A strong password is your first line of defense against cybercrime. After all, some of your most important information is locked behind a handful of characters, and there’s no shortage of people looking to use whatever means possible to find out those characters. Fret not, however: we’re going to show you how to set up a strong password.
The short answer: to create a strong password, you need a password generator, which uses a combination of letters, numbers and special characters to generate something unique. You’ll also need to use a password manager, which takes those randomly generated passwords and stores them in a secure vault.
Our go-to recommendation is 1Password, which combines a slew of features, excellent security and a no-nonsense user experience under a fairly cheap price tag. You can read our 1Password review to see why we rate it as the best password manager around, or give it a shot yourself with a 30-day free trial.
What Makes Some Passwords Weak?
With minimum password requirements on nearly all websites, most people have an understanding of what makes a password secure. You should use some capital letters, a few numbers and, if you’re really feeling up to it, a special character or two. Although it’s easy to understand what makes a password safe, it’s not as easy to understand what makes one weak.
When it comes to the safety of your passwords, it’s all about odds, which we’ll explore throughout this guide. Attackers who want to access your passwords usually do so by running a program that can guess possible combinations. Given a set of criteria, the machine can figure out your password simply by brute forcing every possible combination of characters.
As an example, imagine you knew that the password to someone’s account was composed of three single-digit numbers, each from zero through nine. There are only 1,000 possible combinations of those three numbers, so if you tried every possible combination, you’d be sure to find the correct password.
That’s the logic behind what makes a password strong versus weak. The more possible combinations your password has, the harder it is to brute force attack. That’s the defining principle when it comes to setting strong passwords. The goal is to make your password long, unique and random, making it infeasible for a computer to guess.
Passwords vs. Passphrases
Many use “password” and “passphrase” interchangeably, referring to the key you use to secure your accounts online. In the world of online security, however, the two terms hold very different meanings.
A quick Google search on how to set a strong password will result in a list of articles detailing how a passphrase is beneficial to securing your online accounts. That’s true, though it’s not the best solution. A passphrase is a series of words — typically three or four — written in sequence that’s easy for you to remember.
An example of a passphrase could be “yellowdogballoon.” There are a number of benefits to a password like this over something like “dog805.” It’s long, the words don’t really have any relationship to each other, and it’s difficult for a machine to guess not only the words, but the sequence they’re in.
Furthermore, a passphrase is easy to remember, which is why it’s hailed as the ideal solution for securing your online accounts. A much better solution is a long, random password that you store with a password manager. Sure, a bundle of gibberish isn’t easy, or even possible, to remember, but it is safer.
Breaking Down the Math
Password managers usually come with a password generator (if not, you can use our own password generator). These tools use a random number generator with a list of criteria, such as the number of characters and certain letters, to create a new password. This solution is far more difficult to crack than a passphrase.
Before getting to some math, let’s talk about how password attacks happen. When a hacker steals passwords, the passwords are in a hashed form, making them unreadable. In order to uncover the passwords, the attacker uses a program that guesses possible passwords and combinations, hashing each guess and comparing it with the stolen hashes, which is often referred to as a dictionary attack.
Using the above “yellowdogballoon” example and the 470,000 or so words in the Oxford English Dictionary, there are 1.03823e+17 possible combinations of three-word passphrases (more than 103 quadrillion, for those unfamiliar with scientific notation).
We can apply the same math to a password with the same number of characters, though with each character chosen independently. There are 94 possible characters on a U.S. keyboard, not including a space. Applying the same calculation with 16 positions instead of three, we get 3.7157429083e+31 — or 37.16 octillion — possible combinations.
The passphrase system is still a better solution than using the same, easy-to-remember password across all of your accounts.
Factoring in the fact that password managers exist, however, the use of passphrases is trying to solve a problem that doesn’t need to exist. By the numbers, randomly generated passwords are more secure, making a password manager essential in the fight against cybercrime.
Tips for How to Set a Strong Password
Having provided some knowledge about what makes certain passwords more secure than others, it’s time to go over our four tips for setting a strong password.
These are guiding principles when signing up for an account, but you can skip the hoopla by just using a password generator with any password manager. There are plenty of free options, too, as you can read in our best free password manager guide.
Make It Random
Randomness is the name of the game when it comes to setting a strong password. Although true randomness is somewhat of a pipe dream, you can get pretty close with a password generator. Ideally, when you sign up for a new account online, you’ll generate a password with your password manager.
LastPass, for example, can quickly generate and fill a unique password whenever you sign up for a new account (read our LastPass review for more on that). The important thing here is that the password shouldn’t be recognizable through any pattern.
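What a password generator does under the hood, as an added example that is not code from any of the password managers mentioned here: each character is drawn from the operating system's cryptographic random source. The names generate_password and require_all_classes, and the rule that every character class must appear, are assumptions for illustration.

```python
import secrets
import string

# The four character classes on a U.S. keyboard: 26 + 26 + 10 + 32 = 94 symbols.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)


def generate_password(length=16, require_all_classes=True):
    """Return `length` characters drawn uniformly at random from ALPHABET.

    generate_password and require_all_classes are illustrative names, not
    the API of any real password manager.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if require_all_classes and length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is predictable
        # and is not suitable for generating passwords.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes:
            return candidate
        # Rejection sampling: discard the whole candidate and redraw instead
        # of forcing, say, a digit into a fixed slot, which would add a pattern.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


if __name__ == "__main__":
    print(generate_password())      # 16 characters, the length used above
    print(generate_password(24))    # a longer password from the same alphabet
```
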
Make It Unique
In isolation, randomness should make your password unique, but that’s not the focus of this tip. Each of your online accounts should have a different password generated using a password manager. That way, the number of possible combinations of passwords across your accounts goes up significantly.
The logic behind this practice isn’t hard to figure out; if you reuse one password everywhere and an attacker figures it out for one of your accounts, they have the password for all of them. Furthermore, unique passwords across your accounts provide some damage control.
A lot of online services have ineffective security practices, allowing a crafty attacker to figure out your password. Should they access it, at the very least they’ll only crack one password. Consequently, that’s only one password you need to change, too.
Longer Is Better
As described above, the more characters your password has, the tougher it is to crack. In the above example, we used 16 random characters, leading to 37 octillion possible combinations. Moving down to 10 random characters, the possible combinations are around 53 quintillion (18 zeros after 53).
It’s a massive number by any metric, but it’s not as massive as 16 characters. Each additional character you add to your password exponentially increases the number of possible combinations your password could have, making it that much more difficult to crack. We recommend anywhere above 12 characters, but higher is obviously better.
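The keyspace figures from the math section and the length comparison above can be reproduced with the added example below (not part of the original article), which also goes one step further and asks how long each kind of secret must be to match the other. The guess rate is a hypothetical value chosen only to give a sense of scale, and every count assumes each character or word is picked uniformly at random.

```python
import math

KEYBOARD_CHARS = 94          # printable characters on a U.S. keyboard
DICTIONARY_WORDS = 470_000   # word count used for the passphrase example
ASSUMED_GUESSES_PER_SECOND = 10**10  # hypothetical attacker speed, for scale only
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(symbols, length):
    """Count of possible secrets when each position is picked independently
    and uniformly at random from `symbols` choices (exact integer)."""
    return symbols ** length


def entropy_bits(symbols, length):
    """The same quantity on a log scale: bits of entropy."""
    return length * math.log2(symbols)


def min_length_to_match(target, symbols):
    """Smallest length whose keyspace reaches `target`; integer math only,
    so there is no floating-point rounding near the boundary."""
    length, space = 0, 1
    while space < target:
        space *= symbols
        length += 1
    return length


def years_to_exhaust(space, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years to try every candidate at the assumed guess rate."""
    return space / rate / SECONDS_PER_YEAR


def compare():
    """Rows of (label, keyspace, bits, years) for the cases in the article."""
    cases = [
        ("3 digits", 10, 3),
        ("3-word passphrase", DICTIONARY_WORDS, 3),
        ("10 random characters", KEYBOARD_CHARS, 10),
        ("16 random characters", KEYBOARD_CHARS, 16),
    ]
    return [(name, keyspace(s, n), entropy_bits(s, n),
             years_to_exhaust(keyspace(s, n))) for name, s, n in cases]


if __name__ == "__main__":
    for name, space, bits, years in compare():
        print(f"{name:22} {space:.4e}  {bits:6.1f} bits  {years:.3e} years")
```

Calling min_length_to_match(keyspace(DICTIONARY_WORDS, 3), KEYBOARD_CHARS) shows how many random characters match the three-word passphrase, and swapping the arguments shows how many dictionary words it takes to match 16 random characters.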
Change It Often
Changing your passwords often is a good security practice, though a tedious one. Thankfully, modern password managers make it easy to stay up to date on how old your passwords are. For example, Dashlane offers an identity dashboard that shows all of your old passwords, as well as whether your passwords show up on the dark web (read our Dashlane review).
Dashlane also includes an automatic password changer, which can update your logins with a strong password with a single click. The list of supported sites doesn’t cover everything, but some major platforms, such as Reddit, still show up.
Of course, updating a weak password to another weak password doesn’t really solve the problem. The goal with changing your passwords often is to go from a secure password to another one, making it more difficult to pinpoint a single account’s login.
Enter the Password Manager
Thankfully, you don’t need to worry about any of these tips as long as you’re using a password manager. These tools allow you to store your logins inside an encrypted vault and autofill them in your browser. In addition to making your passwords more secure, password managers make the browsing experience easier.
There are countless options available, with tools like Dashlane, 1Password, Keeper and Bitwarden topping the list (read our Keeper review and Bitwarden review).
Although most password managers are targeted at individuals, there are plenty of multi-user options, as you can see in our best password manager for families and best password manager for small business guides.
Acting as a central hub for all of your logins, a password manager is an essential tool for any modern browser. With one, you can stop fighting the uphill battle of trying to remember passwords for all of your accounts, while adding to your online security with long, randomly generated passwords for each of your accounts.
Although it’s important to remember our tips for setting a strong password, you shouldn’t have to worry about them if you’re using a password manager. Password managers enable you to create long, random, unique passwords for each of your online accounts, aiding in security and usability in the browser.
There are plenty of other critical tools when it comes to securing yourself online, including an antivirus and a virtual private network. However, none of them are as inexpensive and easy to implement as a password manager.
How are you securing your passwords? Let us know in the comments below and, as always, thanks for reading.