Create and maintain strong passwords

Updated 22 March 2018


    Many applications and services require a password. Passwords allow us to feel safe using digital technology to do things that only we should be able to do: signing into our computers and sending email, for example, or encrypting sensitive data. These secret words, phrases and strings of gibberish are often the only barrier between our information and those who might want to read, copy, modify or destroy it without our permission. We also rely on passwords to prevent others from impersonating us on social media and other online platforms. Attackers use various tricks when trying to learn our passwords, but we can defend against most of them by applying a few specific tactics and by using a secure password manager.

    What you can learn from this guide

    • The elements of a secure password
    • A few tricks for remembering long, complicated passwords
    • Reasons why you might want to use a secure password manager to store passwords instead of remembering them
    • What you can do, in addition to setting a strong password, to protect your accounts and your information

    Selecting and maintaining secure passwords

    When you want to protect something, you lock it up with a key. Bicycle locks have physical keys, bank cards have PIN numbers, email accounts have passwords and protected files have encryption keys. Whether physical or virtual, all of these keys have one thing in common: they open their respective locks just as effectively in the hands of somebody else. You can avoid malware, encrypt your files, communicate securely and hide your online traffic, but none of it will do you much good if your password is weak or if it falls into the wrong hands.

    Elements of a strong password

    A password should be difficult for a computer program to guess.

    • Make it long: The longer a password is, the less likely it is that a computer program will be able to guess it in a reasonable amount of time. Some people use passphrases that contain several words, with or without spaces between them. Passphrases are a great idea for services that allow long passwords.

    • Make it complex: In addition to length, the complexity of a password also helps prevent automatic 'password cracking' software from guessing the right combination of characters. Where possible, you should include upper case letters, lower case letters, numbers and symbols in your password. See the Password math section below for more about this.

    A password should be difficult for others to figure out.

    • Don't make it personal: Your password should not be related to you personally. Don't choose a word or phrase based on information such as your name, date of birth, telephone number, child's name, pet's name, or anything else that a person could learn by doing a little research about you. It is also a good idea to provide fake answers to the "security questions" that some services use to verify your identity if you forget your password. This prevents others from impersonating you by looking up your personal information online. Secure password managers are useful for recording these fake answers.

    • Keep it secret: Do not share your password with others unless you absolutely have to. If you must share a password with a friend, family member or colleague, you should first change it to something temporary and share that one, then change it again when they are done using it. Often, there are alternatives to sharing a password, such as creating a separate account for each individual who needs access. Keeping your password secret also means paying attention to who might be reading over your shoulder while you type it in.

    • Make it practical: If you have to write your password down because you can't remember it, you may end up facing a whole new category of threats that could leave you vulnerable to anybody with a clear view of your desk or temporary access to your home, your wallet or the trash bin outside your office. If you are unable to think of a password that is long and complex but still memorable, have a look at the Remembering secure passwords section below. As an alternative, you can choose a strong password, record it in a secure password manager like KeePassX or KeePassXC and give up on memorising it. Password managers are specifically designed for this purpose. You should not store your passwords in a regular file, even one that claims to be encrypted.

    A password should be chosen so as to minimise damage if someone does learn it.

    • Make it unique: Avoid using the same password for more than one account. Otherwise, anyone who learns that password will gain access to additional services and the information they contain. For similar reasons, it is a bad idea to rotate passwords by swapping them around between different accounts. Uniqueness is particularly important these days, as more and more websites are being compromised and having their password databases exposed online. Take a look at security researcher Troy Hunt's Have I Been Pwned for specific examples and to see if any of your passwords have been leaked. (But keep in mind that many account breaches go undiscovered, so you should still upgrade your weak passwords even if none of your accounts show up here.)

    • Keep it fresh: Change your important passwords occasionally. The longer you keep one password, the more opportunity others have to figure it out. If someone is able to use a stolen password without your knowledge, they will continue to do so until you change it. As long as your passwords are strong in the other ways described above, you do not need to do this frequently, but it remains a good idea to refresh your passwords every year or so.

    Remembering and recording secure passwords

    Looking over the advice in the previous section, you might wonder how anyone without a photographic memory could possibly keep track of such long, complicated and meaningless passwords without writing them down. The importance of using a different password for each account makes this even more difficult. There are a few tricks, however, that might help you create passwords that are easy to remember but extremely difficult to guess, even for a clever attacker with powerful 'password cracking' software. You also have the option of recording your passwords with a tool like KeePassX or KeePassXC that was designed specifically for this purpose.

    Remembering secure passwords

    Words are considerably easier for us to remember than strings of random characters, but passwords based on a single word are extremely easy to guess. Computers can test all known dictionary words in a very short time. Working offline, an average computer could test all of the (approximately) 10,000 English words in a matter of seconds. And even online — subject to, say, a five second delay between guesses — finding the correct password would only take a few hours on average.

    And, unfortunately, including a handful of upper case letters, replacing that "a" with an "@" and putting an exclamation mark at the end does not really help. Attackers are familiar with such techniques, and password cracking dictionaries include all of these variations. They might increase the time required to crack your password from one second to ten, but that's nowhere near good enough. (And yes, these dictionaries exist for all languages.)

    A better technique is to use at least six randomly chosen words to create a passphrase that is both secure and memorable. This method is often called "diceware" because it was initially recommended that people roll dice to select words from a specially formatted list. This is important because humans are bad at thinking randomly, and those password cracking dictionaries also contain famous quotations, song lyrics, poems and common phrases.

    Below are a few example diceware passwords:

    • cake brute tragedy outmost frostlike playroom
    • QuaintlyFreshResilientSnowstormReworkAbnormal
    • Myst!fyFrostlikeDisorderChessReversePortal

    For the sake of convenience, many people now use random diceware generators, such as the one included in KeePassXC. But the old-fashioned way still works quite well if you happen to have five six-sided dice on hand.

    Recording passwords securely

    With some imagination and a bit of practice, you should be able to remember quite a few diceware passwords. But given the sheer number of passwords we have to keep track of these days, you might want to consider using a password manager as well. Password managers like KeePassX and KeePassXC allow you to generate truly random passwords for most of your accounts and store them in a portable, encrypted database so that you do not have to memorise them.

    Hands-on: get started with KeePassX - Secure Password Manager [Windows] [Mac] [Linux]

    Whenever you need to enter a password for a specific account, you can copy and paste it from your database using only your master passphrase. This makes it much easier to follow all of the recommendations in the previous section. KeePassX and KeePassXC are portable, as well, which means you can put your database on a USB memory stick in case you need to enter a password while you are away from your primary computer. That said, you should only access your database on computers that you trust. If you do so on a device that is infected with malware, all of your passwords could be exposed.

    Furthermore, although it is probably the most effective solution for anybody who has to maintain a large number of accounts, these password managers have a few drawbacks as well.

    First, if you misplace or delete your only copy of a password database, you will lose access to any of the accounts you were using it to manage. Unlike some other password managers, KeePassX and KeePassXC do not store a copy of your data online. This is advantageous in terms of security, but it also makes it extremely important that you back up your password database. Have a look at our guide on how to protect the sensitive files on your computer for more information on this. Fortunately, the fact that your database is encrypted means that you don't have to panic if you lose a USB memory stick or a backup drive onto which you have copied it. You should still change your passwords, just in case, but as long as you set a strong master passphrase, they should be safe for a very long time.

    Second, if you forget your master passphrase, there is no way to recover it or the contents of your database. So be sure to choose a master passphrase that is both secure and memorable!

    Finally, it is important that you protect your database with a very strong master passphrase. If somebody learns your master passphrase and obtains a copy of your database, they will gain access to all of the passwords in that database. This could happen if you are forced to surrender these things or if your computer becomes infected with malware. (Though of course malware could also just record your passwords as you type them in.) Some people create a separate password database for their most sensitive information and take extra precautions with it. Our guide on how to protect the sensitive files on your computer includes a few relevant suggestions.

    Making the most of your passwords

    In the sections above, we discuss passwords primarily in the context of online accounts. In fact, passwords are used to control access in many different situations, including some that do not involve "accounts" in the usual sense. Examples include logging onto our devices, encrypting our data and connecting to wireless networks. In some cases, these passwords are optional. In others, they are set to default values that may be quite weak.

    • The software that starts the operating system on your computer is called the Basic Input/Output System (BIOS). You can set a BIOS password that is separate from your normal user account. Doing so makes it more difficult for someone with physical access to your computer to install malicious software.

    • When you set up the wireless router in your home or office, you can require users to enter a password before connecting to it. This partly encrypts traffic between your device and the router, but it will not protect that traffic from others who are using the same router. Fortunately, it does prevent those without your wireless password from snooping on legitimate users.

    • Your router also has an administrator account (typically called "admin") that can be used to modify or disable many of its security-related settings. Whenever you get a new router, you should look up its default password in the documentation, sign in and change that password to something stronger. You will rarely use this account, so you might want to record it in a secure password manager so that you don't forget it.

    Account recovery questions

    Many web services ask you "security questions" when you create your account. Examples might include:

    • Your favourite fruit,
    • Where you went to primary school,
    • The name of a street you lived on as a child, or
    • Your mother's maiden name.

    Some services use these questions to verify your identity if they suspect that someone else is trying to access the account. In many cases, the answers to your security questions can also be used to change your password in case you forget it.

    Information like this is sometimes available online, so it is often a good idea to provide false answers to these questions. You will need to keep track of your made up responses, however, in case the service decides that your connection attempt looks suspicious (or in case you really do forget your password). Once again, a secure password manager is a great place to store details like this.

    Two Factor Authentication

    After you've begun setting strong passwords for all of your accounts, the next most important thing you can do to protect those accounts is to set up two factor authentication, which is sometimes given a slightly less inscrutable name like 2-step verification or abbreviated as "2fa." Whatever you call it, two factor authentication means that, in addition to a password, you will need to provide a second piece of information to sign in. Fortunately, you won't have to memorise this one or store it in an encrypted database.

    This second piece of information is typically a short numeric code that is either sent to you as an SMS text message or generated by an app on your phone whenever you try to sign in. It can also be generated by a dedicated hardware device (which is often called a "token" or a "dongle"). Many such devices rely on an open standard called Universal 2nd Factor (U2F). Either way, you will get a new code each time you sign in.

    One open-source app that many people use to generate these one-time codes is called FreeOTP. It is available for both iOS and Android devices. (Google has its own app called Google Authenticator, but it is worth noting that FreeOTP can be used to sign into Google services as well.) Once they are configured to work with your account, these apps do not require an Internet connection to generate valid two factor authentication codes.

    Many online services will give you a list of backup codes when you first enable two factor authentication for a given account. These backup codes are special in that they never expire. It is important that you keep them safe as they are your only way back into your account if you lose access to whatever device normally generates your one-time codes. And, of course, anybody who has your password can access your account using any one of them. A secure password manager is an excellent place to store these sorts of things.

    A note on using text messages for two factor authentication. If a service supports both text- and app-based two factor authentication codes, you should opt for the latter. SMS text messages are not encrypted, and attackers have successfully intercepted these one-time codes on their way to a target's phone.

    Password math

    Many strong passwords include different types of characters such as upper case letters, numbers and symbols. This increases the "search space" of possible combinations that must be tested by brute force attacks that try to guess every possible password until they find one that works. You can expand that search space by increasing the length of the password and by using different types of characters.

    Brute force attacks

    A password made up of lower-case letters, for example, has only 26 possibilities for each character it contains. Using upper- and lower-case letters increases that number to 52. Adding numbers and symbols may raise it as high as 78. This does not, however, mean that complex passwords are three times stronger than simple ones. Depending on the length of the password, they may be thousands or millions of times stronger.

    This is because of exponential arithmetic. In short, the total search space is multiplied by the number of possible characters for each character in the password. So, while an eight character password that uses only lower-case letters has about 200 billion (26^8) possible combinations, a more complex eight character password may have 5000 times that number (78^8 is over a million billion). This difference grows even more pronounced for longer passwords. A complex, 12 character password may be 500,000 times stronger than a simple one.

    Dictionary attacks

    Dictionary attacks use words (and v@r!ations of w0rd5!) as a shortcut to crack weak passwords more quickly. There are fewer than 10,000 common words in English. Even a simple, lower-case password of just three randomly chosen characters has a larger search space than that (26^3 is over 17,000). Once again, however, exponential arithmetic helps us out here. As mentioned above, in the discussion of diceware passwords, you can create a strong password based on dictionary words as long as you randomly select at least six of them. (10,000^6 is a trillion trillion.)
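    The arithmetic in the two sections above, worked through in Python as an added example (not from the guide or from Passfault): search-space sizes for the character sets and lengths quoted, the exact ratio between the simple and complex cases, the dictionary comparison, and an average time-to-crack at an assumed guess rate. The guess rate of one billion guesses per second is an assumption for illustration only; real rates depend entirely on the hash function and hardware involved.

```python
import math

# Character-set sizes and word counts quoted in the text.
LOWER = 26             # a-z
MIXED = 52             # a-z plus A-Z
FULL = 78              # letters, digits and symbols (the text's upper figure)
ENGLISH_WORDS = 10_000
DICEWARE_WORDS = 7_776
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed offline guess rate, for illustration only (one billion per second).
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000


def search_space(choices, length):
    """Candidates a brute-force attack must consider: choices ** length."""
    return choices ** length


def strength_ratio(small_alphabet, large_alphabet, length):
    """How many times larger the search space gets when the alphabet grows.
    Exact because (78/26)**8 == 3**8; the text rounds this to 'about 5000'."""
    return search_space(large_alphabet, length) // search_space(small_alphabet, length)


def entropy_bits(choices, length):
    """Bits of entropy for `length` uniformly random picks from `choices` options."""
    return length * math.log2(choices)


def length_needed(choices, target_bits):
    """Shortest length of uniformly random picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def expected_crack_years(space, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """On average the right password turns up after half the space is searched."""
    return space / 2 / guesses_per_second / SECONDS_PER_YEAR


def report():
    """Collect the figures the text discusses; returned as a dict for inspection."""
    return {
        "lower_8": search_space(LOWER, 8),                  # ~209 billion
        "full_8": search_space(FULL, 8),                    # > a million billion
        "ratio_8": strength_ratio(LOWER, FULL, 8),          # 6561
        "ratio_12": strength_ratio(LOWER, FULL, 12),        # 531441
        "lower_3": search_space(LOWER, 3),                  # 17576 > 10,000 words
        "six_words": search_space(ENGLISH_WORDS, 6),        # a trillion trillion
        "six_diceware_bits": entropy_bits(DICEWARE_WORDS, 6),
        "lower_len_for_diceware": length_needed(LOWER, entropy_bits(DICEWARE_WORDS, 6)),
        "years_lower_8": expected_crack_years(search_space(LOWER, 8)),
        "years_six_words": expected_crack_years(search_space(ENGLISH_WORDS, 6)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>24}: {value:,.2f}" if isinstance(value, float) else f"{key:>24}: {value:,}")
```

Two things the numbers make concrete: switching an eight-character password from lower-case only to the full character set multiplies the search space by 3^8, and six random dictionary words give a space of 10^24, which at the assumed rate takes millions of years on average even though each individual word would fall in an instant.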

    The first table below estimates how long it might take an attacker to crack a list of progressively longer diceware passwords. The second table shows a similar set of estimates for passphrases that were "scrambled" using common techniques. As you can see, "special characters" alone are not enough to strengthen a weak passphrase. In fact, they make very little difference unless the passphrase is already quite long.

    Diceware passphrases:

    Sample passphrase                      Number of combinations     Time to crack
    -------------------------------------  -------------------------  ---------------------------
    Purple                                 9,000                      Immediate
    PurpleCarpet                           79 Million                 Less than one day
    PurpleCarpetJump                       699 Billion                Less than one day
    PurpleCarpetJumpGarage                 6,000 Trillion             Four days
    PurpleCarpetJumpGaragePaint            55 Million Trillion        About one century
    PurpleCarpetJumpGaragePaintStrangely   488 Billion Trillion       7,695 centuries

    "Scrambled" diceware passphrases:

    Sample passphrase                      Number of combinations     Time to crack
    -------------------------------------  -------------------------  ---------------------------
    Purp13                                 177,000                    Less than one day
    Purp13C@rp3+                           47 Billion                 Less than one day
    Purp13C@rp3+Jump                       419 Trillion               Less than one day
    Purp13C@rp3+JumpG4rage                 37 Million Trillion        About one century
    Purp13C@rp3+JumpG4ragePa!nt            3 Trillion Trillion        52,036 centuries
    Purp13C@rp3+JumpG4ragePaint5trangely   293,000 Trillion Trillion  Over four Billion centuries

    These tables are based on calculations from Passfault. Passfault is one of several websites that allow you to test the strength of your passwords. Reputable services like this perform calculations on your computer and do not send anything back to their servers. They can be useful when testing the relative effectiveness of different password strategies but you should still avoid submitting your actual passwords.

    Further reading