How to Make a Strong Password

A lot of the advice people are given about making a strong password is complete garbage.

Making a strong or secure password is stupidly simple, so if someone tells you some complex hoopla, you can ignore them as they’re just making things worse.

Let me show you the proper way to make a good password!

How To!

So, how do you make a strong and super awesome password?

You don’t.

Yup, it’s that easy. The last thing you should be doing is personally making any password.

Instead, you should be using a password generator and letting it pick the passwords. This can be from a password manager or a password generator for your password book.

Why Shouldn’t You Make Your Own Passwords?

The reason you shouldn’t make your own passwords is that you suck at it.

There, someone needed to say it.

People are way too predictable and lazy to be making their own passwords. It’s not a personal attack; if anything, it’s freeing as it’s one less thing for you to worry about.

Not only that, but when people pick their own passwords, it often leads them to picking the same or similar passwords, which is the worst thing you can do. Reusing the same or similar passwords leads to credential stuffing attacks, and it’s how most people get hacked.

What Should You Do To Make Passwords?

What you need to do is one of two things…

  1. Use a password manager
  2. Or use a password book

It doesn’t matter what path you take so long as you use a randomly generated password for every account.

Ideally, a password manager is better for most people as it will fill, save, and organize your passwords for you. A password manager is so helpful that after using one for a while, you’ll wonder how you made it this far without one.

Though a password manager is not for everyone, and that’s fine. Some people like pencil and paper; so long as you use a randomly generated password for every account, that is good enough.

Isn’t Writing Passwords Down Bad?

Writing passwords down is not bad; in fact, it’s one of the most secure things you can do.

Of course, context matters, and writing passwords down on a sticky note placed on your computer screen at work is not good. But keeping passwords in a notebook you keep hidden is quite fine.

To explain why writing passwords down is a good thing, I have a whole article on it here.

And if you write your passwords down, you’ll need a password generator, which you’ll find here; it creates over 100 passwords for you to use. Print that page out and put it in your password book so you’ll be ready to go when you need a password.

Uniqueness > Length > Complexity

All the people telling you to swap an “a” for an “@” are wrong; it doesn’t make your passwords noticeably more secure.

Also, the people telling you to make a password by using the first letter of a song or other written work are just as wrong.

When picking a password, what matters the most is that the password is unique. By unique, I mean you’ve never used this password before, and it’s not like other passwords you’ve used before.

Here are some examples of unique passwords…

  1. yCrbbjfoChUm3un7
  2. 2a!Rw?Psz8
  3. Coastline86keep
  4. zfwrp-TRHJK-42387

All the passwords were randomly generated and don’t relate to each other. There is no “Fluffy123” and “Fluffy123???” as that is not unique enough. “Football81defender” and “Eardrum43relight” are unique as they were randomly generated.

The next important factor is length.

The reason why length is not the most important factor, despite what many “experts” say, is that “maryhadalittlelamb” is long, but it’s not secure because it’s been in breaches before. Nor is taking the first letter of each word, “mhallifwwas”, strong.

Just enter “mhallifwwas” into https://haveibeenpwned.com/Passwords to see how many breaches it’s been in.
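The breach lookup described above can be done without ever sending the password itself. The following is an added example, not code from the original post: it shows the k-anonymity scheme the Pwned Passwords range API uses (only the first five hex characters of the SHA-1 are sent), run against a constructed, made-up sample corpus so it works offline.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample "breach corpus" with made-up prevalence counts. It stands in
# for the real Pwned Passwords data set; none of these numbers are real counts.
SAMPLE_BREACHED: Dict[str, int] = {
    "maryhadalittlelamb": 1234,
    "mhallifwwas": 17,
    "Football": 98765,
    "iloveyou": 2000000,
}


def sha1_upper(password: str) -> str:
    """Pwned Passwords indexes by upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity split: the 5-char prefix is the only thing that leaves the machine;
    the 35-char suffix is matched locally against the returned range."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def fake_range_response(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real service answers with one line per breached hash sharing that prefix,
    shaped '<35-char suffix>:<count>'; we build the same shape from SAMPLE_BREACHED."""
    lines = []
    for pw, count in SAMPLE_BREACHED.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str,
                 fetch: Callable[[str], str] = fake_range_response) -> int:
    """How many times the password appears in the range response (0 if absent).
    Pass a real HTTP fetcher as `fetch` to query the live service."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        s, _, count = line.strip().partition(":")
        if s.upper() == suffix:
            return int(count)
    return 0
```

Any non-zero result means the password is already in a breach corpus and fails the uniqueness test regardless of how long it is.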

You can have a long password that has still been in breaches because it’s common or easy to guess. This is why uniqueness is more important; longer does not always mean better.

Complexity is the least important because it makes your life harder without making it much more secure. Swapping an “a” for an “@” only slows you down, not the attacker, as all cracking stations know to try this trick.

Also, if the password is unique and long, there is no real benefit to making it more complex.

The password “dismay-overpower-outrage-jester” is already strong enough, and making it into “d15m@y-Ov3rpow3r-0utrag3-j3st3r” is only slowing you down and annoying you. Time would have been better spent making the password longer by one character than making this mess.
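To make the uniqueness-over-length-over-complexity argument concrete, here is an added example (not code from the original post) that generates the four styles of random password shown above with the OS random source and puts numbers on the trade-off: one extra word or character adds a fixed amount of guessing work, while a leet substitution an attacker already tries as a mangling rule adds at most log2(number of rules). The mini wordlist is constructed; the 7776 figure is the size of a standard diceware-style list.

```python
import math
import re
import secrets
import string

# Constructed mini wordlist for demonstration; a real passphrase list has ~7776 words.
WORDS = ["dismay", "overpower", "outrage", "jester", "coastline", "football",
         "defender", "eardrum", "relight", "keep", "fluffy", "lamb"]
REAL_LIST_SIZE = 7776
ALNUM = string.ascii_letters + string.digits        # 62 symbols


def random_string(length: int, alphabet: str = ALNUM) -> str:
    """Style of 'yCrbbjfoChUm3un7': every character drawn with the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_number_word(words=WORDS) -> str:
    """Style of 'Football81defender': Word + two random digits + word."""
    return (secrets.choice(words).capitalize()
            + f"{secrets.randbelow(100):02d}"
            + secrets.choice(words))


def passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """Style of 'dismay-overpower-outrage-jester'."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size: int, picks: int) -> float:
    """Guessing entropy of `picks` independent uniform choices from `alphabet_size` options."""
    return picks * math.log2(alphabet_size)


def leet_mangling_bits(n_rules: int) -> float:
    """Upper bound on what a leet substitution adds when the attacker simply runs
    each of n_rules known mangling rules against every candidate password."""
    return math.log2(n_rules)


def upgrade_comparison(base_words: int = 4, n_rules: int = 16) -> dict:
    """Bits gained over a base_words passphrase by each possible 'upgrade'."""
    base = entropy_bits(REAL_LIST_SIZE, base_words)
    return {
        "base_passphrase": base,
        "add_one_word": entropy_bits(REAL_LIST_SIZE, 1),
        "add_one_alnum_char": entropy_bits(len(ALNUM), 1),
        "leet_substitution": leet_mangling_bits(n_rules),
    }
```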

How Long Should Your Passwords Be?

As talked about earlier, the length of your passwords is not as important as how unique they are.

But length can’t be ignored once the uniqueness criterion has been met.

How long you should make your passwords will come down to personal preference.

Ideally, I shoot for 10 to 20 characters, but it can be whatever you want. Do keep in mind, you can make your passwords too long.

Isn’t Using Words From A Dictionary Bad?

Using multiple words in your passwords is fine.

What is not fine is using one word.

If your whole password is “Football,” then that is a bad password. But if your password is “Football81defender,” that is vastly better.

I have a whole post on the topic of why it’s okay to use words in your passwords.

When they say not to use dictionary words, they mean don’t use passwords found in a dictionary of already known passwords. This means already cracked passwords like “Football,” “iloveyou,” “P@ssword123,” and all the other 1,000 most popular passwords.

Should You Change Your Passwords Often?

The only time you should change your passwords is if any one of them has been exposed.

This could be when a website tells you to change it because they were hacked, you gave the password to the wrong person, or as simple as a gut feeling.

Regularly changing passwords is a thing of the past and not something we need to keep doing.

If you’re giving every account its own random password, then changing your passwords every X days is just pointless. You’re more likely to lock yourself out than to keep out an attacker.

Pick a good and random password from the start, and you make regular password changes pointless.

Should You Remember Your Passwords?

You should not try to remember all your passwords, apart from a few critical ones like your master password, your computer login password, and a few others.

The average person has over 100 passwords, and it’s growing every year.

It’s not physically possible to remember every password, which is why I suggest you use a password manager or a password book.

Write Down Your Master Password

Since your master password is used to encrypt your password manager’s vault, you mustn’t lose it.

Ideally, you shouldn’t be making your own master password either, as talked about here.

You should be writing your master password down and keeping it somewhere secure in your home. Just because you’re using a password manager doesn’t mean you miss out on the wonderful world of writing passwords down.

It’s a good idea that every home has a “just in case” folder or book that contains things like your master password, health information, what bills you have, and other mission-critical items you’ll need in a time of emergency.

If 2020 has taught us anything, being prepared for the unexpected is super valuable.

Can I Use My Password System?

From time to time, I get someone who says they have a system to make passwords.

It’s often something complicated involving using the site name, some common phrase, or whatever mess they come up with.

Don’t do this.

This is such a bad idea that I wrote an article about why it’s so bad here.

This Website Says It Will Take A Million Years To Crack My Password!

First, don’t enter your password on any website it’s not meant for.

Second, those websites don’t factor in password reuse or even passphrases. So, for a lot of them, they’re no better than some guy on the street telling you a random number that “feels right.”

Instead, we have a password cracking calculator here and a passphrase cracking calculator here.

Our calculator isn’t perfect either, but at least it is based on some real-world information and doesn’t ask you to enter your actual password.

I Don’t Trust Password Managers Or Password Books!!!

You’re in luck; I have a solution if you don’t trust password managers or password books!

Pepper your important passwords!!!

With peppering, someone getting access to your passwords won’t know the whole password.

There is no excuse not to use a password manager or even a password book!