Password Security Tips: How To Create Secure Passwords

Like flossing, password hygiene is something that you know is good for you but would probably rather not do. However, using secure passwords for all of your online accounts is a necessity to avoid data breaches and financial losses. Fortunately, there are free tools to generate secure passwords and increase your online security.

Password Security Tips

Using the same password for multiple accounts certainly makes your logins easy to remember, but it’s not great for your digital security. Want to see if your passwords are secure? Use our password strength calculator, which tells you how long it would take a computer to crack your password. However, how do you generate a secure password in the first place?

How To Make Secure Passwords

The easiest way to generate secure passwords is to use a password manager. Personally, we use LastPass, which gives us secure passwords at the touch of a button. However, if you don’t want to generate passwords automatically with password managers, you can do it manually.

Password Do’s and Don’ts

When making a secure password, what not to do is equally important as what to do.

How To Store Passwords Securely

As with generating passwords, the easiest way to store passwords is through a password manager. A password manager, in addition to generating strong passwords, stores passwords in encrypted vaults.

If you do use a different password for each account, it’ll be hard (if not impossible) to remember them all. But with a password manager, instead of remembering each and every password, you’ll either enter a master password or use biometrics.

For example, we use Touch ID to unlock accounts when we’re on our iPhones, which is so much quicker and easier than typing in passwords manually, not to mention safer.

However, again, not everyone wants to deal with the hassle of importing passwords into a password manager and paying for yet another subscription. If that’s how you feel, you can store your passwords in one of two ways.

• On a physical list: Remember pens and paper? Unlike a Google Doc, paper lists cannot be hacked. However, they can be stolen, so be sure to lock up this notepad where thieves can’t find it, ideally in a hidden safe.
• In an encrypted document: You can use encrypted storage or word processors to store your passwords. They should also be password-protected with advanced authentication, if available.

How To Share Passwords Securely

Not to repeat ourselves, but the easiest way to share passwords securely is — you guessed it — through a password manager. The software will encrypt your data in transit and make sure it gets to the recipient safely.

Of course, there are ways to share passwords securely without using a password manager. If you’re talking to someone in person, you can just share it verbally (ideally whispering if there are other people around). You can also write it down on a piece of paper and then cross it out or shred it before throwing it out.

If you’re sharing a password remotely, you can use an encrypted messaging app like Signal, Telegram, or WhatsApp.1 But whatever you do, don’t email it, text it, or send it over Slack, as these platforms lack end-to-end encryption.

How Often To Change Passwords

How often you should change your passwords is a somewhat controversial topic among security experts, but according to the popular password manager Keeper, you don’t need to change them regularly, assuming they’re strong. In fact, you should change your passwords only after one of the following events:

• Data breach: If your credentials have been part of a data breach, change the passwords of the affected accounts ASAP.
• Unauthorized access: The same thing goes if someone has taken over any of your accounts. Learn how to deal with account takeover in general.
• Malware or phishing attack: Change your password right away if you think you’ve been the victim of malware or phishing.2

Adding Authentication

Account security goes beyond passwords. To make your accounts even harder to track, add on two- or multi-factor authentication. What’s the difference?

• Two-factor authentication sends a passcode to your mobile device.
• Multi-factor authentication requires biometrics like fingerprint or facial recognition.

Even if a hacker obtains your username and password, if the account uses a form of advanced authentication, they still won’t be able to access your account. We recommend using authentication whenever it’s available, although it does add an extra step to logging on to your accounts.

Stolen Passwords

People have a variety of reasons for stealing passwords, from identity theft to obtaining credit card numbers. But how do they get other people’s passwords in the first place?

How Passwords Are Stolen

There are a few different ways that thieves can steal passwords. These are the most common:

• Phishing: Phishing is when a thief creates a legitimate-looking website that has users log in, handing over their credentials through social engineering. It usually happens over email, although phishing can also occur over texts, phone calls, and other forms of communication.
• Data breaches: Data breaches reveal the login information of potentially millions of people. Hackers then buy and sell this information on the dark web.
• Credential stuffing: Sometimes, stealing passwords isn’t so simple, so thieves need to use “dumps” of data from breaches to test username and password combinations. Of course, the savvy thieves don’t do this process manually; they use bots, automating the process of password theft.
• Password spraying: Similarly, if the hacker knows the user’s email, they can use bots to test it with known passwords.
• Brute-force attacks: A less sophisticated method, a brute-force attack simply means that someone guesses passwords until they stumble upon the right one.
• Dictionary attacks: These are similar to brute-force attacks but use the dictionary to guess words that may be your password.3
• Lost or stolen devices or password lists: Forgot to set up a passcode for your iPhone? If you lose it and have an unencrypted list of your usernames and passwords, you could be in trouble.
• Malware: There’s a variety of malware, from spyware to ransomware, that steals users’ credentials,4 which is why it’s always good to use antivirus software.

Has My Password Been Stolen?

Not sure if your password has been stolen or not? The antivirus software company Avast has a free tool on its website to help you find out. This database of stolen credentials can tell you whether your email address has been breached, which is a common way that hackers steal account credentials.5

Common Passwords

When it comes to passwords, you don’t want to blend in with the crowd. Our research on password habits in the U.S. found that 1 in 5 people use curse words in their passwords, and only 15 percent of people use password generators. Take a look at the words U.S. adults use in their passwords the most:

More Digital Security Tips

Digital security doesn’t end with password management. There are a few other tools you can use to prevent your accounts from being taken over, or at least decrease your risk.

• Use VPNs. VPNs hide your browsing history along with your IP address. Since VPNs encrypt your web traffic, no one will see your usernames or passwords, even if they’re on the same public Wi-Fi network. Learn more in our VPN guide.
  

  

• Use antivirus software. We’ve said it before and we’ll say it again: Using antivirus to stop hackers is incredibly effective, as it blocks malware, ransomware, spyware, and other cyberattacks that steal passwords. However, not everyone needs antivirus; it depends on what type of device you have. Find out whether you need antivirus software.
• Use identity theft protection. Finally, we like to have a backup plan for the worst-case scenario — someone stealing our passwords and then our identities. Identity theft protection services will check if your identity has been stolen, and if it has been, they’ll help you report fraud.

Recap

The truth is that managing your passwords can be as easy or as complicated as you want it to be. However, if you have a system in place, whether that’s a password manager or a sheet of paper that you keep locked in a safe, then generating, storing, and sharing your passwords securely will become instinctual.