Password Security Tips: How To Create Secure Passwords
Still using the same password for all of your online accounts? You may be in trouble.
Like flossing, password hygiene is something that you know is good for you but would probably rather not do. However, using secure passwords for all of your online accounts is a necessity to avoid data breaches and financial losses. Fortunately, there are free tools to generate secure passwords and increase your online security.
Password Security Tips
Using the same password for multiple accounts certainly makes your logins easy to remember, but it’s not great for your digital security. Want to see if your passwords are secure? Use our password strength calculator, which tells you how long it would take a computer to crack your password. However, how do you generate a secure password in the first place?
How To Make Secure Passwords
The easiest way to generate secure passwords is to use a password manager. Personally, we use LastPass, which gives us secure passwords at the touch of a button. However, if you don’t want to generate passwords automatically with password managers, you can do it manually.
Password Do’s and Don’ts
When making a secure password, what not to do is equally important as what to do.
- Use a mix of letters, numbers, and special characters.
- Use unique passwords (slight variations do not count!) for every account, from your bank to social media.
- Close your eyes and type.
- Use 16 to 20 characters (or more if you want).
- Use the same (or very similar) passwords for multiple online accounts.
- Use consecutive or repeated letters or numbers.
- Use your personally identifiable information (PII) in your passwords.
- Use the word “password.”
NOTE: PII includes your full name, address, and phone number. You shouldn’t include this data or any other PII in your passwords.
How To Store Passwords Securely
As with generating passwords, the easiest way to store passwords is through a password manager. A password manager, in addition to generating strong passwords, stores passwords in encrypted vaults.
If you do use a different password for each account, it’ll be hard (if not impossible) to remember them all. But with a password manager, instead of remembering each and every password, you’ll either enter a master password or use biometrics.
For example, we use Touch ID to unlock accounts when we’re on our iPhones, which is so much quicker and easier than typing in passwords manually, not to mention safer.
However, again, not everyone wants to deal with the hassle of importing passwords into a password manager and paying for yet another subscription. If that’s how you feel, you can store your passwords in one of two ways.
- On a physical list: Remember pens and paper? Unlike a Google Doc, paper lists cannot be hacked. However, they can be stolen, so be sure to lock up this notepad where thieves can’t find it, ideally in a hidden safe.
- In an encrypted document: You can use encrypted storage or word processors to store your passwords. They should also be password-protected with advanced authentication, if available.
How To Share Passwords Securely
Not to repeat ourselves, but the easiest way to share passwords securely is — you guessed it — through a password manager. The software will encrypt your data in transit and make sure it gets to the recipient safely.
Of course, there are ways to share passwords securely without using a password manager. If you’re talking to someone in person, you can just share it verbally (ideally whispering if there are other people around). You can also write it down on a piece of paper and then cross it out or shred it before throwing it out.
If you’re sharing a password remotely, you can use an encrypted messaging app like Signal, Telegram, or WhatsApp.1 But whatever you do, don’t email it, text it, or send it over Slack, as these platforms lack end-to-end encryption.
How Often To Change Passwords
How often you should change your passwords is a somewhat controversial topic among security experts, but according to the popular password manager Keeper, you don’t need to change them regularly, assuming they’re strong. In fact, you should change your passwords only after one of the following events:
- Data breach: If your credentials have been part of a data breach, change the passwords of the affected accounts ASAP.
- Unauthorized access: The same thing goes if someone has taken over any of your accounts. Learn how to deal with account takeover in general.
- Malware or phishing attack: Change your password right away if you think you’ve been the victim of malware or phishing.2
Account security goes beyond passwords. To make your accounts even harder to track, add on two- or multi-factor authentication. What’s the difference?
- Two-factor authentication sends a passcode to your mobile device.
- Multi-factor authentication requires biometrics like fingerprint or facial recognition.
Even if a hacker obtains your username and password, if the account uses a form of advanced authentication, they still won’t be able to access your account. We recommend using authentication whenever it’s available, although it does add an extra step to logging on to your accounts.
People have a variety of reasons for stealing passwords, from identity theft to obtaining credit card numbers. But how do they get other people’s passwords in the first place?
How Passwords Are Stolen
There are a few different ways that thieves can steal passwords. These are the most common:
- Phishing: Phishing is when a thief creates a legitimate-looking website that has users log in, handing over their credentials through social engineering. It usually happens over email, although phishing can also occur over texts, phone calls, and other forms of communication.
- Data breaches: Data breaches reveal the login information of potentially millions of people. Hackers then buy and sell this information on the dark web.
- Credential stuffing: Sometimes, stealing passwords isn’t so simple, so thieves need to use “dumps” of data from breaches to test username and password combinations. Of course, the savvy thieves don’t do this process manually; they use bots, automating the process of password theft.
- Password spraying: Similarly, if the hacker knows the user’s email, they can use bots to test it with known passwords.
- Brute-force attacks: A less sophisticated method, a brute-force attack simply means that someone guesses passwords until they stumble upon the right one.
- Dictionary attacks: These are similar to brute-force attacks but use the dictionary to guess words that may be your password.3
- Lost or stolen devices or password lists: Forgot to set up a passcode for your iPhone? If you lose it and have an unencrypted list of your usernames and passwords, you could be in trouble.
- Malware: There’s a variety of malware, from spyware to ransomware, that steals users’ credentials,4 which is why it’s always good to use antivirus software.
DID YOU KNOW: 82 percent of U.S. adults say they have antivirus software for personal use, according to our research on the personal antivirus market.
Has My Password Been Stolen?
Not sure if your password has been stolen or not? The antivirus software company Avast has a free tool on its website to help you find out. This database of stolen credentials can tell you whether your email address has been breached, which is a common way that hackers steal account credentials.5
When it comes to passwords, you don’t want to blend in with the crowd. Our research on password habits in the U.S. found that 1 in 5 people use curse words in their passwords, and only 15 percent of people use password generators. Take a look at the words U.S. adults use in their passwords the most:
|What do U.S. adults include in their passwords?||Responses|
|I use a password generator||15%|
|None of the given options||13%|
|Series of keys on keyboard||8%|
|Name of site password is for||6%|
More Digital Security Tips
Digital security doesn’t end with password management. There are a few other tools you can use to prevent your accounts from being taken over, or at least decrease your risk.
- Use VPNs. VPNs hide your browsing history along with your IP address. Since VPNs encrypt your web traffic, no one will see your usernames or passwords, even if they’re on the same public Wi-Fi network. Learn more in our VPN guide.
- Use antivirus software. We’ve said it before and we’ll say it again: Using antivirus to stop hackers is incredibly effective, as it blocks malware, ransomware, spyware, and other cyberattacks that steal passwords. However, not everyone needs antivirus; it depends on what type of device you have. Find out whether you need antivirus software.
- Use identity theft protection. Finally, we like to have a backup plan for the worst-case scenario — someone stealing our passwords and then our identities. Identity theft protection services will check if your identity has been stolen, and if it has been, they’ll help you report fraud.
The truth is that managing your passwords can be as easy or as complicated as you want it to be. However, if you have a system in place, whether that’s a password manager or a sheet of paper that you keep locked in a safe, then generating, storing, and sharing your passwords securely will become instinctual.
Password hygiene is a huge topic that pretty much everyone on the internet is interested in to some extent, so naturally, we get many questions about it.
What is an example of a strong password?
An example of a strong password is “Q!OtIM@A6i6q5G$KSPvFd@I.” It is over 20 characters and uses a combination of lowercase and uppercase letters, numbers, and symbols, with no repeated characters or recognizable words or phrases.
What are the do’s and don’ts of password security?
Here are the do’s and don’ts of password security.
Who We’d recommend
- Do use a combination of letters, numbers, and characters.
- Do use a different password for each account.
- Do use 16 to 20 characters per password.
Who We Wouldn’t Recommend
- Don’t reuse the same password for multiple accounts.
- Don’t include personal information, common phrases, or common words in your password.
- Don’t repeat characters.
- Don’t use the word “password” as your password.
What are the requirements of strong passwords?
These are the requirements of strong passwords:
- 16 to 20 characters long
- Symbols present
- Letters present
- Both uppercase and lowercase letters used
- Numbers present
- No repeated characters
- No common words or phrases
- No personal information
- No repeats of the same or similar passwords for multiple accounts
What are the top five most common passwords?
According to our research on America’s password habits, these are the five most common passwords:
Words most commonly used in passwords Responses Curse word 20% Birth year 16% Pet’s name 16% “Covid” 14% “Trump” 12%
AVG. (2021). The Very Best Encrypted Messaging Apps.
Keeper Security. (2021). How Often Should You Change Your Passwords?
NordPass. (2020). Learning Password Security Jargon: Dictionary Attack.
LastPass. (2021). How Do Hackers Get Passwords?
Avast. (2020). Has my password been stolen?.