Password Security Best Practices: How to Create a Strong Password

What’s “dadada”? Not just the title of the German band Trio’s biggest hit, those six letters were also Facebook founder Mark Zuckerberg’s password for his LinkedIn, Twitter, and Pinterest accounts.

We know this because Zuckerberg was among the 167 million LinkedIn users whose passwords were harvested in LinkedIn’s security breach.

Even though it happened in 2012, LinkedIn’s breach has been making headlines recently. That’s because back when the attack occurred, the business-focused social network thought that only 6.5 million users were affected.

However, just last week, reports emerged that an additional 161 million member passwords were stolen—117 million of which were paired with an email address.

Passwords are a significant commodity that are traded in the darkest corners of the internet because many people, including Zuckerberg, use the same password for multiple accounts. When paired with an email address, this can give a hacker access to your personal email, Facebook, financial information and more.

How Do Passwords Get Hacked? 

There are multiple ways that hackers attack your passwords, including:

  • Guessing attacks, in which a hacker takes information they’ve learned about you, usually from your social media accounts, and makes an educated guess at what your password might be. For example, if both your Facebook profile picture and cover photo referenced your favorite sports team, a hacker would likely try combinations of words related to that team.
  • Dictionary attacks are exactly what they sound like—when someone takes a dictionary of words, and tries them against your account to see if any get them in. (We’ll explain how shortly.)
  • Brute force attacks try every possible combination of alphanumeric characters against your password. This method isn’t fast. However, software programs automate the process and allow a determined individual to crack even your not-so-obvious passwords.

With so many hackers skilled at the art of exploitation, ensuring that your online life is secure means paying attention to some specific dos and don’ts—especially when it comes to your email.

That’s right, not your financial accounts, but your email.

Why are we suggesting that your email password security should be a top priority? This article by Quincy Larson at Free Code Camp does a fantastic job illustrating exactly why email is important, but here are the basics.

When you visit almost any account and click “I forgot my password,” you’ll be sent an email containing a link that allows you to visit the site already logged in, then come up with a new password.

Called “passwordless login,” it means that anyone who can access your email can take a peek at your inbox, assess where you have accounts, and follow just a few steps to gain access.

While Free Code Camp is one of several websites that have decided to ditch passwords altogether and, instead, email users a link when a new device is recognized, it’s a trend that’s yet to really catch on. Since you’re still stuck making up secret codes, next we’ll share what not to do.

What Are Common Password Mistakes?

Passwords are our weakest link when it comes to protecting our online data. That’s because most people are pretty darn bad at coming up with a good password.

Just how weak is the average password? When security experts looked at the list of 167 million leaked LinkedIn passwords, they found that the most popular password was “password” and the second was “123456.” The latter is such a bad password that it was the butt of a Mel Brooks joke in 1987’s “Spaceballs.”

“That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!”

Three decades later, people are still using it—“123456” was also found to be the most common Twitter password in the recent 32 million accounts that were leaked.

Before we share with you how to make the most secure password possible, here are a few common mistakes that security experts say make it much easier to compromise your account:

1. Stop using real words as a password. 

Remember that dictionary attack we mentioned above? This isn’t done with a paperback Webster, but with a word list fed into a password-cracking tool that will run through the entire dictionary in a short period of time.

These programs don’t just catalog the English language, either, but will scan for words in Spanish, French, Dutch, Finnish—pretty much any language known to man, including Klingon and the names of your favorite fictional characters. This means that no matter how obscure the word, there’s software that can identify it.

2. Don’t think that “@” or “$” will thwart a hacker.

Do you use a real word for your password, but swap some of the letters for special symbols? Common swaps include using an “@” for the letter “a,” a “$” for the letter “s,” a “0” for an “O,” or a “3” for an “E.”

However, it turns out that doing so isn’t security savvy after all. According to Microsoft Certified Trainer Dale Meredith, so many people use this trick that doing so is actually a detriment to your password’s strength, and should never be relied upon to disguise a real word.

3. Make your security answers less obvious.

Password security doesn’t end at your password, but also includes the security questions associated with your account. One well-known security breach that led to hundreds of celebrity pictures being leaked last year was accomplished by hackers who hit the “I can’t remember my password” button.

And, while it might be much easier to find out informative details about a celebrity, the answers to questions such as your pet’s name, the street you grew up on, and the model of your first car can likely be found online as well.

How to Make the Strongest Possible Password?

According to Dale Meredith, it’s all about the length. When you’re trying to come up with the best possible password to secure your accounts, longer equals stronger.

How long is up to you, but Meredith recommends exceeding fourteen characters in length.

The significance of fourteen comes from one of the earliest methods used to store, or “hash,” passwords, called LM hash, in which passwords under fourteen characters were particularly easy to attack. The vulnerability was due to two factors: passwords were split into two seven-character halves that were hashed separately, meaning that once one half was cracked, the same method could be applied to the second, and all letters were converted to uppercase.

To keep your head from spinning, we’ll skim past a more in-depth look at how passwords are cracked. All you need to remember is that fourteen isn’t an arbitrary number. Instead, it’s the shortest length any secure password should have.

The Trick to Remembering Really Long (and Secure) Passwords

Before you start to fret about creating nonsensical fourteen-plus character passwords to thwart an attack, know that there’s an easier way. The trick is to disguise your password by sandwiching it between a few characters that we use every day and thus won’t forget.

To learn what those characters are, look no further than the URL of any website, where you’ll see a “www.” before any given word or phrase, followed by a “.com.”

How does this apply to your next password? According to Meredith, the password “ilovebatman” can be cracked by software in less than one second. However, change that password to “” and the same program would take several lifetimes to decode the nineteen-character phrase.

Granted, this method still uses real words and, should it become popular, will be rendered as ineffective as that “@” symbol. However, when creating a password for secondary accounts, sandwiching words in a URL format is an easy way to remember any phrase while adding length.
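To show how a site could enforce the advice above on its own sign-up form (the fourteen-character minimum, no dictionary words or combinations of words, no reliance on “@”/“$”/“0”/“3” swaps, and the caveat that a “www.…com” sandwich still wraps real words), here is an added example written for this article, not code from the page or from any of the experts quoted; the word list, common-password list and candidate passwords are constructed stand-ins for the far larger lists real cracking tools carry.

```python
import re

# Constructed stand-ins for the cracking dictionaries and leaked-password
# lists the article describes; real tools carry millions of entries.
WORDLIST = {"i", "love", "batman", "password", "dragon", "welcome"}
COMMON_PASSWORDS = {"password", "123456", "dadada"}

# The letter-for-symbol swaps the article says crackers already try.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

# The "www.<word>.com" sandwich from the article; strip it before checking.
URL_SANDWICH = re.compile(r"^(?:www\.)?(.*?)(?:\.com)?$", re.IGNORECASE)


def normalize(password):
    """Undo the disguises discussed in the article: URL sandwich, case, symbol swaps."""
    core = URL_SANDWICH.match(password).group(1)
    return core.lower().translate(LEET)


def is_word_combination(text, words=WORDLIST):
    """True if text splits entirely into dictionary words ('ilovebatman' -> i/love/batman)."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)  # reachable[k]: text[:k] segments cleanly
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in words
                             for start in range(end))
    return reachable[-1]


def check_password(password, min_length=14):
    """Return the policy violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if is_word_combination(core):
        problems.append("dictionary word(s) once symbol swaps and URL sandwich are undone")
    return problems


if __name__ == "__main__":
    # Constructed candidates: Zuckerberg's leaked password, a leet-disguised word,
    # the article's sandwich trick, and a long random string that passes.
    for candidate in ["dadada", "P@$$w0rd", "www.ilovebatman.com", "x7#Qm9!vL2@pR4wZ"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

Note that the sandwiched “www.ilovebatman.com” satisfies the length rule but is still rejected, because the wrapper is stripped and the remainder segments into three dictionary words.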

What about creating and remembering passwords consisting of random characters? Greg Kelley, a digital forensic expert, suggests that you use a random character generator, like this one, to create strong passwords before storing them in a password management application.

However, even using a password management tool requires that you remember one master password. While most of the experts we spoke with advised against writing one down, Bill Horne of Telecom Digest says that it’s okay to do so:

“It's OK to write passwords down and put them in your safe at home. After all, most attacks are from places thousands of miles away, and it's unlikely that you know any nuclear launch codes or the Swiss bank account numbers of the Republican leadership.”

For the other passwords? Horne recommends the free management tool Password Safe, which will generate and encrypt passwords for all of your accounts.

What Are Other Ways to Be Smarter About Password Security?

Longer is stronger when it comes to creating a password that will secure your online accounts, but that’s not the only security consideration. Here are our top password tips:

Password Tip #1: Use different passwords for each of your accounts. 

Using different passwords for each of your accounts is the number-one suggestion for best password practices from security experts. The reason, of course, is that if one account is compromised, you don’t have to worry about your other accounts as well.

We understand that you can only remember so many passwords. Even with applications like 1Password to help you organize and remember multiple secret codes, it’s unlikely that you’ll create a new, elaborate password for each new website that demands you create an account.

While we might not be able to convince you to make a different fourteen-plus character password for every log-in, experts suggest that you should be extra vigilant not to use generic or duplicate passwords for your business and financial accounts.

Password Tip #2: Rotate your passwords every couple months.

Meredith recommends changing your passwords every 30 days. But, let’s be realistic—you’re probably not going to change the password to the account at your favorite online retailer every four weeks.

However, you should change those at least every three months. That’s because, according to Ruben van Vreeland, a security expert and co-founder of BitSensor, it normally takes companies at least nine months to detect that they’ve been hacked.

This means it could be almost an entire year before Lowe’s, Sears, or LinkedIn lets you know that your password is no longer secure. And, since those retail accounts generally save your credit card information and address for convenient shopping, you want to take steps that minimize the time someone could be accessing your account.

Want to take every step possible to protect your information? Then change your financial and email account passwords every 30 days. And yes, they each have to be unique, fourteen-plus characters, and not a real word—or combination of words.

Password Tip #3: Don’t use password testing websites.

If you’re wondering just how secure your new combination of alphanumeric characters is, you might be tempted to try a password testing website—don’t.

These websites will ask you to enter your password, and sometimes your email to send the results of their “analysis.” However, these services are a scam designed to trick you into handing over your security codes. And, you guessed it, even the most secure password won’t keep out hackers if you hand it right over.

Password Tip #4: Use two-factor authentication when available.

Two-factor authentication, sometimes called multi-factor authentication (MFA), is an extra layer of protection that adds a second step to verify your identity before allowing access to your accounts. It could come in the form of a PIN, a fingerprint, or even an authentication link sent via email.

If you’ve ever used a fingerprint reader on your phone, you’ve used two-factor authentication. For example, when you download an app from an app store, it first checks you’re on a trusted device (Factor 1) and then verifies you’re you with your fingerprint (Factor 2).

If you’re on a computer, usually it’s like this: when you enter your username and password, you’ll be asked for a verification code that will be texted to your phone. Pop in that single-use code, and you’re in. Ta-da!

While it’s not available everywhere yet, you can activate two-factor authentication in the settings for most major websites—be sure to check for the option next time you log in.

Takeaways for Thwarting Password Hackers

No matter how secure a website's system, your information is only as safe as your password is strong. In fact, your passwords are probably due for a change right now!

Before you get ready to rotate, remember these tips:

  • The longer your password, the more secure it is. Passwords should be 14 characters, at the minimum.
  • Don’t rely on commonly used special characters such as “@,” “$,” or “0” in place of a letter to make your password more secure.
  • Create different passwords for each of your accounts, paying special attention to your email and financial account passwords.
  • Rotate your passwords at least every three months for secondary accounts, and up to once a month for sensitive accounts.
  • Don’t trust password testing websites! Remember, your passwords should never be entered into any area aside from the secure field on the associated website.

While password security is important, there are other steps you can take to minimize the risk of your accounts being compromised.

This includes reviewing the privacy settings on your social media accounts to ensure that you’re not over-sharing with strangers. And, while we’re on the topic of social media, don’t be so quick to accept friend requests from strangers—doing so invalidates those security settings that you just checked.

Finally, remember that nothing is completely secure, and it’s critical to have a risk management plan in place. Keep an eye on your accounts to spot any unauthorized activity early, back up your computer regularly, and update your OS and browsers to avoid allowing any malware to harvest information that could be used to compromise your security.


Bill Horne is the moderator of The Telecom Digest, the oldest continuously published E-Zine on the Internet.

Greg Kelley is the Chief Technology Officer at Vestige Digital Investigations, a leading U.S. Electronic Evidence Experts company specializing in Digital Forensics and Cybersecurity solutions.

Dale Meredith has over 17 years of experience as a Microsoft Certified Trainer, as well as an additional 7 years of Senior IT Management experience. Learn more from Dale on his website, or through his Pluralsight courses.

Autumn Yates

Autumn draws from a reporting background and years of experience working remotely, while living abroad, to focus on topics in travel, beauty, and online safety.
