Security awareness

Best Tips for Creating Strong Passwords

July 25, 2017 by Stephen Moramarco

Passwords are an important safeguard for our data, yet so vulnerable: Verizon Enterprise recently reported that 63% of breaches are due to passwords that are weak, default, or stolen.

That’s why it’s essential you use the strongest passwords possible – and different ones – for every single application or account you use.

This article is an overview of what you need to know to keep yourself and your workplace protected by creating and using robust passwords everywhere.

How are passwords cracked?

Generally speaking, hacking a password involves trying to login with as many guesses as possible, until it cracks. This sometimes done in what’s called a brute-force attack, but since some websites time out after a few attempts, others tools have cropped up that use “dictionary attacks” only using English words, for example, or common number or letter patterns that will shorten the number of tries.

There are dozens of password hacking tools available for free on the web that anyone can download (InfoSec lists 10 of them here) as well as other more sophisticated software bought and sold on the black market.

But the really scary thing is that many times hackers don’t need to use them at all. SplashData, a company that gathers information from data breaches, puts out an annual list of the top 25 most common passwords. Year after year, the top two are “password” and “12345.”

In what ways are passwords vulnerable?

As we mentioned above, the more common the password, the easier it is to get hacked. This includes not only the obvious passwords mentioned above, but birthdays, anniversaries, and number repetition. Another common problem is that many companies and/or users keep the default “admin” password out of ignorance, or simply don’t want to be inconvenienced to learn a new password.

What makes a strong password?

A strong password is generally defined as a password that would take a very long time to guess or crack. This is sometimes referred to as “password entropy” and is calculated in bits of strength. Generally speaking, you should aim for at least a 40-bit strength password. The basic guidelines here are:

  • More than 12 characters
  • A combination of letters, numbers, and special symbols (if allowed)
  • Use upper and lowercase letters, starting with lowercase first.

This obviously can make it very difficult to remember password combinations, but don’t worry, we’ll show you some tips and tricks at the end of this article.


[Free] Marine Lowlifes Campaign KitMarine Lowlifes Campaign Kit

You don’t need an unlimited budget or dozens of hours to create a truly engaging security awareness campaign. You just need the right resources and a playbook.

[Download] Free Security Awareness Kit

How often should passwords be changed/updated?

In earlier days, it was thought to be a good idea to change your password every few months, as that would prevent it from being used or sold on the black market. However, concepts have changed and security experts now feel that regularly changing passwords adds more to user frustration than increased security.

However, there are some that should be periodically changed:

  • Corporate logins
  • Social media accounts
  • Shared computer accounts
  • Email accounts (also use 2-factor authentication)

Also, if you think you’ve been hacked, received an alert, or decided it’s time to use a stronger password, by all means update it right away!

Tips & tricks for creating strong passwords

Creating strong passwords is actually not as hard as it seems, so long as you have a good guideline. Here are a few tricks we like.

Long nonsense phrase. Think of 5 different words that do not normally go together, for example “corn walrus sparkplug possession planetary”. This long connection of words makes for a surprisingly strong password and remembering it is almost as easy as a poem. In a small study conducted by USC, users were 61% more likely to remember a poem-based password and 58% for a random selection of words than a traditional number or letter combination.

Go one step further. Take these word combination ideas and remove the spaces. Next, add in a few uppercase letters and some numbers or symbols and you’ve got a pretty tight password that you can actually remember.

Create a base password and vary the endings according to the website. Ajinkya Bhamburkar, a writer at Guiding Tech showed an example of how he used a base phrase “Ajinkya@799” and then added two separate bits, one abbreviating the website he was using, and the other a number. Ajinkya admitted his version was flawed, but also made the task of creating and remembering complex passwords much easier (at least for him).

Password generating and storing tools

Finally, there are of course both password generating tools as well as password manager apps that can help with both the memory and creation problems. Two of the most popular are LastPass and Dashlane that both offer free as well as premium services. However, these third party systems also require a password; while they state that they either don’t store your password or keep it encrypted, the truth is if your master password does get compromised, there goes your entire system of passwords!

The convenience and security, along with generally positive reviews, make these a perfectly valid choice for creating and storing passwords. Then again, the old-fashioned method of writing them down and keeping in a locked drawer may give you a bit more peace of mind.

You may also be interested in these tools: – evaluates the general strength of your password using a variety of criteria and expressing in percentage. – Diceware is a password generator that uses a random combination of a fixed set of words to help you create a passphrase that is easy to remember but hard to crack. It’s very old-school, you must download the list and roll an actual set of dice. – this tool equates a strong password with a needle in a haystack. Plug in your password and find out how long it would take to find yours.

[Free Trial] Email Reporting and Threat Analysis

Sign up for a SecurityIQ free trial and try PhishNotify email reporting and PhishHunter threat analysis today!

Learn More


Posted: July 25, 2017
Stephen Moramarco
View Profile

Stephen Moramarco is a freelance writer and consultant who lives in Los Angeles. He has written articles and worked with clients all over the world, including SecureGroup, LMG Security, Konvert Marketing, and Iorad.