AVG Signal Blog Privacy Passwords How to Create a Strong Password — That You Won’t Forget

Passwords. We all hate them. And we hate ours especially. We know they’re terrible, but making them stronger seems so hard: use upper and lower cases. Numbers. Symbols. Don’t use sentences, don’t use words, yada yada yada.

This article contains:

    So you end up with something like M@5t3Rp@$$w0rd1967.

    And who can remember that?

    Well, what if we told you preachy glutton legislate shorter monsoon author made for a stronger password than M@5t3Rp@$$w0rd1967?

    This kind of password is called a passphrase: a random collection of common words. It’s far easier to remember than "conventional passwords" — and yet far harder for hackers to crack. Perfect!

    Before we get into the mechanics of creating your very own passphrase, you may be wondering why this is necessary. How bad could your current passwords be?

    Do I really need to change all my passwords?

    Short answer: yes. If you’re like most people, odds are high that your password isn’t very good. Having an easy-to-guess password is just setting yourself up to get hacked

    How? Well, hackers have several methods:

    • Trying the most common passwords: hackers can easily find a way into accounts by trying some of the most commonly used passwords — things like 123456 or the word password itself. If you’re using one of these and haven’t been compromised yet, you might want to buy a lottery ticket because you’re one of the luckiest people in the world. 

    • Brute force attacks: if your username and password get exposed in a data breach, hackers can use brute force attacks to unencrypt your data. Using a program, bad actors can cycle through all possible passwords (testing hundreds or thousands of possible options) until they come up with the right one. Even if you’ve used a combination of upper and lower case letters and special characters, modern technology can crack an 8-character password in about two hours (!).

    • Credential recycling: Once hackers or spammers have your username and password to one account, they can easily try these credentials on all your other accounts. If you’ve recycled your credentials (i.e., used that same username and password elsewhere) then suddenly these bad actors have the keys to the castle — access to all of your accounts that share those credentials.

    So, what does it take to beat the hackers? Which type of password would be considered secure? As annoying as it may be, you really do need to increase the length and complexity of your passwords, and use unique passwords for each account.

    But, don’t despair: it’s easier than you may think if you use passphrases.

    What is a passphrase?

    As mentioned above, a passphrase is a collection of common words combined together randomly into a phrase. Remember, an example of a passphrase is something like preachy glutton legislate shorter monsoon author.

    The best passwords are ones that are 1) easy for you to remember and 2) hard for hackers to crack. Passphrases make the best passwords because they use real words that you can remember (rather than a collection of crazy symbols and letters) and they are very long, making them much harder to crack with brute force attacks or other tactics.

    The only catch is that the common words in your passphrase need to be truly random in order to be a secure password.

    Luckily, we’ve got a method for that. All you need are a few minutes and some dice…

    How do I make a passphrase?

    Making a passphrase is simple. But don’t pick the words yourself. Humans are notoriously bad at creating true randomness. We love patterns too much and all our words have meaning, so it makes it doubly hard for us to generate random passphrases.

    Instead of using a random passphrase generator online, you can easily go through the steps yourself. We recommend using Diceware, a passphrase generating method developed by IT guru Arnold Reinhold. It involves using a simple list of 7776 words, each of which has a corresponding 5-digit number you can roll with a die.

    It’s a lot simpler than it sounds. We’ll walk you through it:

    1. Download the Diceware word list: A simple word or text editor can open it.

    2. Roll a die five times (or five dice once) and mark out the numbers in order.

    3. Find the word that matches what you rolled and note it.

    4. Repeat so that you have a total of 6-7 words.

    That’s it, really.

    So for example, if you roll your die five times and come up with 34462, you would look through the list:

























    …and find jockey.

    You repeat the process until you’ve picked at least six words.

    Feel free to add symbols, capitals, or numbers into the mix if you like. This will increase the strength of the passphrase, and most services that have any pretense at security require special symbols.

    But be careful about these two rare occurrences:

    • You end up with so many short words you have less than 17 characters.

    • You actually end up with some sort of sentence.

    In both those cases, start over.

    Remember, with this method, you’re letting the dice decide your passphrase to make it random. So don’t go around fudging the results because you think two words look good together. You’d be creating patterns (and weakening the strength of your passphrase.)

    There are multiple different English lists you can pick from and several in other languages too. Mixing and matching lists can create even stronger passphrases.

    Write down your passphrase on a piece of paper until you’ve memorized it. It should sink in after a few uses. If you’re having trouble, create a story to make it easier to remember.

    For example: The preachy glutton would legislate for a shorter monsoon season, the author said.

    This is what memory masters do. Once you have it down, destroy the paper.

    I don’t like dice. Can’t this be automated?

    It can. In fact, there are plenty of useful Diceware passphrase generators like this one.

    However, keep in mind that while generators like this one are still very secure, computers are never fully random, and this will never be as secure as rolling your own passphrase into existence.

    So can I use this passphrase everywhere?

    No, you really shouldn’t.

    Repeating passwords or passphrases for different services is among the worst security practices out there. As mentioned above, if one account gets hacked, they all get hacked.

    Ideally, you would use a passphrase as the master password for a password manager. The manager can then create long, random passwords for each of your accounts, and keep track of it all for you. (No more puzzling over good password ideas — the program takes care of all that for you!) There are plenty of free or affordable password managers out there now, so there’s really no reason not to give one a try.

    If you don’t want to use a password manager, then there are a couple of additional steps you should take:

    1. Create a passphrase for your most critical accounts, then add modifiers

      These can be simple short-hand for the service or the full name. Using the example above, you could end up with:

      G@G1 preachy glutton legislate shorter monsoon author Or

      preachy glutton legislate shorter monsoon author Facebook1@

    2. Create a second passphrase for all the throwaway accounts

      But even managing two passphrases can be a bit of a chore, so we’d really recommend a password manager.

    And that’s all there is to it. You're now armed with one of the most powerful passwords possible. Go and enjoy the web…

    …but if you want to know more about passphrases and one additional way to boost security, stick with us.

    Strong passwords: roundup

    All the usual advice you get for passwords isn’t exactly wrong. But without getting too technical (without getting technical at all, really), there are only two essential requirements for a strong password:

    • It should be long: Really long. 17 characters should be the minimum. For some future proofing, making it at 20+ characters is better.

    • It should be random: Hackers are excellent at recognizing patterns and programming their tools to look for them.

    That’s it.

    So back to our original example, M@$t3Rp@$$w0rd1967. It may seem like a strong password, and many password checkers like this one will tell you so. But it wouldn’t stand a chance against today’s hackers because it actually has a very simple structure: two words + a date.

    Not only are the two words very common ("master" and "password"), they commonly go together. The substitutions taking place are predictable and so also easy to crack: A looks like @, S looks like $, and so on. And when people add numbers to their passwords, they often do it at the end, and use a PIN or date – often of their birth.

    Hackers know all these tricks and usually try them first. And they use machines to do it, while we have trouble remembering what letter we upper-cased and where we added the @.

    Here’s a fun, visual summary of how many people get it backwards when trying to create a strong password:This cartoon shows how we’ve got it backwards when trying to create a secure password.

    So grab a pair of dice, and get to work on creating a truly strong password to keep your accounts secure.

    How to increase your security even further

    After creating your brand new passphrase, you may be wondering if there’s anything else you can do to protect your accounts. And yes, in fact, there is!

    Even if you have the best password in the entire world, you can still up your security even further by using what’s called two-factor identification, which requires a second means of verifying who you are other than your password.

    Two-factor identification usually uses one of three things:

    1. Something you know: this could be a PIN code or something else, like the answers to your security questions.

    2. Something you have: for example, your phone (which can receive an authentication code via SMS), or your physical credit card (which you can verify using the CVV code on the back).

    3. Something you are: biometric data, such as your fingerprint.

    It might seem complicated at first, but if you’re like most people, you’ve already been using two-factor identification for a long time. For example, any time you take money out of an ATM, you’re combining something you have (your bank card) with something you know (your PIN).

    Similarly, you can enable two-factor authentication on most of your online accounts: your email provider, social media accounts, and (especially!) your online banking should all offer two-factor identification. Often, this will involve the service texting you a one-time PIN when you try to log in or make a bank transaction.

    Want to see which of your accounts offer the option of two-factor authentication? You can check out this master list, and even request that a given site add two-factor authentication if they don’t yet offer the option.

    Two-factor authentication may require a few extra seconds when signing in, but trust us, it’s worth it.

    Armed with your easy-to-remember passphrase, a password manager, and two-factor authentication, you’ll be more secure than a Swiss vault. Voilà!

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install