A strong password should include a mix of lower-case and upper-case letters, numbers, and special characters. However, overall length matters even more than the characters used, because password-cracking programs exhaust shorter guesses before moving on to longer ones. A very strong password should include all kinds of characters and be at least 12 characters long. Refrain from using pet or family names, your address, Social Security number, birth date, or other personal information. It's annoying, but you must never recycle or reuse a password. Remember to change your passwords every three months or whenever there's a security incident, and lastly, don't let Chrome, Firefox, Safari, or any other browser save passwords for you.


Why Randomness is Important

Another common attack on passwords is to try common English words and the passwords many people have used before. This is called a dictionary attack, because the attacker guesses words and combinations of words from a dictionary (or from lists of previously leaked passwords) in an attempt to gain access. This is why the best passwords include a random combination of characters, symbols, numbers, and words.

Try to mix it up—for example, “BigHouse$123” fits many of the requirements. It’s 12 characters and includes upper-case letters, lower-case letters, a symbol, and some numbers. But it’s fairly obvious—it’s a dictionary phrase where each word is capitalized properly. There’s only a single symbol, all the numbers are at the end, and they’re in an easy order to guess.

Password Security vs. Memorability

One tradeoff with generating a random password is that it can be too difficult to remember for everyday use. This is where using a reputable password manager can save you countless headaches, while simultaneously increasing your security.

Password managers have oodles of upsides. You can change all your passwords without having to remember the new ones. All of your passwords are kept in one encrypted vault, accessed through an app that works on all of your devices. Password managers can help you find your weak or duplicated passwords and change them. What's more, these handy tools can also generate excellent passwords for you, following current guidelines and conventional wisdom about making them secure.

Password vs. Passphrase Generator

Another option for generating a strong random password is to use a passphrase: a combination of 4 – 6 words strung together into a mnemonic device. Because passphrases are often 20 characters or longer, they are extremely resilient to brute-force attacks. However, we recommend including at least 2 – 3 numbers and/or symbols to throw off any would-be dictionary attackers.

XKCD published the comic above many years ago, and it is still widely linked today. Throwing out all the usual advice, the comic recommends choosing four random words and stringing them together to create a passphrase. The randomness of the word choice and the length of the passphrase are what make it strong.

The most important thing to remember here is that the words need to be random. For example, “cat in the hat” would be a terrible combination because it’s such a common phrase and the words make sense together. “my beautiful red house” would also be bad because the words make grammatical and logical sense together. But, something like “correct horse battery staple” or “seashell glaring molasses invisible” is random. The words don’t make sense together and aren’t in grammatically correct order, which is good. It should also be much easier to remember than a traditional random password.

What are Bits of Entropy?

Bits of entropy measure how unpredictable your password is. The term comes from information theory; for a randomly generated password, the figure depends on the length of the password and the size of the character set it was drawn from. The more bits of entropy your password or passphrase has, the more guesses an attacker needs on average to find it.

What is the Charset Size?

The charset is simply the total number of unique characters in the password. For example, the password “abcdabcdabcdabcd” is a good length at 16 characters long, but not secure at all because the charset is only 4 characters. This is why using capital letters, numbers, and symbols is a necessary practice.
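The two sections above (bits of entropy, and charset size) and the passphrase discussion earlier all rest on the same formula: a password of L symbols drawn uniformly at random from a set of N symbols has L × log2(N) bits of entropy. The following Python is an added worked example, not code from the original article. It applies the formula two ways: with the article's own definition of charset (the distinct characters actually present in the password) and with the pool-size heuristic that many strength meters use (the sum of the character classes present), then does the same for a passphrase. The small word list is constructed for the demo, the 2048-word list size used for the four-word estimate is a typical diceware-style size assumed here, and the guess rate is illustrative only.

```python
import math
import secrets
import string

# Constructed sample word list for the passphrase demo; a real list would have
# thousands of entries, and the entropy per word grows with the list size.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "seashell", "glaring",
    "molasses", "invisible", "harbor", "velvet", "granite", "tundra",
    "lantern", "orbit", "cactus", "mosaic",
]


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `charset_size` symbols."""
    if length <= 0 or charset_size <= 1:
        return 0.0
    return length * math.log2(charset_size)


def unique_charset_size(password: str) -> int:
    """The article's definition: how many distinct characters the password uses."""
    return len(set(password))


def pool_size(password: str) -> int:
    """Common strength-meter heuristic (assumed here, not the article's definition):
    size of the pool the password appears to have been drawn from, judged by
    which character classes are present."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    return pool


def compare(password: str) -> dict:
    """Both estimates side by side for one password."""
    length = len(password)
    return {
        "length": length,
        "unique_charset": unique_charset_size(password),
        "unique_bits": entropy_bits(length, unique_charset_size(password)),
        "pool_size": pool_size(password),
        "pool_bits": entropy_bits(length, pool_size(password)),
    }


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Each word is one symbol drawn from a `wordlist_size`-symbol alphabet."""
    return entropy_bits(word_count, wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given (illustrative) guess rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(wordlist, word_count: int = 4) -> str:
    """Pick words with the `secrets` CSPRNG, never `random`, so the words are
    actually random rather than chosen to read well together."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ("BigHouse$123", "abcdabcdabcdabcd"):
        print(pw, compare(pw))
    print("4 words / 16-word list :", passphrase_entropy_bits(4, len(SAMPLE_WORDLIST)), "bits")
    print("4 words / 2048-word list:", passphrase_entropy_bits(4, 2048), "bits")
    print("32-bit search at 1e9 guesses/s:", seconds_to_exhaust(32, 1e9), "s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

The comparison is the point of the example. "abcdabcdabcdabcd" scores about 75 bits under the pool heuristic (16 lowercase characters), yet only 32 bits under the article's charset definition, and its repeating pattern makes the true figure lower still; a meter that only counts character classes will overrate it. Conversely, four words from a 2048-word list give 44 bits, and the same four words from the 16-word demo list give just 16, which is why the word list a passphrase is drawn from needs to be large as well as the choice random.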

Just remember—it's not all about password strength. For example, if you reuse a password at multiple sites, a breach at any one of them can leak it, and people will then try that leaked password against your other accounts.

Using unique passwords for every site or service, avoiding phishing sites, and keeping your computer free of password-capturing malware are also important. Yes, you should choose a strong password—but you need to do more than that. Stronger passwords won't keep you secure from every threat out there, but they are a good first step.

For example, Kyle Milliken, a 29-year-old Arkansas man, was released earlier this month from a federal work camp. Whenever users had reused their passwords, Milliken could get into their email inboxes or social media accounts and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues ran a successful spam campaign using this simple scheme, making more than $1.4 million in profits. Milliken has a message for internet users: stop reusing your passwords. He also suggests enabling two-factor authentication.
