Are your passwords strong enough? How should you use numbers when creating them? And what about multi-factor authentication? Here’s what you need to know about creating and maintaining strong passwords

How do you create a strong password, one that can withstand being cracked by even the most sophisticated attacks?

Most of us know not to use commonly used passwords and personal details when setting these, and instead to use numbers, special characters, and so on.

But even if we follow this advice, our passwords may leave us vulnerable to attacks.

So why is this? And what should we be doing instead? First, let’s look at the two main reasons our passwords don’t quite cut it.

The two main reasons your password isn’t strong enough

We’re often led to believe a password is stronger than it actually is for two reasons.

The first is that the average user is happy to be guided, on whatever site the password is being created, by that site's own rules about what a password should contain.

This is a problem, as it's easy to confuse the minimum conditions for creating a password on a particular site with best practice for password creation in general.

A password you create may well satisfy the criteria for a particular website, and may include a number and a special character for additional security, but if it’s one you tend to use elsewhere, it’s not necessarily a good idea to continue using it on additional sites. The site in question, of course, won’t know just how frequently you’ve used it previously, and so it cannot advise you here.

It’s perfectly normal to want to make life easy for yourself and to balance security with convenience. If you only need to define a password that’s eight characters in length, with one special character and one number among these, why make it longer and more complicated than that?

The second key reason explains why we should.

Most online users want their accounts to be secure, but they lack sufficient awareness of how threats to passwords have evolved over time, and whether the advice we have always believed to be best is still sound.

Again, this is perfectly understandable. Password security is hardly the most exciting subject and it takes effort to stay on top of how things change in this space.

As online threats evolve over time, we should take notice of new recommendations so that those threats can be defeated. In reality, though, most of us slip into a habit of doing things one way and just stick with it.

For example, many of us now habitually use special characters and numbers in our passwords because we have been prompted to do so for some time. The theory is that a less common combination of characters will be harder to crack.

But as the use of special characters has become commonplace, password-cracking methods have adapted to it. To understand how, it's useful to look at the two main ways in which passwords are cracked: dictionary attacks and brute force attacks.

Dictionary attacks vs brute force attacks

Dictionary attacks are commonly thought of as the process of using every word in a dictionary to guess a password until the correct one is found.

The name is somewhat misleading, however: because today's passwords are usually required to contain special characters and numbers, a list of plain dictionary words would not be particularly effective on its own.

For that reason, these attacks may not actually use every word in a dictionary as such, but will typically make use of common words together with lists of commonly used passwords, such as those that have been scraped from previous data breaches.

Brute force attacks differ in that they attempt to use every combination within a set of parameters. This could, for example, be every combination of numbers, characters, capital letters, and symbols within a set password length. This means that they can guess passwords dictionary attacks may easily miss.

How to create a strong password

So what’s the best way to create a strong password? In short, a reasonably long password that’s randomly generated, or made using random words to create a nonsensical phrase, and saved with a password manager for convenience will serve most users best. Let’s examine this in more depth.

Use a longer password

Longer passwords are harder to crack than shorter ones, because every extra character multiplies the number of letter, number and special-character combinations an attacker has to work through. So you should aim to make your password as long as is practical.

A brute force attack may attempt every combination up to a certain length, but it cannot keep guessing forever. This is why a twenty-character password is more secure than a ten-character one. A long password is harder to remember, of course, but if you are using a password manager (discussed below) to remember it for you, there is little excuse for not making it particularly lengthy.

Don’t use a single password on every site

Password lists that are sold on the dark web are known to be used for dictionary attacks. This is where commonly used passwords are added to dictionary attack lists in order to maximize the chance of successfully guessing a password.

If you're unlucky enough to have your details included in such a list, using the same password across multiple sites opens you up to the risk of other accounts associated with your email address being compromised as well.

If you use a password manager, even one built into your browser, you may be notified when you have repeatedly used the same password, and you may be prompted to change this.

Avoid personal details

NordPass's Top 200 Most Common Passwords list for 2021 shows that a number of popular passwords are simply first names such as Thomas and Jennifer.

Dictionary attacks will easily discover these, but they are also obvious passwords that can be guessed by people who know the account holder, so they are best avoided.

The same applies, albeit to a lesser extent, to cities, sports teams, and musical groups.

Don’t use obvious substitutions

A handful of numbers and symbols make obvious substitutions for letters, such as 4 for A and 5 for S. The idea behind this approach is that it makes passwords more secure while keeping them memorable.

But as a general rule, what’s obvious is best avoided as some dictionary attacks now incorporate searching for these kinds of obvious substitutions.

If you do plan on using a memorable word or phrase and you need to make use of numbers, it’s best to place them randomly as additional, rather than substitutional, elements.   

Avoid the obvious – and the not so obvious too

Everyone knows that using qwerty, password, or repetitive and sequential number combinations such as 111111 or 123456 is best avoided when creating passwords.

In fact, you may actually find some common options to be automatically banned when creating a password. This is typically the result of a website operator feeding a list of common passwords into the system to prevent them from being submitted.

But what many people may not know is that some of the most common passwords use less obvious combinations that still follow some kind of order, such as 1q2w3e, asdasd, 123321, and qwe123. And given that some dictionary attacks are known to make use of lists from previous data breaches, commonly used passwords like these are obvious candidates for attack.

So as a general rule, you should be wary of passwords that are convenient to type out. If you’re thinking of doing it, it’s highly likely other people have done so too.
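The blocklist check described above, including the step of undoing obvious substitutions that dictionary attacks now perform, as an added example that is not from the original article (the blocklist, the substitution table and the 12-character minimum are constructed for illustration):

```python
import re

# Constructed, deliberately tiny blocklist for this example. A real site would load a
# large list compiled from published breach data, as the article describes.
COMMON_PASSWORDS = {
    "password", "qwerty", "123456", "111111", "1q2w3e", "asdasd", "123321",
    "qwe123", "thomas", "jennifer", "letmein",
}

# Obvious digit/symbol-for-letter swaps that dictionary attacks now undo.
SUBSTITUTIONS = str.maketrans({
    "4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "5": "s", "$": "s", "7": "t",
})

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalise(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo substitutions,
    so "Th0m4s2021!" and "P@55w0rd!" both collapse onto a dictionary word."""
    p = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", p) or p
    return stripped.translate(SUBSTITUTIONS)


def has_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if min_run adjacent keys from one keyboard row appear in either direction."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            run = row[i:i + min_run]
            if run in p or run[::-1] in p:
                return True
    return False


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list if none)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    # Test the raw lower-cased form (catches "1q2w3e") and the normalised form.
    if {password.lower(), normalise(password)} & COMMON_PASSWORDS:
        reasons.append("matches a common password once obvious substitutions are undone")
    if has_keyboard_walk(password):
        reasons.append("contains a keyboard sequence")
    if len(password) >= 4 and len(set(password.lower())) <= 2:
        reasons.append("repeats only one or two characters")
    return reasons
```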

Use password generators

There are various online tools that can be used to generate passwords, and many of these let you specify the password length, whether to use special characters, and even whether to exclude similar-looking characters so that the result is easier to read back.

Of course, there is nothing stopping you from simply hitting keys on your keyboard at random instead, although this approach may result in a password that is a little less varied overall.

Use password managers

Traditionally, the role of a password manager has been to encrypt and store passwords that have already been created so that they can be quickly recalled when needed. This has made them useful for longer and more complex passwords, particularly those that have been randomly generated. 

Today’s password managers, however, provide many additional conveniences. They will typically generate strong passwords and let you know if you are using these across multiple sites, for example, and even notify you if these may have been among details discovered in recent data breaches.

These used to only exist as standalone programs (or browser extensions), which would typically come in both free and paid-for versions. The majority of people who use password managers today, however, will typically opt for the equivalent features that are built into browsers such as Safari and Chrome.   

Aside from the convenience of remembering longer passwords, a further advantage of these is that they make passwords easy to recall across different devices. Premium, paid-for options will also typically allow passwords to be shared with trusted friends and family, together with extra storage space, and easy syncing of other credentials such as credit card details and Wi-Fi passcodes. 

Use nonsensical passphrases

One obvious drawback to the use of numbers and special characters is that it can make a password less memorable, particularly if those numbers and characters have been added randomly.

An alternative way to create a strong and memorable password is to use a phrase that makes little or no sense to someone else, but that can be easily remembered by its creator.

For example, the phrase ‘PackageSidewalkCrushingDonkeyBright’ makes little sense, but it’s not difficult to remember and such a unique combination would test even more advanced cracking approaches. Using the lyrics from a song can also work here. 

Another significant advantage of using a phrase of this nature is that it will naturally create a relatively long password, which is also a boon for security.
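An added example, not from the original article, tying together the points above about length, generators and nonsensical passphrases: it generates both kinds of password from a cryptographic random source and compares the brute-force search space each one presents (the miniature wordlist and the 1e10 guesses-per-second cracking rate are constructed assumptions).

```python
import math
import secrets
import string

# Printable ASCII minus the space: the 94-symbol alphabet most generators draw from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
LOOKALIKES = "Il1O0|"  # characters a generator may exclude as too similar-looking

# Constructed miniature wordlist for the example. A real passphrase generator draws
# from a list of thousands of words (the EFF long wordlist, for instance, has 7776).
WORDLIST = ("package", "sidewalk", "crushing", "donkey", "bright",
            "lantern", "velvet", "glacier", "marble", "orbit")


def generate_password(length: int, alphabet: str = FULL_ALPHABET,
                      exclude_lookalikes: bool = False) -> str:
    """Random password drawn with the CSPRNG in `secrets`, never `random`."""
    if exclude_lookalikes:
        alphabet = "".join(c for c in alphabet if c not in LOOKALIKES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist=WORDLIST, sep: str = "") -> str:
    """Nonsensical phrase of randomly chosen words (PackageSidewalkCrushing...)."""
    return sep.join(secrets.choice(wordlist).capitalize() for _ in range(words))


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Brute force has alphabet_size ** length candidates; log2 of that is the bits."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Random words from a list behave like characters from a very large alphabet."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at a hypothetical cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [("10 random chars", password_entropy_bits(10, 94)),
                        ("20 random chars", password_entropy_bits(20, 94)),
                        ("5 words of 7776", passphrase_entropy_bits(5, 7776))]:
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years at 1e10/s")
    print(generate_password(20, exclude_lookalikes=True))
    print(generate_passphrase(5))
```

Run as a script it shows that five random words from a 7776-word list (about 64.6 bits) sit close to a ten-character fully random password (about 65.5 bits), while doubling the random password to twenty characters roughly doubles the bits.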

How to keep a password protected

Setting a strong password is one thing. Making sure it continues to provide the protection you expect long after you created it is another. So what should you consider?

Stay up to date on data breaches

Data breaches occur when a hacker obtains a list of personal details from a website, and these details will typically include passwords. Depending on the jurisdiction, and on whether the information was encrypted, the company in question may notify you by email that this occurred and tell you the extent of the information that leaked.

You should stay up to date on these breaches by keeping an eye on security-focused news, perhaps by following social media accounts that report on them.

Checking whether your details were included in any historic data breaches using a site such as Have I Been Pwned is also recommended.

Routinely scan your devices for threats

Password-stealing malware isn’t just confined to laptops and desktop devices. It can also hide in apps downloaded for mobile devices. Common signs that a phone is infected with malware include high data usage, fast battery drainage, and general sluggishness in operation.

While it’s possible to download apps that can scan mobile devices for threats and neutralize them, some phones have anti-malware features installed as standard. If you are unsure whether yours does, check the manufacturer’s product page for your specific device.

If you use an Android phone or tablet, you can also run a quick check by using Google’s Play Protect feature. You can find this option by clicking on your profile icon in the Google Play store. 

Should you use multi-factor authentication?

Multi-factor authentication (MFA), which is most commonly two-factor authentication (2FA), provides an additional layer of security to a straightforward username/password login.

The process is still initiated by a conventional username/password login, but the user is then asked to enter a code sent to their email address or phone, or generated by an authenticator app such as Google Authenticator or Microsoft Authenticator. By doing so they prove they are in possession of the phone or email account registered to them, which increases the likelihood that they are who they claim to be.

Multi-factor authentication is now standard across many social media sites and online services, and many of us use it without much thought. But a number of incidents in recent years have highlighted how it’s not always the failsafe measure one would expect.

These include SIM swapping to intercept text messages carrying one-time passwords, various phishing attempts, and even exploitation of account recovery processes.

Phones can, of course, also be stolen or infected by malware, and email addresses can be hacked. Nevertheless, as you will generally be the only person to have access to both your devices and your email account, the benefits outweigh the risks, so you should consider setting this up if it has not been set up already.

Multi-factor authentication systems that rely on some kind of biometric authentication, such as a fingerprint, rather than a code sent via email or text message, are generally better from a security perspective. Bear in mind that some apps that support MFA may offer biometric authentication without enabling it by default, so it's worth exploring the available options.

Get into the habit of changing key passwords regularly

A password can only provide sufficient protection as long as it’s unknown to others, but it’s easy to miss a data breach in which this may have been revealed.

For this reason, you should consider changing passwords on a regular basis and saving them using a password manager for convenience.

Set up suspicious activity alerts

Some social media platforms and other online properties allow you to request an alert whenever your account has been accessed from an unknown location or device.

You may have already received such an alert when accessing an online account from a new device or when on holiday, or perhaps when using a VPN. 

These alerts aren't necessarily on by default, so you should investigate whether the site or service in question offers them. And, of course, if you do receive one, you should respond to it promptly to protect your account from any unauthorized access.

Use a VPN when using public Wi-Fi

Public Wi-Fi networks are convenient, and sometimes even essential, but they’re also notoriously risky as anyone with the necessary know-how can intercept your communications and steal sensitive information such as passwords. 

If you must use public Wi-Fi, you should do so in conjunction with a Virtual Private Network (VPN). A VPN masks your IP address and hides your online activity from third parties, even your ISP, by providing an encrypted tunnel between you and the internet.

Not all VPNs are the same, however, and some are viewed more favorably than others when it comes to privacy and protecting your information.

Ideally, any VPN service you use should have a strict no-logging policy that is periodically audited by an independent third party.

Many free VPNs exist, although paid-for versions typically offer more by way of security and convenience. They may, for example, include a broader range of worldwide servers to connect to, and might also have a kill switch that immediately takes you offline if the VPN momentarily loses its connection.
