Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.
How to Choose a Strong Password
A lot of people might think right off the bat “I don’t need advice on how to make a strong password! I’ve been making passwords for decades, I know what I’m doing!”
Well, buddy, the truth is that the information that was available in 1990 and even the early 2010s is really no longer valid.
More complex and powerful computing has made older password advice obsolete, such as a minimum 8-character password.
Not only that, but we now tend to have a dozen passwords or more, which causes fatigue and makes us create worse and worse passwords.
Thankfully password creation has moved towards making it easier for humans and more convenient.
Yes, you might get asked to make a 12 or 16 character password, but you are also given the tools of how to make them easier and, more importantly, to remember them more readily.
Why Strong Passwords are Important
This might be a bit redundant to mention, but password strength is important, even for accounts you might not necessarily think are important.
For example, a lot of people tend to reuse passwords, and might accidentally use an important password on a site they will only visit once, or that maybe doesn’t have the best security.
All it takes is one misstep for your password to be found and you might accidentally put all your accounts at risk.
Not only that but with the increasing use of the online world from banking to government bureaucracy, oftentimes your password is your last line of defense from having your identity stolen.
This is why security experts keep on yelling and screaming about password importance; they really are insanely important, even more so than even just 20 years ago.
How Do Passwords Get Hacked?
So before we get into more detail on how to create a strong password, we first need to understand the ways in which passwords can get hacked.
While there are actually a few dozen different ways, these three below tend to be the ‘easiest’ ones for potential hackers to do or have access to.
Keep in mind most hackers are more like ‘script kiddies’, meaning they use a script created by another hacker and don’t really know that much about hacking.
As such, these scripts below tend to be more common.
This one does exactly what it says on the tin: It tries to attack you with a dictionary.
What that means in practice is that the potential hacker will use a program that runs through a predefined set of dictionary words.
Usually, this tends to be very common words that have been found in hacked passwords before, and also allows for variation in their placement in the passphrase.
Interestingly, more sophisticated dictionary attacks have started including symbols in their lists. That means that putting a ! or 1 instead of an i, or a @ instead of an a isn’t as useful as it used to be when it comes to creating a strong password.
In fact, the best way to defeat a dictionary attack is to just have a longer passphrase.
We’ll talk a bit more about this later, but usually, the suggestion is a minimum of four words or more.
Brute Force Attack
Brute force attacks are the dumber version of dictionary attacks, in that they basically try to guess every single number, letter or special character combination there is under the sun.
This is usually done by some automated software, similar to a dictionary attack, and also may sometimes have a predefined list of combinations.
More advanced ones may also have a percentage chance of using more common alphanumeric characters and symbols.
Sadly, given our modern computing power, cracking an 8-character password is actually relatively simple, and can be achieved in 6-8 hours with a powerful enough computer.
Again, while we will talk more about this in a moment, 8-character length passwords are no longer suggested, and in fact, even 12-character passwords might be a bit on the shorter side as well (although certainly better).
Sadly this one doesn’t use a fishing rod, but it is one of the worst forms of trying to get your password.
Phishing essentially uses social engineering tactics to manipulate you or persuade you that you need to hand over your personal information.
Usually, this involves an email from a trusted source like your bank, Paypal or Google, and might say that there is something wrong with your account.
They will then usually ask you to follow a link to their site to log-in and fix the issue. Of course, this site is fake, and your log-in information is saved for later use.
This isn’t only a digital issue though, and Phishing can absolutely happen over the phone as well, especially using robocallers.
Again it will be very similar in that they will try to scam you out of either your personal/credit card information, or will try and get you to send them money.
The most important thing here is if you get a call from your bank or a place that important, politely hang up and call them back on their official number listed, so you know it is actually them.
How to Create a Strong Password
It doesn’t matter what kind of tips and advice you follow when making a password if you don’t approach it with the correct philosophy.
Creating a password should not be something that you do off-handedly and without much thought, but instead should be something you put some effort into.
If you approach password making as something important that requires your attention, then you will always create strong passwords.
Along with that, you need to appreciate that passwords are for your eyes only, so don’t ever share your password with anybody.
This includes things like ‘well it ends with a number’ or ‘it has 10 letters in it’. Your passwords are like your underwear: something you don’t share with anybody. You must understand how strong your password is.
Dos of Creating Strong Passwords
Make It Long
As touched upon earlier, creating a longer password makes it much harder to beat. 8-Character passwords are no longer the standard here, and 12-characters have now become the minimum.
If you truly want a strong password then you should ideally be going for 16-character ones.
At that point, they are basically impossible to hack except with phishing.
One thing to make your life easier when it comes to longer passwords is to use passphrases. That’s basically a group of 4 or 5 words that you use as a password, such as ‘YelloBicycleSkyCorn’ or some other string of words.
It’s easier to remember words than a random alphanumeric, 16-character password, plus you can make even longer passwords if you feel like it. The longer the better!
Use Abbreviated Passwords
Another nice solution here is to use an abbreviation of a phrase that’s memorable to you.
For example “Thanks for all the fish” could be “tfatf” or “The quick brown fox jumps over the lazy dog” could be “tqbfjotld”. Of course, you shouldn’t use those ones because they’re quite common, but if you have a favorite book you can pull a phrase from that to use.
Use Lower, Upper, and Unique Characters
This one is probably something you know already, but it bears mentioning again.
Combining different capitalization, as well as unique characters, can help make your password even more secure. You can replace letters with symbols if you want too, but we suggest just adding them somewhere in the password randomly instead.
Change Your Passwords Regularly
By changing your passwords regularly, you won’t have to worry as much about any single password being hacked or cracked. So how often should you change it? Well, the most ‘popular’ advice is every 30, 60, or 90 days, but that just makes people create poor passwords.
The ideal time to change your password is roughly ever 1 year or if you see it on one of those cracked pass lists.
Use Two-Factor Authentication(2FA)
Another great way to make sure that your passwords are protected is to use 2FA.
Now we know it can be a bit of a pain to include that extra step, but it will make sure that your passwords, and your information, have an extra layer of protection. Who would say no to that?!
Use A Password Manager
Password managers can offer a ton of convenience when it comes to generating lots of unique passwords for the different sites you’ll probably log in to.
Just remember to make the master password a strong one that follows the rules above, because if that one gets cracked, then the potential attacker has access to all your passwords.
Don’ts of Creating Strong Passwords
Don’t Use Common Character Substitutions
You aren’t fooling anybody by using common substitutions like ‘8’ for ‘B’ or ‘7’ for ‘L’. These are actually pretty common and are usually in the predefined lists that hackers use to crack your password.
Ideally, if you’re going to be using symbols or unique characters, you want to use them along with rather than instead of the words and letters you chose.
Don’t Use Easily Accessible Information About Yourself
Your birthday, your ID number, your phone number in any form, so on and so forth. All this stuff is not only easy to get but relatively simple to try in different forms such as mm/dd/yy or yy/mm/dd or any combination thereof.
Realistically, any numbers that you use in your password don’t specifically link back to you and should be relatively random.
Don’t Use a Security Question
Security questions are weird, in that while you are asked for a complex password, the security questions themselves are not. In fact, most of the time they ask for information that is easy to get such as your first teacher’s name, or your first pet, or your first home address/number.
If you’re forced to use a security question, then just create a second password instead, it’s much safer.
Don’t Use a String of Letters or Numbers
We really shouldn’t be giving this advice in 2021, but don’t do it. Anything like ‘00000000’ or ‘abcdefghi’ should be off the table, even if you can manage to get 12 or even 16 characters out of it, it’s literally the first thing attack programs check.
Don’t Use One Word Followed or Preceded by Numbers
This is almost as bad as the first previous one on this list, but using a word and then numbers before or after is just a bad idea.
We’re talking about things like ‘apple2543’ or ‘111marble’. Both of these are easy to guess and pretty standard in terms of predefined lists.
Don’t Save Your Passwords
Most browsers and websites now offer to remember your password or keep you logged in. Avoid that if you can and just let a password manager do all that for you. This is especially the case if you don’t know or trust the site very much.
More Password Tips
Aside from just having a strong password, there are other things that are very useful in protecting your personal information:
Use a VPN
By using a quality VPN you are protecting all the traffic that comes and goes from your computer to the site you’re accessing. This means that the chances of a man-in-the-middle attack are minimized.
On top of that, there are some great benefits to using a VPN, such as unlocking geo-locked content.
Use a Random Password Generator
While most password managers can do this, you can find standalone password generators. In-fact, Avast, which makes Avast Secureline VPN, also provides a password generator to users.
However, we recommend using a strong password generator that does not save nor log any data, such as StrongPasswordGenerator.com.
Use a Secure Browser When Logging In
Secure browsers help protect not just your browsing, but your login information. They are especially useful in blocking any form of tracking like cookies, so it’s a good idea to use them for sensitive data.
Check how strong your password is: You can actually do this using “How Secure Is My Password?“. It’s a great site that can give you some insight into your password strength before you actually go ahead and use it.
As you’ve hopefully seen, creating a strong password isn’t difficult, it just requires following some basic tips and tricks, all of which are made easier if you use a password manager.
Most importantly though, is to keep yourself updated in terms of password knowledge, password renewal, and keeping yourself and your data safe.