How to create strong passwords

Laptop displaying text 'Enter password' and 'Log in'.
(Image credit: mangpor2004/Shutterstock)

How many websites have you visited today that require a password? It's probably quite a few.

Do you need a password to access data or email at work? You likely do. In fact, you may have needed a password to log on to the computer you're reading this on right now.

Passwords are the front line of defense in protecting the data on your computer and in your online accounts. They keep your kids from hijacking your Twitter account and keep cybercriminals from gaining access to your bank accounts.

But because we need so many passwords today, many of us take the easy way out. We use the same password for everything, or we use very simple, easy-to-remember passwords. And that's where we can get into trouble.

The risks of weak or multiple-use passwords

"Let's say you fall for a phishing attack on Facebook," explained Boston-based digital-security expert Beth Jones. "They can see your email address and try that same password there.

"If you have sensitive information in your email, such as bank statements or credit-card statements, then the attacker can try that password to access bank accounts or credit-card accounts as well," Jones said.

"They would have several key pieces of [personal] information ... so in theory they could try the 'forgot username' on other accounts, such as Twitter, or online games," Jones said. "You can see how this snowballs quickly."

Not only should you have a unique password for each site you log into online, but, as Gunter Ollmann, founder of the Atlanta-based computer-security firm Ablative Security, pointed out, you should also avoid recycling old passwords.

"Criminals — and unethical webmasters — often try to use the passwords that have been taken from one site and use them against other sites, especially if your email address is also known to them," Ollman explained.

"Each website or application you use should have a different password, and ideally you should not use a predictable algorithm for generating them," he said. "For example, a bad practice is to use a password that contains the particular website's name or address in it."

How to create perfect passwords

So what makes a good, strong password?

"Password strength is measured by two characteristics — length and complexity," said Josh Shaul, chief executive officer of Allure Security and author of Practical Oracle Security: Your Unauthorized Guide to Relational Database Security. "In general, the longer the password, the more difficult it is to guess and the stronger it is."

Password complexity, Shaul added, means avoiding passwords that can be easily guessed.

"The easiest passwords to remember are simple words, places, dates or easy-to-type text strings," Shaul said. "Favorite sports teams, cities, names, birthdays and even strings like '12345' or 'qwerty' are very commonly used. These are all weak passwords."

Most experts agree on the basics of creating strong passwords. Here are some tips based on suggestions from the San Diego-based Identity Theft Resource Center:

  • A password should contain at least 16 characters. (When we first wrote this story, the recommendation was eight characters, but password-cracking computers have gotten better.)
  • It's best if the password has at least three of the four following types of characters — upper-case letters (ABC), lower-case letters (abc), numerals (123), and punctuation marks or other special characters (!#$%&*_=+? ).
  • Length is better than complexity. "MonitorHouseboatFibonacciRuler" is probably stronger than ";S)5uRvN+w". Long phrases may be easier to remember, but don't use one everyone knows.
  • If you're using only one capital letter or special character, don't make it the first or last character in the password. That's just too obvious.
  • Avoid common names, slang words or any words in the dictionary. Computers can run through entire dictionaries in a few minutes.
  • Don't include any part of your name or any part of your email addresses.
  • Choose an especially strong password for websites that hold especially sensitive personal information — for example, social networks, online email services, or banks and online retailers that store your credit-card information.
  • Don't ever refer to anything that can be learned from your social networking profiles or an internet search. In other words, don't make it your favorite band or movie, your pet's name, your nickname, your phone number or, especially, your birth date.

Here's a good way to create a strong password. Pick a phrase you'll remember. Take the first letter of each word and run them together into a "word." 

Capitalize some of the letters and substitute numerals where it would make sense to — but don't make the substitutions too regular or obvious.

For example, the phrase "I hate to work late on Friday evenings in the summer" could become "iH82wkl80n5r13v31NT5mm."

Or tweak that formula and don't abbreviate all the words. "This little piggy went to market, this little piggy stayed home" might become "tlpWENT2mTLp665tyH0."

Not sure, even after following those tips, whether your password is strong enough? Go to one of the many websites that will check it for you.

Can't think of a good password? There are also dozens of websites that generate them.

Should you write down your passwords?

So if we need a unique, strong password for nearly everything we do online — check multiple email accounts, use Facebook and Twitter, make comments on CNN, buy something from Amazon — then how can we remember them all? Is it okay to write them down somewhere?

Several years ago, the conventional wisdom was to never write down passwords — but that was when most of us only had a few to remember. Some experts have since changed their minds.

"With today's threat landscape being dominated by password-stealing malware, physically writing down your passwords is becoming more acceptable," Ollman said.

"The probability of someone breaking into your house and stealing your written-down passwords is considerably more remote than the 1-in-3 to 1-in-4 probability that your computer will fall to a criminal's malware," he said.

Jones sticks to the old advice — don't write them down.

"This is really not a great idea, particularly for work," Jones said. "Physical security is just as important as online security.

"Anyone walking by could see the sticky note next to your machine and then break into your accounts (especially if you use the same password for everything)," she added. "The risk is even greater if, as a user, you log into more than one location and have your password written at all those locations."

Web browsers often ask if they can remember your password for you. Is that safer than writing down your password?

"For some passwords, it may be okay to let the browser remember your password on your personal laptop or home PC," said Chris Burchett, VP of client security software at Dell.

"In general, if the information on the website that requires your password is what you consider to be public, then it may be okay to let the browser remember the password," Burchett said. 

"But be careful. Never let the browser remember passwords to banking websites or other sites where private personal identity information is used or available."

"Also be careful when using a public-kiosk computer like the ones at the airport. Never let browsers on computers you don't own store passwords," Burchett added. "In fact, it would be best not to log into any website requiring a password from a computer you don't own."

Password-management software

Instead, the experts suggest using one of the best password managers, which will store all your passwords in one place and protect them with one very strong master password — the only one you'll have to remember.

"Managing passwords is a challenge because there are so many online accounts requiring passwords these days," Burchett said. "Using a password manager to securely generate, store, rotate and supply passwords on demand may be worth considering as long as you remember to make the master password strong enough."

There are dozens of password managers, both free and inexpensive Some of the better-known ones include Web Confidential, LastPass, KeePass and its Mac/Linux sibling KeePassX. Many run on PCs, Macs, iPhones and Android phones alike, and many have browser plug-ins, so you can keep your passwords "synced" on all your devices.

Now that you've read all this, do yourself a favor this weekend. Go through all your online accounts and use these tips to create strong, unique passwords for each one, and then use a password manager to remember them all.

It'll take less time than you think. Next time a friend or relative has an email account hijacked or gets charged for dozens of iTunes songs he didn't buy, you'll be glad you did.

Sue Marquette Poremba is a security and technology writer based in Central Pennsylvania.