Posts

Passwords

How to create strong passwords and passphrases — updated from the 2009 guide with password managers and two-factor authentication.
Table of Contents

Strong passwords are important protections to help you have safer online transactions. The best approach today is a password manager that generates and stores unique passwords for every site, combined with two-factor authentication (2FA) wherever it is offered.

Keys to password strength: length and complexity

An ideal password is long and has letters, punctuation, symbols, and numbers. Even better: use a passphrase — a sequence of random words that is easy to remember but hard to guess.

  • Whenever possible, use at least 14 characters or more.
  • The greater the variety of characters in your password, the better.
  • Use the entire keyboard, not just the letters and characters you use or see most often.
  • A password manager can generate 20+ character random passwords for you — you only need to remember one master password.

Create a strong password you can remember

If you are not using a password manager yet, here is one way to create a long, complex password you can remember:

What to doSuggestionExample
Start with a sentence or two (about 10 words total).Think of something meaningful to you.Long and complex passwords are safest. I keep mine secret. (10 words)
Turn your sentences into a row of letters.Use the first letter of each word.lacpasikms (10 characters)
Add complexity.Make only the letters in the first half of the alphabet uppercase.lACpAsIKMs (10 characters)
Add length with numbers.Put two numbers that are meaningful to you between the two sentences.lACpAs56IKMs (12 characters)
Add length with punctuation.Put a punctuation mark at the beginning.?lACpAs56IKMs (13 characters)
Add length with symbols.Put a symbol at the end.?lACpAs56IKMs" (14 characters)

For everyday use, a passphrase like correct-horse-battery-staple (four random words) is even easier to type and just as strong when it is long enough.

Use a password manager

The original 2009 version linked to a Microsoft online password checker that no longer exists. A better approach today:

  • Install a reputable password manager — Bitwarden (free, open source), 1Password, or KeePass are all solid choices.
  • Let the manager generate a unique password for every account.
  • You only need to remember the one master password (make it a strong passphrase).
  • Enable 2FA on the password manager itself.

Protect your passwords from prying eyes

The easiest way to “remember” passwords is to write them down. It is okay to write passwords down, but keep them secure. See 5 tips to keep your passwords secret.

Common password pitfalls to avoid

Cyber criminals use sophisticated tools that can rapidly decipher passwords. For example, here is Passwords used by the Conficker worm — a reminder of how predictable people can be.

Avoid creating passwords using:

  • Dictionary words in any language. Words in all languages are vulnerable.
  • Words spelled backwards, common misspellings, and abbreviations.
  • Sequences or repeated characters. Examples: 12345678, 222222, abcdefg, or adjacent letters on your keyboard (qwerty).
  • Personal information. Your name, birthday, driver’s license, passport number, or similar information.

Enable two-factor authentication

Even a strong password can be stolen in a data breach. 2FA adds a second step — usually a code from an app like Google Authenticator, Microsoft Authenticator, or a hardware key — so a stolen password alone is not enough to break in. Turn it on for e-mail, banking, social media, and any account that offers it.