How to Create Strong Passwords & General Password Guidelines

As we use the internet for just about everything, including financial services, online banking, shopping and social media, one thing is clear: strong password protection is critical! It’s important to understand that humans guessing your password are not the main concern. Instead, we are at the mercy of password cracking software that tries billions of different password combinations against ours to get into the sites we are trying to protect ourselves on.

In addition to tips for creating sturdy passwords that are likely to stump cracking software, here are general guidelines to help protect your online accounts and passwords.

  1. Create strong passwords:

    • Use combinations of uppercase and lowercase letters, numbers, punctuation and special characters.
    • Strong passwords are 8 to 20 characters long – passwords over 9 characters are difficult for hacking software to crack.
    • If you must memorize passwords, use the first letter of each word in a phrase and intersperse special characters, e.g. the Humpty Dumpty rhyme becomes H&D&s&o&a&w&H&D&h&a&g&f. On most sites you should include numbers too.
    • Avoid including your username in your password in any form (backwards, doubled, etc.).
    • Don’t use obvious passwords such as names and numbers pertaining to you or your family. “Password1” is one of the most commonly used passwords; “Monkey” and “0123456” are popular too. Stay far away from these.
  2. Check the strength of your passwords:

  3. Keep your passwords private:

    • Don’t store password lists in unencrypted computer documents. These lists can be accessed if computers are hacked.
    • Avoid storing written passwords close to your computer.
    • Pairing passwords with account names and numbers, on paper or on a device, is risky, and it’s worse if you carry that information with you. Purses, wallets, cell phones, tablets and computers are easily stolen, so why be an easy victim?
    • Refrain from storing passwords in cell phones.
    • Do not share your passwords with others.
    • Be cautious when an app asks you to enter a password to another site in order to use that app.
  4. Do not use the same logons and passwords for multiple accounts. 

    • Hackers will obtain passwords from sites that are easier to break into and will try those same passwords on more secure sites.
  5. Do not have your browser remember passwords for you.

  6. Change your passwords regularly:

    • Suggested frequency is every 3 months. If that’s not realistic for you, change them as often as you can manage. (I rarely change my own passwords because they are all extremely secure passwords created by my Password Manager.)
  7. Use a Password Manager or Biometrics:

    • Use a password manager to create unique and strong passwords and to remove the need to memorize a huge volume of passwords. Click here for the reasons I like my Password Manager. Research options such as 1Password, LastPass, KeePass, KeePassX, and RoboForm.
    • Biometrics can replace passwords or they can be used in combination with them. (I use them in combination myself.)

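The rules in item 1 above, and the point made in the comments that cracking software already tries letter-for-number substitutions, as an added Python example (this is not a tool from the article or its author): it builds the article's phrase mnemonic, lists which guidelines a candidate password breaks, and estimates the brute-force search space. The common-password set and the substitution table are constructed here for illustration only.

```python
import math
import string

# Constructed sample set; the article names the first three. Real crackers use millions.
COMMON_PASSWORDS = {"password1", "monkey", "0123456", "password", "123456", "qwerty"}
# Letter-for-number swaps that cracking software tries automatically (assumed table).
LEET_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def phrase_to_password(phrase: str, sep: str = "&") -> str:
    """The article's mnemonic: first letter of each word, joined by a special character."""
    words = [w for w in phrase.split() if w.strip(string.punctuation)]
    return sep.join(w[0] for w in words)


def keyspace_bits(password: str) -> float:
    """Log2 of the brute-force search space implied by length and the character classes used."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def password_problems(password: str, username: str = "") -> list[str]:
    """Return the guideline violations found; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 20:
        problems.append("length must be 8 to 20 characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password)]
    if not all(classes):
        problems.append("use upper, lower, digits and special characters")
    # Undo leet-style swaps before the dictionary check, because crackers do the same.
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or lowered.translate(LEET_TABLE) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if username:
        u = username.lower()
        for variant in (u, u[::-1], u * 2):  # forward, backwards, doubled
            if variant in lowered:
                problems.append(f"contains username variant {variant!r}")
                break
    return problems


if __name__ == "__main__":
    demo = phrase_to_password("Humpty Dumpty sat on a wall, Humpty Dumpty had a great fall")
    print(demo, password_problems(demo), round(keyspace_bits(demo), 1))
```

Run stand-alone it shows that the article's own mnemonic fails the checker for lacking digits, which is exactly the caveat item 1 adds.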
With never-ending data breaches, elaborate phishing scams and other cybercrimes occurring daily, it is wise to take advantage of all levels of protection available. Strong password protection is the easiest place to start!

Until next time … Stay Cyber Safe!

14 replies
  1. Joel says:

    Great tips. I like that password strength checker tool.

    I’ve used sites like http://random.pw to help me create strong, memorable passwords. Something I can easily remember, but has all the crazy numbers and special characters. It also has a password strength checker.

  2. BlahBlahBlogging says:

    I use a great password manager. It not only has two factor authentication and client-side encryption, but I can use it on any browser and it provides virtual email addresses I can use for an extra layer of privacy and spam control. It creates and stores not only strong passwords, but also usernames too.

    http://kemesa.com. There’s a free version but it’s probably not going to be enough if you use it regularly.

  3. Allison says:

    Good set of guidelines, and I was pleased to see that one old guideline (“don’t write down passwords”) was missing. (These days people have too many passwords, they HAVE to write them down – just don’t write them down in an obvious way or in an obvious location.)

    One guideline that I think was missing is to have classes of passwords. Since every site seems to require one these days, I have a couple reasonably secure passwords I use for sites that have no personal info (e.g. newspaper web site), and I don’t worry about changing them; then a totally different schema for sites with personal info, and a third schema for work.

    • Hayley Kaplan says:

      Your suggestion regarding having different classes of passwords is excellent. I actually do that myself but didn’t think to include it in the article.

      Thanks Allison!

  4. Carpool Goddess says:

    Excellent advice, Hayley. I have a hard time remembering the passwords I do have, I think I would go bonkers if I had to keep changing them. But I will. The thought of being hacked sounds awful. Thanks for keeping us safe.

    • Hayley Kaplan says:

      Carpool Goddess – I also go bonkers from changing my passwords. I prioritize password changes for those sites that have sensitive personal and financial information and I don’t worry much about the others.

  5. Bob Siegel (Privacy Ref) says:

    A timely posting Hayley! A simple trick is to do letter-number replacements such as 1 for 1, 4 for “for” or “fore”, 8 for “ate”, etc., but not to do it consistently.

    Someone also shared a tip with me about answering password reset questions that I can pass on. “Be a politician” they said. “Don’t answer what they are asking, but answer what you want to answer.” For example if the challenge question is “What was the make and model of your first car?” answer something totally unrelated like “spare ribs”. It makes it tougher to remember the correct response, but prevents bad guys from using social engineering techniques to guess the answers. (see http://privacyref.com/wordpress/2012/08/13/social-engineering-and-challenge-questions/)

    • Hayley Kaplan says:

      Bob,

      Thank you for your excellent suggestions. I’d like to second your point of not using number-letter replacements too often as hacking software takes those into account and consistent usage can reduce the effectiveness of a password.

      I hope readers of this article will read and more importantly, follow your advice in your article regarding Challenge Questions and Social Engineering. Many people are overly generous with the private information they share on Social Media and it is indeed easy to answer many of the security questions in your article by doing public searches.

      Thanks again.
      Hayley
