Tip: Use a trustworthy password strength checker tool like the one provided by security.org to see how long it would take a computer to crack your password for an approximation of its strength.
Even as innovative new login methods like fingerprint scanning and face recognition grow in popularity, passwords are still on the frontline of account security. Knowing what a good password looks like and how to create one is arguably the single most important element of personal cybersecurity.
We’ve put together a complete guide to password security so you can rest assured that your online accounts — and digital identity — are as safe as possible.
How to create a strong password
A strong password should be 15+ characters long, unique, appropriately random, and entirely disconnected from your personal identity. These attributes make it harder for cybercriminals to guess or crack your password using hacking software.
An automatic password generator, often built into password manager tools, can help you create strong, secure passwords. Or, if you prefer to create your own, follow these simple guidelines:
- Aim for 15 or more characters: It’s generally accepted that a longer password is better, because longer passwords are usually harder to crack. Follow advice from the National Institute of Standards and Technology (NIST) and aim to create passwords containing 15+ characters (eight characters is the absolute minimum).
- Avoid using personal information: Including personal information like your birthday or surname in your password increases your vulnerability to hacking, as these details may be publicly available.
- Use random words, phrases, or characters: The more apparently random your password is, the less likely it is to be guessed. Using meaningless or obscure sequences of letters, numbers, and punctuation can make your passwords more random. Just make sure that you can remember them.
- Make it unique: Using the same password across multiple accounts is one of the biggest dangers to your digital security, as one account being compromised could leave others vulnerable. Ensure each of your online accounts has a unique password for maximum security.


Remember, you don’t have to make your passwords overly complicated to meet these criteria. While a complex password like 6i^w1Jk1vp%/ is very strong, it’s also hard to remember. A password like CoolBroken%Centauri75 is also difficult for hackers to guess or crack, but much easier for you to recall.
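The guidelines above, as an added example that is not part of the original article: a Python sketch that checks a candidate password against the four criteria and builds a random passphrase with a cryptographically secure generator. The function names and the small word list are assumptions made for illustration.

```python
import math
import secrets

# The ten most common passwords listed later in this article (OWASP list).
COMMON = {"123456", "password", "12345678", "qwerty", "123456789",
          "12345", "1234", "111111", "1234567", "dragon"}

# Constructed mini word list for illustration only (an assumption); a real
# generator should draw from a list of several thousand words.
WORDS = ["cool", "broken", "centauri", "penguin", "ferrari", "climbing",
         "marble", "lantern", "orbit", "velvet", "harbor", "thistle",
         "copper", "meadow", "quartz", "saddle"]

def check_password(candidate, personal_info=(), used_elsewhere=()):
    """Return a list of guideline violations; an empty list means it passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than the 8-character absolute minimum")
    elif len(candidate) < 15:
        problems.append("shorter than the recommended 15 characters")
    if lowered in COMMON:
        problems.append("appears on the common-password list")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    if candidate in used_elsewhere:
        problems.append("already used for another account")
    return problems

def generate_passphrase(n_words=4, wordlist=WORDS):
    """Join words picked with a CSPRNG, then append two digits and a symbol."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    suffix = f"{secrets.randbelow(100):02d}{secrets.choice('!#$%&*?')}"
    return "".join(words) + suffix

def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of the word portion only: n_words * log2(wordlist_size)."""
    return n_words * math.log2(wordlist_size)
```

With only 16 words, four random picks give just 16 bits of entropy, which is why the word list must be large for the passphrase approach to hold up.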
Strong password examples
While you should always use unique passwords that you come up with yourself or get from a password generator, seeing examples of strong passwords can help you understand how to create them.
Here are some strong password examples and an estimate of how long it would take to crack them according to security.org, highlighting how different approaches to creating passwords can yield secure results.
Randomly generated passwords:
Password | Time to crack |
---|---|
572YdaUQqaGxwP | 9 million years |
losITyLeGaTrOAca | 2 billion years |
neOJ£^Hh-=653>~l1 | 3 quadrillion years |
Human-generated passwords:
Password | Time to crack |
---|---|
SneakyPenguin7$ | 15 billion years |
GreenFerrariFast88# | 500 quadrillion years |
ClimbingOverEvery | 4 undecillion years |
Weak password examples
You only have to look at examples of the most common passwords to see what a weak password looks like. They’re generally short, generic, and predictable.
Here’s a table showing 10 of the most common passwords, according to the Open Worldwide Application Security Project (OWASP), and how long it would take to crack them, according to Security.org.
Password | Time to crack |
---|---|
123456 | Instantly |
password | Instantly |
12345678 | Instantly |
qwerty | Instantly |
123456789 | Instantly |
12345 | Instantly |
1234 | Instantly |
111111 | Instantly |
1234567 | Instantly |
dragon | Instantly |
Tip: Search the list of the 10,000 most common passwords to make sure yours don’t appear. If they do, your accounts may be vulnerable to hackers using brute force, password spraying, or credential stuffing attacks.
How to remember strong passwords
More secure passwords are naturally harder to remember, but you can strike a balance by using the following techniques to make them both strong and memorable:
- Use a passphrase: Sequences of words that may appear random but have some meaning to you may be easier to remember than traditional secure passwords made up of a completely random string of letters, numbers, and symbols.
- Modify words you remember: Repurpose song lyrics, a line from a poem, or a movie quote as a secure password, adding symbols and numbers for extra security. Just make sure it isn’t something obvious to people who know you well.
- Use a password manager: Password managers can securely store hundreds of unique passwords, along with other login information like email addresses, usernames, or PINs, meaning you can safely use strong and unique passwords across all your accounts without having to memorize them.
5 more password security tips
Creating a strong password is a great first step to protecting your online accounts and digital identity from scammers, fraudsters, and hackers. But there’s more to password security than creating uncrackable passwords.
Follow these five additional security tips to keep your online accounts safer:
Never reuse passwords
You should use a unique password for every online account you create, with no exceptions. Otherwise, a single data breach or hacking incident could leave multiple accounts vulnerable to account takeovers, compromising your digital security and privacy.
Use a password manager
Strong passwords are essential for digital security, but remembering dozens or even hundreds of them is nearly impossible. A password manager offers a secure, convenient way to store and access your passwords across all your devices, allowing you to follow best practices for password security without the burden of memorizing complex or random combinations.
Don’t share your passwords
Strong passwords protect your accounts, but it’s your responsibility to protect your passwords. You should avoid sharing them with anyone, including trusted friends and family members, to minimize the risk of leaks. Never send passwords using unsecured channels like email, as they’re at risk of being intercepted.
Password privacy will help you avoid phishing schemes, where cybercriminals impersonate trusted individuals or companies and use social engineering tactics to get you to reveal your password.
Enable two-factor authentication
It doesn’t matter how strong your passwords are; if they’re leaked following a data breach, your account may be at risk of hacking. Two-factor authentication (2FA), or multi-factor authentication (MFA), can minimize this vulnerability by providing an additional layer of security.
With 2FA or MFA enabled, you’ll need to confirm login attempts are legitimate by providing a code that’s sent to your phone number, email address, or authentication app. That step will stop hackers in their tracks, even if they somehow get access to your password.
Update compromised passwords immediately
If you know or suspect that one of your passwords has been compromised, whether you accidentally revealed it to a fraudster or got a notification about a data breach involving your data, change it immediately to protect your account.
However, you don’t need to change your passwords regularly if you haven’t been alerted to a threat. NIST guidance states that changing passwords regularly may actually harm, rather than help, password security.
How do hackers steal passwords?
Hackers use a variety of techniques to steal passwords, including targeting user data stored by businesses through data breaches, launching phishing attacks, or using malware to track keystrokes. They can also use brute force approaches like password spraying, credential stuffing, or dictionary attacks to try and get access to your accounts.
Here’s a more detailed look at some of the biggest risks to your password security:
Data breaches
Data breaches happen when hackers get access to business databases and steal user data in bulk. Along with sensitive or personally identifiable information, like Social Security numbers (SSNs), data breaches can reveal users’ passwords.
The hackers may then use these passwords, combined with email addresses or usernames also leaked in the breach, to try and get access to accounts on other websites. Alternatively, they can sell them to other cybercriminals on the dark web.
Protection tip: Sign up for an identity theft protection service with dark web monitoring, like LifeLock Standard, so that you can act quickly to secure your accounts if you receive a notification that your data has leaked.
Phishing scams
Phishing is a type of social engineering attack that involves fraudsters tricking victims into giving up sensitive or personally identifiable information. Cybercriminals may target you by posing as a customer service or technical support agent on social media, claiming you need to send them your password to resolve an issue.
Alternatively, fraudsters may pose as a legitimate company and send an email or text message with a malicious link to a spoofed website. This fake site often includes a form or login prompt designed to steal your credentials. If you interact with it, you could unknowingly expose your username and password.
Protection tip: Always be cautious of messages, emails, or texts requesting your password, even if they seem legitimate. Contact the company directly using a verified channel to investigate whether the request is legitimate before sharing anything.
Password spraying
Password spraying is a hacking technique cybercriminals use to guess their victims’ passwords. It involves using trial and error to test a list of common passwords pulled from a public database, combined with a known username or email address.
It’s often supported by password spraying bots — automated tools that systematically work through a huge list of potential passwords to find a match and grant the hacker access to the targeted account.
Protection tip: Avoid using passwords that appear on any “common password” lists at all costs. Follow our guidance to create strong passwords that would take a computer a long time to crack.
Credential stuffing attacks
Credential stuffing is similar to password spraying but uses leaked passwords to target accounts instead of public lists of common passwords. If one of your passwords has ever been compromised in a data breach, a credential stuffer might try it across a range of other accounts, hoping you’ve reused it elsewhere.
Protection tip: Make sure to use a unique password for each of your online accounts to prevent credential stuffing attacks. If one of your passwords is compromised in a data breach, change it immediately to protect that account.
Dictionary attacks
Dictionary attacks are a type of brute force cyberattack in which hackers use automated bots to systematically test passwords made up of common words found in the dictionary. Unlike password spraying, which relies on trying a few common passwords across many accounts, dictionary attacks focus on guessing one account’s password by cycling through potential word-based combinations.
Protection tip: Using a random string of characters instead of a word-based passphrase can protect you against dictionary attacks. But you can also use a more memorable passphrase with several special characters or numbers to boost your password security.
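The difference between password spraying and a dictionary attack shows up in the shape of failed logins, which is how a service operator can tell them apart. The following is an added example, not part of the original article; the event data is constructed and the thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict

# Constructed failed-login events as (source_ip, username) pairs.
FAILED_LOGINS = (
    [("203.0.113.5", f"user{i}") for i in range(12)] * 2   # 12 accounts, 2 tries each
    + [("198.51.100.7", "alice")] * 40                      # 1 account, 40 tries
    + [("192.0.2.10", "bob")] * 2                           # an ordinary typo
)

def classify_sources(events, min_accounts=10, max_per_account=3, min_guesses=20):
    """Label each source by the shape of its failed logins.

    Thresholds are illustrative assumptions, not values from the article.
    """
    attempts = defaultdict(Counter)   # source -> Counter of username -> failures
    for source, user in events:
        attempts[source][user] += 1
    verdicts = {}
    for source, per_user in attempts.items():
        heaviest = max(per_user.values())
        # Many accounts, few guesses on each: spraying.
        if len(per_user) >= min_accounts and heaviest <= max_per_account:
            verdicts[source] = "password spraying"
        # Many guesses against a single account: dictionary attack.
        elif heaviest >= min_guesses:
            verdicts[source] = "dictionary attack"
        else:
            verdicts[source] = "no pattern"
    return verdicts
```

Per-account lockouts catch the dictionary pattern but not spraying, since each sprayed account sees only a couple of failures; that is why the count of distinct accounts per source matters.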
Keylogging
Keylogging involves hackers installing malware on your device to log your keystrokes as you type and transmit the data back to them. If you’ve logged in to an online account with a keylogger installed on your device, a hacker may be able to see your username and password.
Malware, including keyloggers, can come from a variety of sources. It may be downloaded and installed on your device automatically if you click a suspicious link in a phishing message, or it may be hidden in the code of a legitimate program that’s been compromised.
Protection tip: Following cybersecurity best practices, like not clicking links you don’t recognize or that come from untrusted sources, can keep your devices malware-free. For added security, use antivirus software to regularly scan for and remove malware.
Why is password security important?
Password security is essential because it serves as the first line of defense against unauthorized access to your personal and financial information. By following strong password practices, you can better protect your online accounts and reduce the risk of identity theft or financial fraud.
Research by security.org shows that more than two in three Americans use the same passwords across multiple accounts, and over 35% share their passwords with other people. These bad habits leave users vulnerable to hacking, with almost 40% of people surveyed saying at least one of their passwords had been guessed or cracked by a hacker.
Unfortunately, a compromised account is rarely an isolated problem. A hacker who can access one of your accounts can scrounge information that may help them hack another, and the cycle can continue until your entire digital identity is at risk.
And, if your digital identity is at risk, so is your real life. A hacker’s end goal could be to steal funds from your online bank account, scam your friends using your social media account, or steal your identity to commit fraud in your name.
Protect your identity online
Taking password security seriously by creating strong, unique passwords for all of your accounts can help protect you against hacking. Join LifeLock Standard for an extra layer of protection that includes dark web monitoring and identity alerts that notify you of potentially fraudulent activity linked to your credentials or accounts.
FAQs
What is password security?
Password security is the practice of creating, managing, and protecting strong passwords that keep your online accounts safer. It’s a critical component of cybersecurity, helping prevent hackers, fraudsters, and scammers from getting access to your accounts and the information they contain.
How do I make my password secure?
You can make your password secure by ensuring it’s 15+ characters long, made up of random sequences of words or letters, unique to the account you’re creating it for, and free from personal information like your birthday or pet’s name.
What are the most common passwords?
According to the OWASP, the most common passwords include “123456,” “password,” “qwerty,” “111111,” and “dragon.” Aside from being generic and easily guessable by hackers, these passwords also don’t follow strong password guidance.
How do hackers get your password?
Hackers employ various techniques to gain access to your password, such as phishing, social engineering attacks, or installing malware that tracks your keystrokes. They may also acquire your password if it’s leaked in a data breach or exposed on the dark web.
Does changing your password stop hackers?
Changing your password as soon as you discover a cybercriminal has access to it might help prevent them from getting access to your account. You can also enable 2FA or MFA on the vulnerable account to add an extra layer of security.
Can a password be attacked by brute force?
Yes, passwords can be cracked using brute force attacks that involve using trial and error to guess a password. These attacks are often carried out using automated tools that systematically try different passwords, either randomly or by pulling from a list of common passwords.
Editor’s note: Our articles provide educational information. LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about.
Copyright © 2025 Gen Digital Inc. All rights reserved. All trademarks, service marks, and tradenames (collectively, the "Marks") are trademarks or registered trademarks of Gen Digital Inc. or its affiliates ("Gen") or other respective owners that have granted Gen the right to use such Marks. For a list of Gen Marks please see GenDigital.com/trademarks.