How to Create Good Passwords That Hackers Will Never Guess
Memorize these tips and tricks to create strong passwords and protect your online accounts
You already know to avoid using common, easy-to-guess passwords for your online accounts, but creating good passwords is easier said than done. Putting in the extra work to make unique, strong passwords is worth it, though. Why? “Without a strong password, you are making it easier for an attacker to steal from your bank account, read your health records and impersonate you on social media,” says Brian Contos, chief security officer at Phosphorus Cybersecurity.
If your favorite password shows up on a list of easy-to-crack passwords, it’s time to change it. Luckily, we can help you get started. Follow these expert-approved tips for creating good passwords—and remembering them. And be sure to read up on other important online security issues, including how to tell if your computer has been hacked, what phishing is and what two-factor authentication is.
What is a good, strong password?
Good passwords have several features in common: length, complexity, uniqueness and unfamiliarity. Make sure your passwords have all these characteristics to deter hackers and protect yourself from doxxing and other digital attacks.
When it comes to creating good passwords, longer is typically better. “Shoot for at least 15 characters,” Contos says.
Attackers use an automated software tool to try passwords until one works, but longer passwords are harder for the software to guess. “This is really about economics,” Contos explains. “You are trying to make the cracking of your password not worth the time and resources an attacker is willing to spend cracking it.”
The same theory applies to using a mix of upper- and lowercase letters, numbers and special characters in your passwords. The more complex your password is, the tougher it is to crack.
“Even adding upper-case letters can make a password cracking program take longer,” Contos says. “Add in numbers and special characters, and an attacker might just move on.”
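To put numbers on the length and complexity argument above, here is an added example (not from the article or the experts quoted) that estimates how many candidates an exhaustive search has to cover. The function names and the guess rate of 10 billion guesses per second are assumptions, and the result is an upper bound that only holds for randomly chosen passwords, since dictionary words and personal details are tried first.

```python
import math
import string

# Character classes the article mentions: lowercase, uppercase, numbers, special characters.
CLASSES = {
    "lower": string.ascii_lowercase,    # 26 symbols
    "upper": string.ascii_uppercase,    # 26 symbols
    "digit": string.digits,             # 10 symbols
    "special": string.punctuation,      # 32 symbols
}

def alphabet_size(password):
    """Size of the combined alphabet an attacker must search to cover this password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size

def search_space_bits(password):
    """log2 of the number of candidates: length * log2(alphabet size)."""
    n = alphabet_size(password)
    return len(password) * math.log2(n) if n else 0.0

def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case years to try every candidate at an assumed guess rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample passwords, chosen only to vary length and character classes.
    for pw in ["qzvkmwrt", "qzVkmWrt", "qzVk3Wr7", "q#Vk3W!7", "q#Vk3W!7mT&x9Lp"]:
        print(f"{pw!r:20} len={len(pw):2} alphabet={alphabet_size(pw):2} "
              f"bits={search_space_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

Each added character multiplies the search space by the whole alphabet size, which is why going from 8 to 15 characters matters far more than adding one symbol class to a short password.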
Repeating or reusing passwords is one of the biggest password mistakes people make, according to Contos. Each password you create should be new and unique, or you could be putting your information at risk.
If your password is leaked in a data breach, every account that you used that password for becomes vulnerable. That also goes for these everyday items that are vulnerable to hacking.
“By setting unique passwords—ones you use for one, and only one, of your accounts—you limit the potential damage if or when an online service you use is breached,” says Tom Hickman, chief innovation officer at ThreatX. “Instead of the hacker gaining access to all of your online accounts, you limit them to just one.”
Finally, you should never pick a password with personal information that could be easily found online, such as your birthday or the names of your children or pets. It’s likely that hackers will try different combinations of those words and numbers first, Contos says. He recommends using a password that can’t be found in the dictionary, like a random collection of letters and characters.
FYI, there are not-so-good things hackers can do with your phone number, so remain vigilant in that regard too.
How can you create good passwords?
If you have ever been hacked on Instagram or needed to know how to recover a hacked Facebook account, you’ll know the importance of picking good passwords. Making strong passwords doesn’t have to be a headache, though. Here are some ways to create complex, unique passwords for every online account without repeating them.
Use a password generator
Digital password vaults, which store and protect passwords for all your online accounts, can often suggest strong, unique passwords for you to use.
You can also find free password generators online. The Norton Identity Safe Password Generator allows you to customize each password by length and type of characters, including letters, numbers, mixed cases and punctuation.
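As an added illustration of what such a generator does (this is not Norton's code or any vault's implementation), the sketch below builds a password of a chosen length from the selected character types using Python's `secrets` module, which draws from the operating system's cryptographic random source. The function name and its parameters are assumptions made for the example.

```python
import secrets
import string

def generate_password(length=15, lower=True, upper=True, digits=True, punctuation=True):
    """Return a random password containing at least one character from each enabled type."""
    pools = [pool for pool, enabled in (
        (string.ascii_lowercase, lower),
        (string.ascii_uppercase, upper),
        (string.digits, digits),
        (string.punctuation, punctuation),
    ) if enabled]
    if not pools:
        raise ValueError("enable at least one character type")
    if length < len(pools):
        raise ValueError("length is too short to include every enabled type")

    alphabet = "".join(pools)
    # One guaranteed character per enabled type, the rest drawn from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    # Shuffle with the OS random source so the guaranteed characters
    # do not always sit in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    print(generate_password())                          # 15 characters, all four types
    print(generate_password(24, punctuation=False))     # for sites that reject symbols
    print(generate_password(6, lower=False, upper=False, punctuation=False))  # digits only
```

Avoid the `random` module for this purpose: it is a predictable generator meant for simulations, not for secrets.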
Choose a passphrase
Worried about remembering your password later? Contos suggests using a passphrase instead. “You’ll be surprised how easy it is to remember a longer phrase that means something to you personally instead of a shorter password of gibberish,” he says.
Try choosing a phrase that is meaningful to you, like lyrics from your favorite song or the first sentence of your favorite book.
Tweak a sentence you’ll remember with symbols
While a hacker is more likely to guess your password if it’s your beloved dog’s name than, say, a line from a book, a passphrase isn’t totally unguessable. (Especially if you share book quotes or song lyrics all over social media.)
So once you pick a passphrase you’ll remember, make it more secure by replacing the letters with symbols or numbers. The letter S can become a dollar sign ($), the letter A can become the @ symbol and the letter E can become the number 3.
What is an example of a good password?
Good passwords can be a random combination of letters, numbers and symbols, such as “fK&5#kl9&sSWn!” For passphrase ideas, try putting a math formula into words, Contos says. For example, “3+11=14” can be written as “3+EleveNequal$14.”
Contos also suggests swapping letters with symbols, such as “I ate two pizzas for dinner” but written as “I8twoPi**as4Dinner!” or “I like jazz and bourbon” written as “iL1KEj*zz&B0urb0n.”
How can you remember your password?
Lengthy and complicated passwords will protect your online accounts, but “the risk you run with good passwords is that they can end up being too good,” says Chris Pierson, CEO of the cybersecurity company BlackCloak. If your passwords are difficult to remember, you might be tempted to write them down or reuse them for multiple accounts, which exposes your info to hackers.
Knowing all the bad things hackers can do with just your email address or phone number, you can probably imagine how much damage they can inflict with your passwords. That’s why experts recommend using an encrypted password vault program, also known as a password manager, to store your passwords.
Think of a password manager as a safe that holds all your valuables. You just need to remember the code to the safe—a single strong password—to gain access to a list of your hard-to-remember passwords.
“Password managers make it easy for you to maintain numerous strong, lengthy, unique passwords for your accounts without actually having to remember them yourself,” Contos says. “Using a password manager is a lot safer than jotting down your passwords on a sticky note or storing them in a web browser.”
Pierson considers 1Password the best password manager out there. In addition to syncing your data across all your devices and browsers, “with 1Password, the security is enhanced because you use a master password to access your vault across platforms,” he says. Plus, the product will alert you if your password has been compromised so you can change it ASAP.
The downside: There’s no free version. That said, the subscription fee is fairly small.
LastPass offers a free version that lets you experience most of the features without committing to a monthly rate. Like the product but want the full range of features? You can always upgrade to a premium account.
If you’re downloading security apps and want to include a password manager, this is a good option. Just keep in mind, the free version allows you to save passwords on one device; if you want to access those passwords on multiple devices, you’ll need to upgrade to the premium account.
Like LastPass, Dashlane stores your passwords for free, but you will need to pay a little more for extra features. The free version saves up to 50 passwords on one device, while Dashlane’s premium plan saves unlimited passwords on an unlimited number of devices.
For a free password manager, check out Bitwarden. It creates and stores as many passwords as you need, with no limit. If you want to upgrade, Bitwarden also offers a premium option with multifactor authentication for additional security.
Google password manager
Google password manager, which you can access via the Chrome browser, is another free option. While it’s a convenient option for Chrome users, it is unfortunately not compatible with iPhones or other Apple devices.
Password mistakes to avoid
When creating good passwords for your online accounts, you might be tempted to write them down—but that’s a big mistake. Writing passwords down on paper is “an open invitation for a social engineering attack,” Hickman says. Anyone who finds that piece of paper, including a malicious coworker or IT contractor, will be able to access your online accounts or sell your password on the dark web to criminals.
Another common password mistake is forgetting to frequently change the passwords on your accounts. Contos recommends creating new passwords every 90 days for business accounts or every six months to a year for personal accounts.
Keep in mind that hackers know tricks to get around strong passwords with spyware, malicious software that gains access to your computer and steals your data. To protect yourself, avoid clicking pop-up windows without reading them, downloading files from unreliable sources and clicking links in phishing emails, like the common Apple ID phishing scam.
- Brian Contos, chief security officer of Phosphorus Cybersecurity
- Tom Hickman, chief innovation officer at ThreatX
- Chris Pierson, PhD, CEO of BlackCloak
- Norton: “Norton Identity Safe Password Generator”