What Makes a Strong Password?

Apr 19, 2023

By now, we all know that the word “password” is a terrible password. But why? Because it’s easy to guess? There’s actually more to it than that. Plenty of passwords are just as simple for hackers to crack as the word “password,” because hackers rely on various programs to break into your accounts, including programs that go through the dictionary, trying literally every word until they find one that works. And once they have one password, they’re likely to gain access to more than one account, since 83% of people reuse the same password for multiple accounts.

So then, what are some ways to tell a weak password from a strong password and avoid some program figuring out your password and handing over your private information to some hacker in a dark room? Let’s take a look at the criteria for both kinds of passwords so you know what to avoid, and what are considered best practices in an increasingly account-driven online world.

What makes a weak password? 

  • Common words (cat, dog, flower, mom, etc.). Common words will be exploited by hackers using a dictionary program.
  • Personal information (kids’ names, pets’ names, phone number, birthdays, address, etc.). This information is easily accessed.
  • No randomization, meaning your password is all lowercase or has only one capital letter at the beginning. This kind of password is much easier to crack.
  • Same password used across multiple accounts.

What makes a strong password?

  • 8-12 characters at minimum. Longer passwords are harder to crack.
  • Both uppercase and lowercase letters. Randomization prevents many programs from cracking your password.
  • Includes a special symbol (& $ #). 
  • Mixing these variables in the password (ex. P@sSw0rD).
  • Having a different password for every site so a hacker can’t access all of your accounts if they get one password. Don’t be in the 83% of people who reuse passwords.

Additional tips:

  • Avoid saving passwords to your web browser. If you decide to continue saving your passwords to your web browser, at least check them regularly for vulnerabilities. You can find out how to do that for Google here and for Firefox here.
  • Change your passwords a few times a year and/or anytime you suspect one of your accounts may have been breached.

If you’re concerned about remembering your password, you have a few options:

  • The classic pen and paper option. You can buy a password book for just a few dollars. Most are organized alphabetically and unless you lose the password book itself, no one can gain access to your passwords the way they could if you save them to your browser or keep them in a notes document on your phone or computer.
  • Password services. There are services that will store your passwords securely for you. Some even recommend strong passwords for you to use–but do your research on the company before you commit to one as they are often paid services with contracts.
  • Create a formula for your passwords. A lot of tech experts recommend a formulaic approach to creating a password, so we’ve given an example of what this looks like practically. And there’s no algebra involved.

The password created below is for example purposes only; we recommend you use these principles to create your own formula:

  1. Start off the same way for each password, with a three-letter combination, mixing upper and lowercase letters. You can choose for yourself which letters will be capitalized and which will not. We’re going to use VIP:

     VIp

  2. Now replace one letter with a number or symbol:

     V!p

  3. Now, choose two letters from the domain name of the site you’re creating an account for. We’ll use www.viptsg.com as an example, and we’ll choose the first and second letters–you can choose the second and third letters, or third and fourth, or first and last, whatever works for you–and capitalize them. For us, that’s “VI”. Add those to the first part of the formula:

     V!pVI

  4. Next, add another symbol; this will be the symbol you use every time:

     V!pVI@

  5. Lastly, add a number that will be easy for you to remember, but avoid your birthday or anniversary:

     V!pVI@89

This would be our password for viptsg.com using our formula.

Say we were creating a password for Outlook instead; the password would then become V!pOU@89. The only part of the formula that changes is the two capital letters that we’re using from the domain.

By applying a rule to every account password you create or replace, you’re only having to remember the formula, but you have a different–and most importantly, secure–password for every account.
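The five steps above, worked through in Python as an added example (not code from the original post). It builds the formula password for a site, checks it against the strong-password criteria listed earlier, and reports which character positions change from one site to the next. The function names, the `outlook.com` domain, and the short `COMMON_WORDS` sample are assumptions made for illustration.

```python
import string

# Values from the article's worked example; choose your own in practice.
PREFIX = "V!p"   # steps 1-2: three letters, mixed case, one swapped for a symbol
SYMBOL = "@"     # step 4: the symbol reused every time
NUMBER = "89"    # step 5: a memorable number (not a birthday or anniversary)

# Constructed sample of dictionary words, standing in for a real word list.
COMMON_WORDS = {"password", "cat", "dog", "flower", "mom"}

def site_letters(domain):
    """Step 3: first and second letters of the site name, capitalized."""
    name = domain.lower().strip()
    if name.startswith("www."):
        name = name[4:]
    letters = [c for c in name.split(".")[0] if c.isalpha()]
    if len(letters) < 2:
        raise ValueError(f"need two letters from the site name: {domain!r}")
    return (letters[0] + letters[1]).upper()

def formula_password(domain):
    """Assemble prefix + site letters + symbol + number (steps 1-5)."""
    return PREFIX + site_letters(domain) + SYMBOL + NUMBER

def failed_criteria(password):
    """Return which of the article's strong-password criteria are not met."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("not both uppercase and lowercase")
    if not any(c in string.punctuation for c in password):
        failures.append("no special symbol")
    if password.lower() in COMMON_WORDS:
        failures.append("common word")
    return failures

def varying_positions(a, b):
    """Positions where two equal-length formula passwords differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    vip = formula_password("www.viptsg.com")
    outlook = formula_password("outlook.com")  # assumed domain for Outlook
    print(vip, failed_criteria(vip))
    print(outlook, varying_positions(vip, outlook))
    print("password", failed_criteria("password"))
```

Running it shows the formula passwords meeting every listed criterion, the word “password” failing three of them, and only the two site letters differing between accounts.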
