For most online accounts, your password is the first, and sometimes only, line of defense against threat actors. As such, it’s important to give it serious thought when selecting one. We’ve collected here 8 best practice tips you can follow to ensure your passwords are strong.
Before we get into the nitty gritty, there’s one caveat. As you’ve likely discovered, different sites have different password requirements. For example, some insist you use special characters (e.g. “!@#$%^&*”) while others won’t allow them at all. Adapt the following suggestions to the particular password requirements of the account in question.
Tip #1: Avoid common or easily guessed passwords
According to NordPass analysis reports, “password” is still one of the top-5 passwords used for corporate accounts. Yes, hard to believe, but true. Also avoid “123456”, “qwerty123”, and “secret”. NordPass also publishes a list of the 200 most common passwords; treat everything on it as off limits, because attackers run these lists first, before attempting any brute force.
Also avoid simple passwords based on information that might be readily discoverable by others: for example, information available on your social media accounts. Don’t use the name of your dog, the birth dates of your children, or the title of your favourite song which you sang at karaoke and posted to Facebook last week.
Tip #2: Longer is better
Longer passwords are harder to crack. They’re harder to guess, and if an attacker runs a brute-force attack (a program that tries every possible combination of characters), every extra character multiplies the number of combinations by the size of the character set, so a short password falls far sooner than a long one. Most sites enforce a minimum length. For a while the standard was eight characters, but nowadays many sites insist on at least 12 or 16.
To put this in perspective, an attacker with a fast computer can break an eight-character password consisting only of numbers in about 37 seconds. A 16-character password of upper- and lowercase letters? Thirty-three trillion years, based on today’s best computing technology. Two caveats apply to figures like these. They assume the attacker has stolen a copy of the site’s password database and is guessing offline (the rate also depends on how the site hashed the passwords; an online login form that throttles you to a few guesses a minute is a different problem). And they assume the password is random: a 16-character password that appears in a published breach list is cracked in the first second, whatever its length.
Tip #3: Don’t leave your passwords where they can be discovered
It sounds obvious, but don’t write your password on a sticky note beside your computer where anyone walking by can see it.
Less obvious: don’t keep passwords in your email account. Attackers often break into email accounts specifically to harvest the login credentials stored inside, and your email also controls password resets for most of your other accounts. If a password is sent to you by email, record it somewhere more secure, delete the email, and change the password at first login, since copies of it now sit in at least two mailboxes.
Also, be aware of your surroundings when entering passwords or PINs in public—make sure no one is watching over your shoulder. It’s also a good idea to avoid using public wifi to access sensitive accounts.
Tip #4: Use passphrases when you can
Passphrases are a great option because they are easy for humans to remember but hard for computers to crack. For example, a four-word passphrase like “donkey-tricky-kicks-grass” is far easier to memorize than “J3!ak49&4l” and, at 25 characters, is well out of reach of character-by-character brute force. Against an attacker who guesses whole words, its strength comes from the number of words and the size of the list they were picked from, so choose the words at random (a dice-rolling word list or a password manager’s generator, not a song lyric or a quotation) and use four words as a minimum, five or six for accounts that matter. Making it easier to remember also means you’re less likely to write it down on a sticky note.
Not all accounts will allow simple passphrases (for example, many sites will insist on the use of special characters, numbers and upper- and lowercase characters), but you can combine these requirements with your passphrase to come up with something both compliant and hard to crack: e.g. “Donkey-tricky-kicks-grass!75”
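As an added example (not part of the original article), here is a Python strength estimator that ties Tips #1, #2 and #4 together. It models the three attacks described above: a lookup in a list of common passwords, a brute force over the character classes the password actually uses, and a word-by-word guess for passphrases, and it reports the cheapest one, because that is what sets a password’s real strength. The common-password set and the word list are constructed stand-ins (the real ones are far larger), and the guess rate given to crack_time_seconds is an assumption that depends on the site’s hashing and the attacker’s hardware.

```python
import math
import re
from typing import Optional

# Constructed stand-in for a common-password / breach list; real lists run to
# millions of entries and are what an attacker tries first.
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "secret"}

# Constructed stand-in for a passphrase word list. A real diceware-style list
# has 7,776 words, so the entropy estimate uses that size, not len(KNOWN_WORDS).
WORDLIST_SIZE = 7776
KNOWN_WORDS = {"donkey", "tricky", "kicks", "grass", "correct", "horse",
               "battery", "staple"}

# Character classes and their sizes for the brute-force model
# (33 = printable ASCII punctuation plus space).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
]

def brute_force_bits(pw: str) -> float:
    """Bits of work if the attacker must try every string over the character
    classes the password actually uses: length * log2(alphabet size)."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def passphrase_bits(pw: str) -> Optional[float]:
    """Bits of work if the attacker knows the password is dictionary words
    joined by a separator, optionally followed by a short suffix (the "!75"
    in Tip #4). Returns None if the password does not look like a passphrase."""
    m = re.fullmatch(r"([A-Za-z]+(?:[ \-_.][A-Za-z]+)+)([^A-Za-z]*)", pw)
    if not m:
        return None
    words = re.split(r"[ \-_.]", m.group(1))
    if not all(w.lower() in KNOWN_WORDS for w in words):
        return None
    # Each word is one pick from the list; the suffix is brute-forced on its own.
    return len(words) * math.log2(WORDLIST_SIZE) + brute_force_bits(m.group(2))

def estimated_bits(pw: str) -> float:
    """A password is only as strong as the cheapest attack that finds it."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0  # found in the first pass of a wordlist attack
    candidates = [brute_force_bits(pw)]
    pb = passphrase_bits(pw)
    if pb is not None:
        candidates.append(pb)
    return min(candidates)

def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password at the given guess rate (half the
    search space on average). The rate is an assumption: it depends on the
    hash algorithm the site used and the attacker's hardware, and an online
    login form throttled to a few guesses per minute is a different case."""
    return 2 ** bits / 2 / guesses_per_second

if __name__ == "__main__":
    samples = ["password", "12345678", "J3!ak49&4l",
               "donkey-tricky-kicks-grass", "Donkey-tricky-kicks-grass!75"]
    for pw in samples:
        bits = estimated_bits(pw)
        secs = crack_time_seconds(bits, 1e10)  # assumed offline rate vs a fast hash
        print(f"{pw:30s} {bits:6.1f} bits  ~{secs:9.3g} s")
```

Running it shows how the tips interact: “password” scores zero bits no matter how it is hashed, the random ten-character password scores about 66 bits, and the four-word passphrase scores about 52 bits under the word-guessing model (about 147 bits under character brute force, which is why only the cheaper model counts). A fifth random word brings a passphrase to roughly 65 bits, and the “!75” suffix adds about 16, which is the honest way to read the comparison in Tip #4: the passphrase’s advantage is that you can remember a long one, not that four words beat ten random characters.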
Tip #5: Change passwords when there’s reason to, and always change defaults
Many sites demand you update your password on a schedule (for example, every three or six months) and refuse recently used ones. Current guidance has moved away from forced rotation: NIST SP 800-63B recommends that sites not require periodic changes, because people respond with predictable variants (“Summer2023!” becoming “Autumn2023!”) that attackers guess first. What does matter is changing a password promptly when there is reason to think it was exposed: a breach notice from the site, a reused password turning up in a dump, a phishing message you may have answered, or a device you lost. Where a site does force rotation, let a password manager generate a completely new password each time rather than incrementing the old one.
It’s also a bad idea to keep using the initial password assigned by the vendor when installing or enabling new hardware or software. A good example is your home internet router, which acts as the gateway into your home network. Default administrative passwords for these devices are printed in manuals and collected in public lists of default credentials, and automated scanners try them against anything they find, so change it as soon as the device is set up, and turn off remote (internet-facing) administration if you don’t need it.
Tip #6: Password managers are a great option
If you feel overwhelmed by the number of passwords you need to keep track of, use a password manager. They are a valid and generally secure option, but pick one from a reputable organization, keep it updated, and protect it with a long master passphrase and MFA, since it holds everything.
Good password managers generate long random passwords for you and fill them in, so you never have to remember or type them. Because the manager only fills in a password on the site it was saved for, it also gives you some protection against phishing: a lookalike site gets nothing.
With a password manager, the only password you need to remember is the master password, while all the rest stay unique, random, and impractical to guess.
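As an added example (not code from the article or from any particular password manager), this is what the “generate a secure random password” button does, in Python. It shows the two things that matter in a generator: drawing from a cryptographic random source (the secrets module, not random), and meeting a site’s character-class policy without biasing the result. The policy and the eight-word list are constructed for the example; a real passphrase generator draws from a list of thousands of words.

```python
import secrets
import string

# Constructed word list stand-in. A real generator draws from a list of
# thousands of words (EFF's long list has 7,776); the list size is what gives
# a passphrase its strength, so eight words is far too few for real use.
WORDS = ["donkey", "tricky", "kicks", "grass", "lantern", "river", "pebble", "orbit"]

# A typical site policy (assumed for the example). The symbol set is the one
# from the article; some sites forbid symbols entirely, so adapt per site.
POLICY = {
    "length": 16,
    "require": {
        "lower": string.ascii_lowercase,
        "upper": string.ascii_uppercase,
        "digit": string.digits,
        "symbol": "!@#$%^&*",
    },
}

def complies(pw: str, policy: dict = POLICY) -> bool:
    """The check a site's policy performs: minimum length and at least one
    character from every required class."""
    return len(pw) >= policy["length"] and all(
        any(c in cls for c in pw) for cls in policy["require"].values())

def random_password(policy: dict = POLICY) -> str:
    """Uniformly random password over the union of the required classes,
    redrawn until it complies. Rejection sampling keeps every compliant
    password equally likely; the common shortcut of forcing one character
    from each class into fixed positions does not. secrets is the CSPRNG;
    never use random for this, its state can be reconstructed from its output."""
    alphabet = "".join(policy["require"].values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if complies(pw, policy):
            return pw

def random_passphrase(words: int = 5, sep: str = "-", wordlist=WORDS) -> str:
    """Diceware-style passphrase: each word is an independent uniform pick
    from the list, which is the property that makes an entropy estimate honest."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

if __name__ == "__main__":
    pw = random_password()
    print(pw, "complies:", complies(pw))
    print(random_passphrase())
```

The complies function is also handy on its own: paste a site’s stated rules into POLICY and check a generated password before the signup form rejects it.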
Tip #7: Where possible, combine with MFA
Batman and Robin are stronger together, and the same is true when you combine a strong password with multi-factor authentication, or MFA. MFA requires more than one way to verify a user’s identity: for example, a password plus a one-time code from an authenticator app or a text message. Microsoft has reported that accounts with MFA enabled are more than 99% less likely to be compromised. Not every form of MFA is equal: a code texted to your phone can be intercepted or phished out of you, an authenticator app is better, and a hardware security key (or a passkey) is better still, because it will only answer the genuine site. Not all sites offer MFA, but if they do, turn it on.
Tip #8: Don’t take the bait: Stop the phish
The strongest password in the world won’t help you if you are fooled by a phishing attempt and enter your credentials into a fake site built to steal them. Be particularly cautious about logging in from a link in an email or text message: look at the address bar and make sure the domain name is exactly the one where your account lives, not a lookalike with a swapped letter, and not the real name placed in front of a stranger’s domain (“bank.example.verify-now.example” is verify-now.example, not your bank). Safer still, ignore the link and reach the site through a bookmark or by typing the address yourself. Stay vigilant.
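Checking “is this really my bank’s address?” is harder than it looks, because everything to the left of the registrable domain is the attacker’s to choose. As an added example (not from the article), the Python function below does the check a browser’s password manager effectively performs before autofilling, against a set of constructed phishing-style URLs; bank.example stands in for wherever the account really lives.

```python
from urllib.parse import urlsplit

# Domain where the account really lives (assumed for the example).
EXPECTED_DOMAIN = "bank.example"

def is_expected_site(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the URL is HTTPS and its host is the expected domain or a
    subdomain of it. urlsplit().hostname discards userinfo ("user@") and the
    port and lowercases the host, which strips exactly the decoration a
    phisher adds; the suffix check then ignores anything to the left."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "bank.example." names the same host
    return host == expected or host.endswith("." + expected)

# Constructed examples of what lands in inboxes; only the first two are genuine.
SAMPLES = [
    "https://bank.example/login",
    "https://accounts.bank.example/login",
    "http://bank.example/login",                   # downgraded to plain HTTP
    "https://bank.example.verify-now.example/",   # real name in front of attacker's domain
    "https://bank.example@verify-now.example/",    # "bank.example" is just a username here
    "https://bank.examp1e/login",                  # swapped letter
    "https://b\u0430nk.example/login",             # Cyrillic 'a' homoglyph
]

if __name__ == "__main__":
    for url in SAMPLES:
        print("OK " if is_expected_site(url) else "BAD", url)
```

The homoglyph case is the one a human is least likely to catch by eye, and the reason “type the address yourself or use a bookmark” beats “inspect the link” as advice.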
Additional Resources:
https://www.cyber.gc.ca/en/guidance/best-practices-passphrases-and-passwords-itsap30032
https://www.cisa.gov/secure-our-world/use-strong-passwords
https://www.euronews.com/next/2024/05/11/how-long-does-it-take-a-hacker-to-crack-a-password-in-2024