How to choose safe passwords—and remember them, too
This story has been updated. It was originally published on March 27, 2017.
Another day, another major data breach—and another article advising you to strengthen your passwords. These secret bits of information act as the keys to all of our important online accounts, from social networks to email inboxes to bank accounts.
That’s why choosing strong passwords, and managing them well, is so important. It could be the difference between keeping your identity safe and landing your information in hackers’ hands. Your password is not the only security measure you need to think about, but it’s one of the most crucial.
Unfortunately, a lot of us are pretty bad at choosing passwords. We tend to pick ones that are easy to remember, and therefore easy to guess, and we tend to reuse them again and again. If you want to toughen up your personal password security, read on.
Best password practices
Choosing a password for your online accounts is no different than choosing a password for a secret society: It needs to be difficult to forget for members, and impossible to guess for anyone planning to gatecrash.
If you’re using “123456” or “password”, you’re putting yourself at risk, because millions of other people are also using these obvious combinations. These are the first options that most hackers will try, right before “password1” and “passw0rd”.
It’s also important to choose combinations of letters and numbers that aren’t easily guessable from public data about you. For example, a quick scan of your Facebook page can tell a hacker what date you were born or even the road you live on. So working those pieces of information into a password won’t make it impossible to guess.
Another best-practice is to choose a password that’s at least 10 characters long. The longer the password, the better; the denser the mix of letters, numbers and special characters, the better; and the more nonsensical, the better. Think about a four-digit code, using only numbers and nothing else: there are 10,000 possible combinations, but add just one more digit and that goes up to 100,000. Add in letters and special characters, and extend your password up to 10 characters and beyond, and you can see how each extra letter helps.
So how do you choose this mystical combination? Security expert Bruce Schneier suggests turning a random sentence (not a famous quotation or phrase) into your password. For example, “We love getting e-mail from Grandma, but she rarely writes one.” is a unique sentence that can become “Wlge-mfG,bsrw0.” by taking the first letter of every word (except for “e-mail,” which becomes “e-m”, and “o”, which becomes “0”). The result is a password with random letters, numbers, symbols, and plenty of digits—and one that you can easily call to mind by remembering the full sentence.
Of course, now that I’ve written this potential password in a published article, it’s no longer secure—but you can easily do this trick yourself with your own sentence. You don’t need to take the first letter of every word either. Instead of turning “love” into “l”, I could have made it “<3.” Some other examples from Schneier include:
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst = Wow, does that couch smell terrible.
- Ltime@go-inag~faaa! = Long time ago in a galaxy not far away at all.
If you’re still unsure about security, many web services will tell you how strong your password is when you create it. They’ll also guard against “brute force” attacks where multiple passwords are tried in rapid succession.
Another big password mistake is using the same password for multiple accounts. To use the secret society analogy, it means a hacker can get access to all of your clubs at once, just by breaking into the one where security is the weakest. If you’re using a different password for your primary email account, then it doesn’t matter so much if that old account you used three years ago gets hacked. But if the passwords are the same, you’ve got problems.
One option to help you remember all your account passwords is to use one random or difficult-to-guess series of letters and numbers across multiple services, but tweak the combination slightly each time. Again, this needs to be done in a way that you’ll remember but other people won’t be able to guess. If your Twitter password is “Wlge-mfG,bsrw0.Twitter” and your Gmail password is “Wlge-mfG,bsrw0.Gmail”, you’re not being particularly secure.
So how do you remember which password goes with which account? We’d definitely recommend against writing down your passwords anywhere, because it’s like leaving a master key to all your online identities in one place. Luckily, there are more secure ways to keep track of all of these passwords, and make them as strong as possible.
Managing your passwords
If you’re now thinking you’ll never remember all the passwords you need to keep on top of, don’t panic—help is at hand. Your web browser includes some basic password management options to take the strain off your overloaded brain, and you’ve got the option to upgrade to a standalone password manager as well.
First of all, it’s a good idea to add two-step verification to all of the accounts you can. It’s an extra layer of protection that makes your password less important, because it can only be used with an additional code (usually sent to your verified mobile phone). It’s like needing a ticket as well as a password to get inside your secret club, and most online accounts, from Google to Facebook, support it.
Most browsers include password management options by default, so you’ll be able to find one in Google Chrome, Mozilla Firefox, and Microsoft Edge. You might have already come across them via a pop-up box asking if you want your browser to remember a password. These passwords can usually be synced across different computers and save you from having to remember your login details each time.
[Related: You should start using a password manager]
These features are secure enough to use, as long as access to your browser is secure. Otherwise, anyone who loads up your web browser can be inside your accounts in a few clicks. In practice, this means making sure you’ve got your own password-protected user account set up on Windows and macOS, which effectively prevents anyone else from accessing your password cache.
For an even more comprehensive way of keeping your passwords organized, set up a dedicated password manager program. These applications—and there are plenty to choose from—store your passwords across multiple computers and mobile devices, and usually help you pick strong passwords as well. Unlike a written-down list of passwords, everything in a password manager will be encrypted and protected with one master password.
Most managers are free to use, but premium features are available for a price. For even more protection, they’ll usually work with two-step verification services as well. A lot of password managers also store other sensitive information for you, including Wi-Fi codes, credit card numbers, and so on.
You don’t have to look far on the web for reviews and group tests of password managers, but LastPass is one of the biggest and most well-respected services. It lets you manage an unlimited number of passwords across multiple devices, with extra features (like more registered mobile devices and priority support) available for $3 a month.
Another polished solution is 1Password, which isn’t free but does offer a free trial. You pay $3 a month for unlimited password storage on all your devices for one person, with family plans available for $5 a month. We’d also recommend you check out Dashlane and Keeper as you shop around for the right password manager for you.