You probably wonder what a strong password is and if there is an easy way to create one. In this article, I will try to answer that question and provide you with some tools in the form of simple rules that, if applied correctly, can greatly improve the strength of your passwords.
A strong password is a password that satisfies three rules: Complexity, Uniqueness, and Secrecy. Complexity ensures that your password is hard to guess. It is unique because every password you use is exclusive to one particular service or system. It is secret, which means that only you know it.
This article has been inspired by a great book I have recently come across when researching the topic. The book is called Perfect Passwords: Selection, Protection, Authentication by Mark Burnett, a security consultant, author, and researcher specializing in application security.
If you are interested in learning more about passwords, I highly recommend getting a copy of his book on Amazon – Perfect Passwords: Selection, Protection, Authentication.
1) Password Complexity.
Complexity is what makes a password strong. Applied correctly, it ensures unpredictability and resistance to brute-force attacks. When creating a password, consider both its length and the diversity of its content, which you can achieve by mixing at least three of the following elements: letters, phrases, numbers, and special characters.
I believe that the common requirement of a minimum of 8 characters is obsolete, and you should definitely consider much longer passwords if the system allows them. Try to create passwords 15 to 25 characters long and make sure they follow the rules below.
- Avoid letting numbers make up more than 50% of your password.
- Use uppercase letters – not only as the first character.
- Consider using numbers throughout the password, not only at the beginning and the end.
- Use brackets, punctuation, or other special characters.
- Consider using spaces if you can.
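The rules above can be turned into a small checker. The following Python block is an added example and is not code from the article, from Mark Burnett's book, or from zxcvbn; it encodes the length, mix, digit-share, digit-position, uppercase and special-character rules exactly as listed, and adds a naive brute-force keyspace estimate so the effect of length and character mix can be seen. The guess rates in `GUESS_RATES` are assumed illustrative values, not measured figures, and a pure keyspace estimate is only an upper bound: a password built from words is found far sooner by a dictionary attack than that number suggests, which is exactly the gap a pattern-matching estimator like zxcvbn is designed to close.

```python
"""Added example, not code from the article, the book, or zxcvbn.

Turns the complexity rules into a checker and adds a naive keyspace-based
guess estimate. Attack rates are ASSUMED values chosen only to illustrate
the spread between an online login form and an offline hash crack."""
import math
import string
from typing import Dict, List

# ASSUMED guess rates (guesses per second), illustrative only.
GUESS_RATES: Dict[str, float] = {
    "online, throttled": 10.0,
    "offline, slow hash (bcrypt/scrypt)": 1e4,
    "offline, fast hash (MD5/SHA-1)": 1e10,
}


def character_classes(password: str) -> List[str]:
    """Which of the article's element types the password mixes."""
    classes = []
    if any(c.islower() for c in password):
        classes.append("lowercase")
    if any(c.isupper() for c in password):
        classes.append("uppercase")
    if any(c.isdigit() for c in password):
        classes.append("digits")
    if any(c in string.punctuation for c in password):
        classes.append("special")
    if " " in password:
        classes.append("space")
    return classes


def check_complexity(password: str) -> List[str]:
    """Return the rules the password breaks; an empty list means all pass."""
    n = len(password)
    problems = []
    if not 15 <= n <= 25:
        problems.append("length should be 15 to 25 characters")
    classes = character_classes(password)
    if len(classes) < 3:
        problems.append("mix at least three kinds of characters")
    digit_positions = [i for i, c in enumerate(password) if c.isdigit()]
    if n and len(digit_positions) > n / 2:
        problems.append("more than 50% of the password is digits")
    # Digits only in the first or last slot are the pattern the rule warns about.
    if digit_positions and all(i in (0, n - 1) for i in digit_positions):
        problems.append("digits appear only at the beginning or the end")
    upper_positions = [i for i, c in enumerate(password) if c.isupper()]
    if not upper_positions or upper_positions == [0]:
        problems.append("use uppercase letters, and not only as the first character")
    if "special" not in classes:
        problems.append("add brackets, punctuation or other special characters")
    return problems


def alphabet_size(password: str) -> int:
    """Smallest standard alphabet a brute-force attacker would need to cover."""
    sizes = {"lowercase": 26, "uppercase": 26, "digits": 10,
             "special": len(string.punctuation), "space": 1}
    return sum(sizes[c] for c in character_classes(password))


def entropy_bits(password: str) -> float:
    """Brute-force keyspace in bits, assuming the attacker knows the alphabet."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_times(password: str) -> Dict[str, float]:
    """Average seconds to find the password (half the keyspace) at each rate."""
    expected_guesses = 2 ** entropy_bits(password) / 2
    return {name: expected_guesses / rate for name, rate in GUESS_RATES.items()}


def report(password: str) -> str:
    """Human-readable summary of rule violations and estimated crack times."""
    lines = [f"{password!r}: {entropy_bits(password):.1f} bits of keyspace"]
    for rule in check_complexity(password) or ["all rules pass"]:
        lines.append(f"  - {rule}")
    for name, seconds in crack_times(password).items():
        lines.append(f"  {name}: {seconds / 86400 / 365.25:.3g} years")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample passwords: a weak one, and one built from the
    # "whiskey risky, Biscuit" passphrase the article uses later.
    for pw in ("password123", "whiskey risky, Biscuit 22"):
        print(report(pw))
```

Running the block prints one report per sample; `check_complexity` is the part worth reusing, since it returns the list of violated rules rather than a single pass/fail flag, which is what a registration form or an internal password audit needs to show the user.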
2) Password Uniqueness.
Password reuse is a bad but common practice and should be avoided. I still remember reusing my passwords. I thought that having one strong password would protect my accounts, but the truth is that once your password is compromised, the attacker will try it on other popular services to gain access.
To avoid this problem, make sure that each of your passwords is unique and used for one system only. To help you with that, you can follow the set of rules below.
- Make sure not to use common passwords, phrases, or even dictionary words.
- Don’t reuse the password – keep it unique.
- I know you are tempted to use your mother’s maiden name, but please don’t. Avoid using any dates, words, names, and other details related to you and your family.
You can also rotate your passwords, which means you should change them every three to six months to avoid stagnation.
If you are like me and struggle to remember to change your passwords, get a good Password Manager.
I have been using 1Password for a while now, and it has saved me a ton of time. It will not only remind you when your passwords are old and should be changed, but it will also notify you if your passwords were exposed in a recent data breach.
3) Password Secrecy.
This one should be self-explanatory, but there is a bit more to it than you think. Keeping your passwords secret means following these rules:
- Do not share your passwords with anyone.
- Try to avoid recording your passwords in any form.
- Don’t use your browser to save your passwords – consider using a dedicated Password Manager such as 1Password (my personal favorite), NordPass, or LastPass.
- If you ever send or receive emails with passwords – delete them.
- Avoid providing an exact answer to the Secret Questions, often offered as a recovery option when setting up an account. Just type some random phrase or sentence when asked about your mother’s maiden name, for example.
As you can see, there is nothing special about these rules. In most cases, it is just common sense that you must apply every time you evaluate or create a new password.
Creating a strong password is not difficult, but it requires self-discipline and, depending on how many passwords you have, a few minutes to go through them all, making sure they are unique and no older than a year.
Free Password Checker – Check if your Password is Strong Enough.
The amazing thing is that the book described above helped in the development of zxcvbn, a low-budget password strength estimator developed by Daniel Lowe Wheeler of Dropbox Inc.
If you would like to know more about this tool, Daniel has also published a scientific paper about it at the 25th USENIX Security Symposium; it is available under the same title as the software – zxcvbn: Low-Budget Password Strength Estimation.
Password Strength Estimator – How does it work?
Type your password below to receive feedback about your password’s entropy or strength. You will receive suggestions, the estimated number of guesses needed to crack the password, and the approximate time to crack it using different attack techniques.
Is it safe?
The script does not collect your passwords and is purely for informational purposes. I don’t even have a clue who you are. But if you are afraid to type your password below, then type a similar password instead. Typing a similar password will still allow you to see the approximate strength of your password and how you can improve upon it.
As a reference, you can check the library I’m using on GitHub, as well as the author’s scientific paper and presentation.
- GitHub – zxcvbn – Password Strength Estimator by Daniel Lowe Wheeler Dropbox Inc.
- Usenix – The Advanced Computing Systems Association – zxcvbn – Password Strength Estimation.
Password Strength Estimator accuracy.
Let’s be honest; this is just a tool that provides a close approximation of password entropy/strength and may not necessarily be 100% accurate. However, I believe it may inspire you to reconsider your existing passwords.
How do you build a strong Password?
Several techniques can help you create strong and easy-to-remember passwords. However, when it comes to passwords, there is no silver bullet, and it is up to you to create a password that satisfies all three rules of a Strong Password: Complexity, Uniqueness, and Secrecy.
In his book, Perfect Passwords Selection, Protection, Authentication, Mark Burnett outlines several techniques for creating strong passwords that are also easy to remember. I will list just a few of them, which are my personal favorite ones.
1) Use more than one word to create a passphrase.
This type of password is commonly known as a passphrase. Try to create a password using a few words that are not related but rhyme. You can use synonyms, homonyms, antonyms, or any other word combination. Make sure to add some special characters like dashes, numbers, and punctuation to make it even stronger.
Examples of passphrases:
- 22 Friday Too
- whiskey risky, Biscuit
As you can see, the passphrases created above are easy to remember but hard to guess.
2) Create a password that mimics an email address.
This one is my absolute favorite, and the book’s author’s too. You need a name, which can be real or fake. You then select a related phrase that complements the name.
Following the name and the phrase is the dot-com, dot-org, dot-abc, or any other extension you may have in mind. The extension does not have to be real, so you can come up with anything you like as long as you can remember.
Examples of passwords that mimic an email address:
Related phrase: Teacher
Password: [email protected]
Related phrase: The Dragon Capsule
Password: [email protected]
Related phrase: Hates winter
Password: [email protected]
The complexity of passwords built on the email pattern increases dramatically because of the added special characters and the overall length. At the same time, the pattern stays the same, making them easier to remember.
3) Create passwords that look like URL addresses.
Creating a password that looks like a URL address is another example of a strong, unique password that can be easily remembered if created correctly.
Below are some examples of a URL password:
4) Create passwords with letter swapping.
This is also a really nice technique, which I believe is specifically designed so that the words used in the password are less likely to appear in the password lists hackers often use in dictionary attacks. You don’t have to stop at swapping single letters; you can swap two or three letters if you like. Make sure to create passwords that are pronounceable and easy to remember.
- Personal Computer – (swap letters) – Cersonal Pomputer.
- Slow Motion – (swap letters) – Mlow Sotion.
- Chicken Breast – (swap letters) – Brick’n Chest
- Feeding a Dog – (swap letters) – deeding a fog
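The swapping itself is a mechanical step, so here is an added Python example (not code from the article or from Mark Burnett's book) that implements it: the first `k` letters of the first and last word of a phrase are exchanged, keeping the capitalisation of each slot, which is my own choice and differs from the article's lowercase "deeding a fog". A small constructed wordlist, `TOY_WORDLIST`, then shows the point of the technique from the defender's side: the original words are in the list, the swapped ones are not, so a wordlist-based check on the result comes back empty.

```python
"""Added example, not code from the article or Mark Burnett's book.

Implements the letter-swapping technique (exchange the first k letters of
the first and last word) and checks the result against a constructed toy
wordlist standing in for a real cracking dictionary."""
from typing import List, Set

# Constructed toy wordlist; a real dictionary attack would use a far larger one.
TOY_WORDLIST: Set[str] = {"personal", "computer", "slow", "motion",
                          "feeding", "dog", "chicken", "breast"}


def _recase(text: str, template: str) -> str:
    """Copy the upper/lower case pattern of template onto text, slot by slot."""
    return "".join(ch.upper() if tmpl.isupper() else ch.lower()
                   for ch, tmpl in zip(text, template))


def swap_leading_letters(phrase: str, k: int = 1) -> str:
    """Swap the first k letters between the first and last word of phrase.

    Middle words ("a" in "Feeding a Dog") are left untouched, matching the
    article's examples. Case follows the slot, not the moved letter.
    """
    words = phrase.split()
    if len(words) < 2:
        raise ValueError("need at least two words to swap")
    first, last = words[0], words[-1]
    if len(first) <= k or len(last) <= k:
        raise ValueError("words must be longer than the swapped prefix")
    words[0] = _recase(last[:k], first[:k]) + first[k:]
    words[-1] = _recase(first[:k], last[:k]) + last[k:]
    return " ".join(words)


def dictionary_hits(phrase: str, wordlist: Set[str] = TOY_WORDLIST) -> List[str]:
    """Words of the phrase that appear in wordlist (case- and punctuation-insensitive).

    An empty result is what the technique aims for; a non-empty one means a
    swap accidentally produced a real word and the phrase should be changed.
    """
    return [w for w in phrase.split() if w.lower().strip(".,!?'") in wordlist]


if __name__ == "__main__":
    # Constructed sample phrases taken from the article's own list.
    for phrase in ("Personal Computer", "Slow Motion", "Feeding a Dog"):
        swapped = swap_leading_letters(phrase)
        print(f"{phrase!r} -> {swapped!r}; dictionary hits before: "
              f"{dictionary_hits(phrase)}, after: {dictionary_hits(swapped)}")
```

Swapping more than one letter (`k=2`, `k=3`) is supported, but the result is not guaranteed to be pronounceable, so the article's advice to keep the password sayable still has to be applied by hand.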
The letter swapping can now be mixed with the URL or Email Address technique to create robust, hard-to-guess passwords.
With these three simple techniques, we were able to create several passwords that meet our three rules: complexity, uniqueness, and secrecy.
Get a dedicated Password Manager.
Although creating a strong password may no longer be difficult, storing them all might be a challenge. I have over 200 login credentials, and without a dedicated Password Manager, it would be almost impossible to maintain all of them.
I did use Sticky Password in the past due to its simplicity and offline storage. But one day I tried 1Password, and I never looked back. You can also try LastPass if you like, although I have to admit that I have not tried that Password Manager yet.
The dedicated Password Manager will not only dramatically simplify the maintenance of your passwords but will also warn you about the potential leak of your passwords in a data breach. It will also notify you when you haven’t changed your password for an extended period of time.