you’ve moved your password out of any of the abbreviated searches.Security Now! episode 303, “Password Haystacks” (grc.com)
Make Passwords Random
The more predictable your password is, the easier it is to break. Why?
If someone is targeting you specifically, they may be able to learn enough about you to guess your password. For example, if you post on social media about your pet, or favorite sports team, or favorite book, a hacker may try those words.
If someone is cracking passwords in bulk, they’ll try guessing common, predictable words. There are many dictionaries available that include not only common dictionary words, but also other words and phrases commonly used in passwords. For example, names of people, pets, or fictional characters.
Password crackers often try multiple languages, so you’re not safe to simply choose words from a language other than your primary language.
Also, don’t just tack numbers or special characters to end, because that’s a common pattern, and thus predictable. Instead, mix the numbers or special characters into the inside of the password.
… as soon as the attacker has exhausted all of his lists, common password lists, maybe site-specific likely passwords based on the site they’re trying to hack, or the specific user. … Then they’ll fall back to dictionaries. Then maybe dictionaries with a digit tacked on the end because we know now that some password policies require at least one digit.Security Now! episode 303, “Password Haystacks” (grc.com)
Don’t Use Simple Character Substitution
A common piece of password advice is to replace letters with numbers or special characters. For example, password becomes [email protected]$$w0rd. These are sometimes called leetspeak passwords or munged passwords. The reality is that password-cracking applications have been able to recognize most character substitutions for years, and they’re not fooled by this.
[Password Recovery Toolkit] … runs the dictionaries with common substitutions: “$” for “s,” “@” for “a,” “1” for “l” and so on. Anything that’s “leet speak” is included here, like “3” for “e.”Secure Passwords Keep You Safer (wired.com)
Avoid common substitutions — Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions.How to create a strong password (avast.com)
The problem … is that today’s hackers rarely start with a blank slate. Instead, they begin by searching for English words plus common substitutions, such as $ for S. That makes them very well adapted to breaking exactly the kind of [email protected]$ users tend to createEverything you’ve been told about passwords is wrong (intheblack.com)
When asked to add special characters, they tend to make predictable substitutions, such as “@” for “a” and “!” for “l.” Because the substitutions are predictable, they can be guessed algorithmically with pretty good accuracy.Unraveling the truth about the NIST’s new password guidelines (csoonline.com)
Don’t Use a Few Predictable Dictionary Words
It’s become common practice for people to string together a few words. This became much more common after the 2011 xkcd comic 936, titled “Password Strength” (see below).
However, notice that the comic says you need to use random words. Most people don’t; they pick a few words that pop into their heads at the moment. For example, a person glances around their room and creates the password chairlampwindow. That lack of randomness makes the passwords more predictable, and weaker.
If you use this method, be sure the words are random. Computers are way better at being random (or pseudo-random) than humans, so use your password manager.
Or, use 1Password’s online password generator; if you choose Memorable Password, it will generate a password made of 4 words connected by hyphens. You can make it stronger by increasing the number of words and checking the Capitalize box to add a capital letter.
You’re going to be tempted to use nonrandom words in a sentence. And as soon as you do that, wham, the strength of what you have done just collapses.Security Now! episode 297, “Pass-Sentences??” (grc.com)
it is much easier to make a much stronger password of a certain length by adding, changing the case, and salting it with some special characters. I mean, even, for example, if you took “correct horse battery staple,” and you just stuck dashes in between, or your own special joiner character that you didn’t tell anyone about, that makes it radically strongerSecurity Now! episode 313, “How The Internet Works: ICMP & UDP” (grc.com)
Make Passwords Unique
Let’s zoom out from thinking of each password in isolation. Consider your entire set of passwords and accounts. As we saw earlier, 75% of people use the same password for multiple websites, and 30% use the same login info for all their accounts.
No matter how strong a password is, if it’s one you use for multiple accounts, you’re at risk.
What’s the solution? Make passwords unique; use a different password for every account.
To do this, you need one of the following:
- An incredible memory
- A secret, unpredictable password scheme
- A password manager
You know by now that I recommend the password manager. Most people don’t have an incredible memory or a secret, unpredictable password scheme.
Use a Password Manager
Now that you have a taste for what goes into making a password strong, I’m sure you’ll agree that you don’t want to think through all these criteria every time you create a password. That’s why I recommend that you use a password manager whenever possible. It’s the most practical, most secure option for the average person!
I’ve been using LastPass for years, and I highly recommend it. I previously wrote about how LastPass solves many password problems, some of which I’ve covered here. If you’d like to consider other options, here are a few password managers:
Password managers let you control how they generate passwords. For example, LastPass lets you set the following:
- Password Length
- Easy to say (Avoid numbers and special characters)
- Easy to read (Avoid ambiguous characters like l, 1, O, and 0)
- All characters
Set your password manager to follow the guidelines we’ve walked through. Make the passwords as long, complex, and random as your accounts will accept.
If an account rejects a password, you can adjust the generated password to fit the requirements. But if you change the settings on your password generator, make sure to set it back the next time you create a password.
Here’s how I configure LastPass:
- Password Length: 20
- All characters
There will be passwords that you can’t, or don’t want to, put in your password manager. For example, the master password to your password manager. You’ll need a secure place to store those passwords. Consider a sheet of paper or a notebook that’s locked in a secure place in your house. If you have a fireproof safe, that’s a good place.
Test Your Password
Want to test the strength of a password? Password managers like LastPass will usually include a meter or rating to tell you how strong a password is. Also, there are many password tests (sometimes called password checkers or password meters) available. Some are helpful, and others are outdated or misleading. You’ll often get different results because they calculate password strength differently.
Many password meters don’t check for dictionary words and other common words, and we’ve seen that using such words in passwords significantly weaker. Look for a meter that checks for these.
Look for checkers from reputable sources. Look for ones that show how they work, so you can evaluate them.
A good password test won’t transmit what you type over the Internet (the calculations happen in your browser). But if you’re concerned, you can put in passwords that are similar to your password, rather than your actual password.
I like password checkers that are educational, explaining how they work and how to create strong passwords. I recommend using one or more of these to teach your kids how to create strong passwords.
Here are my favorites password checkers:
- Online Domain Tools’ Password Checker: Tells how long it would take to crack your password, and why. Checks if your password is one of the 10,000 most frequently used. Has an option to check for dictionary words.
- My1Login’s Password Strength Meter: Tells how long it would take to crack your password, and why. Checks for dictionary words.
- How Secure Is My Password?: Tells how long it would take to crack your password, and gives tips. Checks for dictionary words.
- GRC’s Password Haystacks: Tells how long it would take to crack your password, and why (shows search space calculations). Very educational.
- Kaspersky Password Check: Tells how long it would take to crack your password, and alerts to weaknesses.
- Rumkin.com Password Strength Test: Tells how long it would take to crack your password, and why. Checks for common passwords. Very educational.
- Unraveling the truth about the NIST’s new password guidelines (csoonline.com)
- GRC’s Password Haystacks (grc.com)
- Security Now! episode 303, “Password Haystacks” (audio and text) (grc.com)
What You Should Do
- Use a password manager. Not only will it increase your security, it will make your life easier. I like LastPass, and I listed others above.
- Make your passwords long. Longer is stronger. Use at least 15 characters. 20 or more is better.
- Make your passwords complex. Use all 4 character classes (uppercase letters, lowercase letters, numbers, and symbols).
- Make your passwords random. Avoid predictable patterns. Avoid common words. Mix numbers or special characters into the inside of the password.
- Make your passwords unique. Use a different password for every account.
- Set your password manager to make passwords long, complex, and random.
- Teach your kids how to create strong passwords, with and without a password manager. Play with a password checker to make these concepts easier to understand.