The Newbie’s Guide to Creating Strong Passwords

Posted on Oct 27, 2023 by Kelly Damon

I’m sure we’ve all got the speech memorized: your password must contain at least eight characters, a number, a symbol, and a partridge in a pear tree. If you’re anything like me, you’re inevitably going to forget what you choose and resort to clicking the Forgot Password link of shame.

Strong passwords might be a hassle, but the extra two minutes they’ll cut from your day could be the difference between a safe account and a hack attack. In today’s world — where our entire lives are online in one way or the other — you can’t afford the latter.

The days of “12345” and “Password” are long gone, so what’s the best and safest way to keep up with the times? Consider this your comprehensive guide to passwords — how to create effective ones, why they’re non-negotiable, and why we’re in this position in the first place.

What’s the Deal with Passwords?

It’s not something we think about often, but passwords aren’t a young idea. Most sources credit their origin to ancient Rome, when sentinels used watchwords to distinguish enemies from comrades. 

They’ve also been prominent for most of history, from identifying bootleggers during Prohibition to separating allies from German forces during World War II. Let’s not forget about entertainment — passwords have central roles in stories like Ali Baba and the Forty Thieves, Harry Potter, and even The Lord of the Rings.

Passwords as we know them came about in 1960 at MIT. Personnel needed a way to separate their sessions and files on shared devices, so a computer scientist named Fernando J. Corbató took matters into his own hands and developed modern passwords.

They were the simplest and most effective way to solve MIT’s problems, so, naturally, other institutions adopted them — namely the military and research facilities, since the PC hadn’t made its way into households yet.

We’ll have to cut Dr. Corbató some slack for this, but one big issue was that his original password system had a security flaw. Users could simply print out all stored passwords and access any session they desired. Some accounts claim users would do this to sneak more than their allotted hours in, while others would leave nasty messages for associates they didn’t get along with.

With the dawn of the personal computer, passwords became more than a solution to MIT’s time-sharing problem. They evolved into a necessary security measure no one in cyberspace can do without. Rather than protecting military secrets and classified information, they do something far more important: they protect our privacy.

⚠️ Types of Password Hacks

Brute Force Attacks

Simple Brute Force Attack
Hackers obtain your password by systematically attempting possible combinations until they succeed.
Dictionary Attacks
Similar to a simple brute force attack, a hacker goes through a list of common words until they find a match.
Credential Stuffing
Since many people use the same password for multiple accounts, if a hacker discovers your password, they’ll try your credentials on other sites to see if they can get in.
Password Spraying
This is when a hacker obtains a large list of usernames and attempts to log in using one password until they find matches. If the password is unsuccessful, they’ll move onto a new one.
Spidering
Sometimes hackers crack passwords simply by paying attention. In spidering, a cybercriminal studies your account, compiles a list of words you’re likely to use, and deciphers your password from there.
Rainbow Table
Some companies protect your password with a process called hashing, which replaces the stored password with a scrambled, one-way cryptographic value. A rainbow table is a precomputed lookup tool cybercriminals use to work backwards from that value to the password that produced it.
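As an added illustration (not part of the original post), the Python below shows why a store of plain, unsalted hashes is exposed to a precomputed lookup, and how a random per-user salt plus a slow key-derivation function defends against it. It uses only the standard library; the two usernames, their shared password and the three-entry word list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happened to choose the same password.
USERS = {"alice": "sunshine", "bob": "sunshine"}
# Constructed three-entry "common passwords" list. A real precomputed table
# covers millions of entries, is built once, and is reusable against any site
# that stores unsalted hashes.
COMMON = ["password", "sunshine", "letmein"]


def unsalted_hash(password: str) -> str:
    """A plain, fast, unsalted digest: the same password always produces the
    same hexdigest, for every user on every site that stores it this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def exposed_accounts(store: dict, common: list) -> dict:
    """Defender's audit: which unsalted records match a precomputed digest?
    The lookup is an ordinary dictionary built once from a word list; that
    one-time precomputation is the shortcut a rainbow table provides."""
    lookup = {unsalted_hash(w): w for w in common}
    return {user: lookup[digest] for user, digest in store.items() if digest in lookup}


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Salted, slow hashing with PBKDF2-HMAC-SHA256 from the standard library.
    A fresh random salt per user means equal passwords get different digests,
    so a table computed in advance is useless, and the iteration count makes
    every individual guess expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


if __name__ == "__main__":
    unsalted_store = {user: unsalted_hash(pw) for user, pw in USERS.items()}
    print("unsalted store:", unsalted_store)  # alice and bob share one digest
    print("exposed:", exposed_accounts(unsalted_store, COMMON))  # both recovered

    salted_store = {user: make_record(pw) for user, pw in USERS.items()}
    print("salted digests differ:", salted_store["alice"]["digest"] != salted_store["bob"]["digest"])
    print("alice logs in:", verify("sunshine", salted_store["alice"]))
    print("wrong password:", verify("Sunshine", salted_store["alice"]))
```

The salted store still lets a legitimate login succeed, because the salt is stored next to the digest and is not secret; what it removes is the ability to prepare the lookup before the breach.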

Social Engineering

Phishing
Phishing is when scammers masquerade as legitimate brands, contact you, and request your personal information or credentials. Often, these scammers pose as tech support and lie about issues with your account, or they try to lure you in with news of fake giveaways and prizes they claim you’ve won.
Spear Phishing
Instead of pretending to be trusted brands, scammers might pose as someone you know — a good friend, a relative, or a colleague — in hope you’ll more readily reveal your credentials or private information.
Whaling
As if phishing weren’t already bad enough, a whale phishing attack is when scammers impersonate your boss (or any senior at work) and demand your credentials from you. Most people don’t think twice.

Eavesdropping

Man-in-the-Middle
This is when hackers position themselves between you and the website you’re accessing without your knowledge, to intercept your data or communications. Sometimes they listen in and steal your data, other times they redirect you to dodgy websites that do the heavy lifting for them.
Keylogging
A keylogger records everything you type on your computer. Sometimes they’re used legitimately, but more often than not they’re spyware, and cybercriminals use them to figure out your credentials.
Shoulder Surfing
If you’re not careful, cybercriminals don’t have to go to great lengths to break into your account. Some hackers simply watch you log in and make a mental note of your password.

Why Simple Passwords Put Your Privacy at Risk

Quick quiz: If you acquired a large sum of money, where would you rather keep it?

  1. In your lunchbox in the communal fridge at work
  2. In a safe in your garage
  3. In a vault at the bank

A communal fridge isn’t safe at all — think about lunch thieves. They simply look to see whose lunch they can take, and they do. A safe might suffice, but it comes with some issues. It obviously has valuables in it, and a determined enough thief could steal the whole thing and find a way to break it open later. Option 3 is your best bet, because even though breaking into a bank is not impossible, it’s the furthest thing from easy.

This same logic applies to passwords. Cybercriminals really want your data, and silly, sentimental, or simple passwords won’t stop them from getting to it. They depend on your carelessness to do what they do, and prey on people who aren’t tech-savvy or careful.

As with a bank, you can count on the fact that cybercriminals will try, so the best you can do is make it as difficult as possible for them to succeed. 

How to Create the Strongest Password Possible

1. Focus on Length

The more characters in your password, the trickier it becomes for cybercriminals to decode it, for two reasons. 

Firstly, longer passwords are more difficult to guess, so they reduce the likelihood of a successful brute force attack. Secondly, most hacking software attempts every possible character combination until it finds a match. In this case, more characters means exponentially more possible permutations.
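To put numbers on the two reasons above, here is an added example (not from the original post) that computes the search space, its size in bits, and the worst-case time to exhaust it at an assumed guess rate. The alphabet sizes are exact counts of the character sets named; the guess rate is a constructed figure you plug in, since the real rate depends on the hashing scheme and hardware.

```python
import math

# Exact sizes of the character sets a typical password rule refers to.
ALPHABETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}


def search_space(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet.
    Each extra character multiplies it by alphabet_size, which is the
    'exponentially more permutations' the post describes."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """The same quantity on a log scale: every added character contributes
    log2(alphabet_size) bits, so length adds bits linearly while the number
    of guesses grows exponentially."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every combination at the given guess rate.
    On average a guesser needs about half of this, and a password drawn from
    a word list rather than uniformly is found far sooner."""
    return search_space(length, alphabet_size) / guesses_per_second


def comparison_table(lengths=(8, 12, 16, 20), guesses_per_second: float = 1e10) -> list:
    """Rows of (alphabet name, length, bits, years to exhaust)."""
    seconds_per_year = 365.25 * 24 * 3600
    rows = []
    for name, size in ALPHABETS.items():
        for n in lengths:
            years = seconds_to_exhaust(n, size, guesses_per_second) / seconds_per_year
            rows.append((name, n, round(entropy_bits(n, size), 1), years))
    return rows


if __name__ == "__main__":
    # 1e10 guesses/second is a constructed, illustrative rate, not a measurement.
    for name, n, bits, years in comparison_table():
        print(f"{name:20s} len={n:2d}  {bits:6.1f} bits  {years:12.3g} years")
```

Reading the table, going from 8 to 16 lowercase characters squares the search space, whereas widening the alphabet from 26 to 95 at a fixed length 8 multiplies it by roughly (95/26)^8, which is why the post puts length first.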

2. Implement Complexity the Right Way

Length isn’t the be-all-end-all of password security, and sometimes the site you’re signing up for will have a character limit anyway, so don’t rely on length alone. You’ll have to add a curveball or two to the mix.

When you set up a new password, you’ll almost always be prompted to include a letter, number, and special character. This is to add complexity — for the same reason above. It creates more work for cyberthugs who want to break into your accounts.

Here’s the problem. You might not have ever been taught how to add complexity effectively. 

Capitalizing every word, replacing a vowel with @, adding 1 to it, and ending with an exclamation point or question mark is the oldest — and therefore most predictable — trick in the book.

M@ryHadlittlelamb1! is just as ineffective as admin123 because it’s obvious. M#r¥h*d1l!tTleL@mB) on the other hand, not so much. 

If you want to be really creative, you could throw in a few foreign characters. For example, if you’re an English speaker, try Kanji, umlauts, or Cyrillic letters. But keep in mind, you might be limited by your device or the website you’re signing up for.

The above is just an example. Please never use anything referencing Mary and her pet for your passwords. It’s so overused it’s become the standard example of what not to do.
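As an added example (not code from the original post), here is the kind of check a sign-up form can run to catch exactly this predictable "complexity". It strips the trailing digits and punctuation, undoes the usual substitutions, lowercases, and asks whether what remains is just dictionary words glued together. The word list and substitution map are constructed for the demo; a real checker would load a large dictionary and leaked-password lists, and would try several readings of ambiguous characters such as 1.

```python
import re

# Constructed mini word list. Single letters cover the "a" and "I" that
# appear inside phrases.
WORDS = {
    "mary", "had", "a", "little", "lamb", "john", "doe", "admin", "password",
    "facebook", "welcome", "let", "me", "in", "i", "love", "you", "summer",
}

# The substitutions the post calls the oldest trick in the book.
# 1 is read as i here; a fuller checker would also try l.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12


def normalize(password: str) -> str:
    """Drop leading/trailing non-letters (the '1!' suffix), undo the common
    substitutions, lowercase. Unusual characters inside the word are not in
    the map, so they survive and keep the string from segmenting."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.translate(LEET).lower()


def is_word_sequence(s: str, words: set) -> bool:
    """Dynamic-programming word segmentation: ok[i] is True when s[:i] can be
    split entirely into dictionary words."""
    ok = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        for start in range(end):
            if ok[start] and s[start:end] in words:
                ok[end] = True
                break
    return ok[len(s)]


def check_password(password: str) -> dict:
    """Return the reasons a password would be rejected; none means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(password)
    if core and is_word_sequence(core, WORDS):
        reasons.append(f"dictionary words in disguise: {core!r}")
    return {"weak": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["M@ryHadlittlelamb1!", "admin123", "JohnDoe1", "M#r¥h*d1l!tTleL@mB)"]:
        print(candidate, "->", check_password(candidate))
```

The first three candidates are rejected because, once the decoration is removed, they are nothing but words; the last one survives this particular check because the substitutions it uses are not the predictable ones.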


3. Never Use Personal Information

Most people choose sentimental passwords because they’re easy to remember, but if you have any presence online, chances are you’re advertising your credentials without even realizing it.

Think about all the personal details you share — everything from your name, birthday and warm memories of your hometown, to your favorite sports team, celebrity crush, or where you went on honeymoon. Never add these details to your password; you never know who’s watching you.

TaylorSwiftStan1993 might be hardwired into your brain, but ease of access isn’t worth the security risk.

4. Don’t Be Repetitive

If you made your Facebook password JohnDoeFacebook, and a hacker figures this out, what do you think their next step will be? They’ll try JohnDoeInstagram, JohnDoeYouTube, JohnDoeTikTok, and so on and so forth. The same applies to updated passwords. If your password is JohnDoe1, never update it to JohnDoe2.

Small variations like this might seem like a good idea, but they’re the opposite. We’re creatures of habit, and cybercriminals know this. It’s yet another pattern they’ve learned to check for and exploit.

5. Use a Password Generator

When creating your logins, you should try to create as chaotic a password as you can. If a cybercriminal were to attempt a brute force attack, randomness reduces the chances of them guessing your password correctly.

It protects against hacking software too, to a point. Most hacking tools use specific and systematic algorithms. The more inconsistent your password is, the longer it will take machines to crack it.

The problem is, we’re really bad at creating true randomness, because of something called patternicity — our natural inclination to seek patterns in everything. To add to this, creating lengthy, complex and unpredictable passwords is harder than it sounds, so what do you do?

While you could try your best to slap something together, you could always rely on a password generator to do it for you. Computers aren’t capable of creating true entropy, but a generator is the closest we’ll ever come. Randomly generated passwords are often customizable (in length, if nothing else), and they remove personality entirely. Hackers can’t pick up on clues, and your credentials will be safer than if you thought of a password yourself.
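Here is what a password generator does under the hood, as an added example rather than code from the original post or from any particular product. It draws every character from the operating system's cryptographic random source through Python's `secrets` module (never the `random` module, which is predictable), uses rejection sampling so the draw stays uniform while still satisfying "at least one of each class" rules, and also generates a word-based passphrase. The eight-word list is constructed for the demo; a real list is far larger (the EFF long word list has 7776 entries, about 12.9 bits per word).

```python
import secrets
import string

# Character classes a generated password is required to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 characters

# Constructed eight-word list for the passphrase demo only.
DEMO_WORDS = ["copper", "lantern", "meadow", "orbit", "quartz", "velvet", "willow", "zephyr"]


def generate_password(length: int = 20) -> str:
    """Each character is an independent uniform draw from the OS CSPRNG.
    Rejection sampling (redraw the whole string until every class appears)
    keeps the distribution uniform over the accepted strings, unlike the
    common shortcut of forcing one character per class into fixed slots."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(word_count: int = 6, words=DEMO_WORDS, separator: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform draw, so
    the strength comes from list size and word count, not from the words."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def covers_all_classes(password: str) -> bool:
    """Policy check: every class present and no character outside the alphabet."""
    return all(any(ch in cls for ch in password) for cls in CLASSES) and all(
        ch in ALPHABET for ch in password
    )


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(32))
    print(generate_passphrase())
```

A 20-character draw from 94 symbols is about 131 bits, so the rejection loop almost never runs more than once or twice; the passphrase is the option to reach for when the password must be typed from memory rather than pasted from a manager.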

Best Practices for Creating Strong Passwords

Your job isn’t done once you’ve created a strong password. These 5 tips will further ensure nasty cyberthugs can’t get their hands on your data.

1. Never Leave a Paper Trail

Making a note of your password isn’t a crime, and I’m willing to bet most of us have resorted to it at some point, but if unwelcome eyes were to stumble upon it, they’d gain immediate access to your accounts. If you need a reminder of your password, keep it cryptic and out of sight. You could also opt for a password manager, to make your life a little bit easier.

2. Never Click on Suspicious Links

Here’s a rule of thumb: if links or attachments seem dodgy, they are. Whatever you do, do not click on or download them. Nine times out of ten, they’re phishing bait intended to acquire your credentials, by interception or malware. 

Don’t ever share your password with anyone, especially online. Companies will never ask for your credentials or sensitive information, for any reason. If someone is actively trying to obtain your logins or personal details, run for the hills.

3. Use Different Passwords for Different Accounts

If the worst happens and someone steals your credentials, the last thing you want is for them to have access to all of your accounts. Never use the same passwords across your apps. All it would take is a single data breach for a cybercriminal to hijack your entire digital life. It’s more of a hassle to remember dozens of passwords, but it’s a small price to pay for extra security.

4. Don’t Change Your Credentials Unnecessarily

The National Institute of Standards and Technology (NIST) recommends against arbitrarily changing your password. Not only will it affect your ability to recall your passwords, it also has no significant impact on digital security. If you have a strong password, keep it!

5. Use Other Security Tools

Multi-factor authentication is your best friend. It requires your intervention before any of your profiles is accessed, whether by your biometrics, an email confirmation, a one-time PIN, or a physical security token. This way, even if someone else were to acquire your credentials, they’d still be locked out of your accounts.

A VPN won’t protect your password by default, but it will prevent cybercriminals from tracking you or intercepting your connection. Download PIA to double down on security. You’ll get all the tools you need to reinforce your privacy, including world-class encryption, a Kill Switch, DNS Leak Protection, and a free ad blocker.

Are Password Managers Safe?

Good password managers are generally the safest way to keep your passwords in good standing, because they’re encrypted. If a cybercriminal were to get their hands on your secrets, they wouldn’t be able to decipher them, and your data would be useless (and untouched). 

You’re better off with a password manager than without one, but you should still proceed with caution. They’re excellent tools, but they’re not impenetrable. Many have experienced data breaches, and in a few cases, sensitive user data was successfully acquired by the attackers.

Offline password managers aren’t as convenient, but since they store your password vault on your device rather than a cloud or remote server, their attack surface is significantly smaller.

As with anything, do your research and double check your preferred password manager’s reputation and history before you commit. 

Don’t Invite the Vampires In

All this talk of passwords has reminded me of G.I. Joe: A Real American Hero. When I was a child, I was obsessed with the NES game, but I was so bad at it, and used Rock ‘n Roll’s password so many times, I recall it to this day.

Speaking of the Joe team, remember their PSA, knowing is half the battle? We were never told what the other half is, but we suspect it’s action. Knowledge doesn’t serve us much if we don’t do anything with it. 

The truth is, there is no lazy way to strengthen your passwords — unless you opt for a password manager. Even then, multifactor authentication is recommended to be on the safe side. 

More importantly, you can’t afford to rely on passwords alone to protect you. You could create the strongest password in the world, but it won’t matter if you don’t practice good digital hygiene.

2 Comments

  1. Lindsey John

    Creating a strong password is paramount in today’s digital landscape. Your post offers practical tips and a thoughtful approach to crafting robust defenses. The analogy of a lock and key resonates, and the emphasis on the human element in password creation is appreciated. Thanks for the valuable insights!

    Check out this blog as well:

    https://passwordwp.com/improve-wordpress-login-security/

    6 months ago
    1. Nur Al Halah

      Thank you for the kind words, Lindsey. We’re glad you enjoyed the article!

      4 months ago