Guide to password security: How to create strong passwords and manage logins

We entrust a huge amount of personal data to web sites and services, data which could be enormously damaging if it is exposed, yet often all that stands in the way is a password.

Even worse, many of us are guilty of practising poor password security, making it easy for attackers to gain access.

But it doesn't need to be this way. Securing your privacy with a strong password is straightforward provided you follow some basic rules. And managing a large collection of logins can be simplified with affordable (sometimes free) tools.

The golden rules for great password security

  • Never use the same password more than once
  • Don’t use individual words or names
  • Mix upper and lower case letters, numbers and special characters
  • Use at least 12 characters when possible. The longer the better
  • Enable multi-factor authentication for additional protection whenever it is available
  • Never write down passwords or store them digitally in plain text without taking steps to secure them
  • When logging in to sites, check that they are secured with HTTPS - look out for the padlock symbol

What makes a good password?

When it comes to creating strong passwords, length is crucial.

Modern computer hardware is not only very powerful, it's affordable enough that one person on a relatively tiny budget can bring a huge amount of processing power to bear on a problem like figuring out a password.

But the longer a password, the harder it is to crack.

A short password of random mixed characters such as ‘dxs&3sA’ could, according to the Password Haystacks tool, take just 11 minutes to crack. But if we expand that to ‘dxs&3sA%M3Y!k2’ the estimated time balloons to 15 million centuries. (Estimates like these assume a particular guessing rate, so treat them as relative rather than absolute figures.)

What length should you aim for? There is no official minimum, though 12-14 characters is commonly cited. A good password of at least 12 characters would take a long time to break with current technology. But it does need to be a good password.

Length isn't everything

While length is vital, you also need to avoid passwords that could be easily guessed by either a computer or a person.

Password crackers can use books, dictionaries, music lyrics, social media posts, leaked password lists and many other sources to build up a database of common phrases and combinations. A dictionary word, favourite football team or pet’s name is worthless as a password, even if it is really long. And tricks like character replacement - such as ‘@’ instead of ‘a’ - are a well-known tactic that won’t make a password cracker break a sweat.

Password cracking is advancing all the time. Not only can home computer hardware run through billions of combinations in seconds, but well-known password generation techniques and leaked password lists allow crackers to break seemingly secure phrases by analysing common patterns. You may think you’re being clever by shifting one key over on the keyboard - so ‘password’ becomes ‘[sddeptf’ - but this can be accounted for and bypassed in the blink of an eye.

This is why, in addition to length, the key to creating strong passwords is randomness. Removing predictable human behaviour from the equation to generate long random phrases makes them practically unbreakable.

Generating secure passwords

One common technique for creating long and seemingly secure passwords is to use a memorable phrase or quote as the seed.

For example, take the first couple of lines from The Beatles' A Hard Day’s Night - "It's been a hard day's night, and I'd been working like a dog. It's been a hard day's night, I should be sleeping like a log". Using just the first letters and replacing some with numbers or characters, we get '1BahdN&ibWlaDiB4hDn!5bSlAL'.

This seems like a very robust password which would be effectively impossible to beat but could also be memorised. Yet it may not be as secure as it appears.

A study of these mnemonic passwords by Carnegie Mellon University found that 65% of people chose phrases they found through Google, and two participants even selected lyrics from the same song.

If people are likely to use well-known phrases and follow the same steps to create a mnemonic password (taking the first letter of each word, replacing characters with numbers and symbols), then crackers can add common quotes and lyrics to their attacks and greatly increase their chances of breaking very long passwords selected in this way.

This isn’t to say that mnemonic passwords are useless, but you need to be sneaky about it. Use a phrase that means something to you alone, rather than a quote from a popular movie or song.

Diceware passwords

One great way to create random strong passwords is Diceware, a simple and effective system which uses dice rolls to select words from a list. As well as being random, the nonsense phrase passwords it generates can also be quite memorable, so they're useful for situations where you need to commit them to memory or are manually filling out a login field.

Password cracking software does now attempt to account for Diceware by stringing words together, so we would recommend using at least six words (and checking the total length - it is possible to generate very short passwords using Diceware).
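To show how Diceware turns dice rolls into words, and why six words is the usual recommendation, here is an added example (not from the original article or the Diceware project). It generalises the five-dice scheme to any list holding a power-of-6 number of words; the 36-word list below is constructed for illustration, whereas a real Diceware list has 7776 (6^5) words and uses five dice per word.

```python
import math
import secrets

# Constructed sample list of 36 words (6^2), so two dice select a word.
# A real Diceware list has 7776 words (6^5) and uses five dice per word.
SAMPLE_WORDS = """apple brick cloud dance eagle flame
grape honey igloo jelly koala lemon
mango night ocean piano quilt river
sugar tiger umbra vivid whale xenon
yacht zebra amber bliss comet dwarf
ember frost glide heron ivory jumbo""".split()

def dice_per_word(list_size):
    """Number of dice needed per word: the list must hold exactly 6**k words."""
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("Diceware list must contain a power-of-6 number of words")
    return k

def roll_dice(n):
    """Roll n dice with a cryptographic RNG; returns e.g. '3524' (digits 1-6)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))

def dice_key_to_index(key):
    """Read the dice digits as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for digit in key:
        if digit not in "123456":
            raise ValueError("dice key digits must be 1-6")
        index = index * 6 + (int(digit) - 1)
    return index

def diceware_passphrase(words, n_words=6, sep=" "):
    """Pick n_words by independent dice rolls and join them with sep."""
    k = dice_per_word(len(words))
    return sep.join(words[dice_key_to_index(roll_dice(k))] for _ in range(n_words))

def entropy_bits(list_size, n_words):
    """Entropy of a passphrase of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)

if __name__ == "__main__":
    print(diceware_passphrase(SAMPLE_WORDS, 6))
    print(f"36-word list, 6 words:   {entropy_bits(36, 6):.1f} bits")
    print(f"7776-word list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```

With the real 7776-word list each word contributes about 12.9 bits, so six words give roughly 77.5 bits, which is why short lists or too few words leave a passphrase within reach of the word-combining attacks mentioned above.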

Password generators

You can also use password generator tools to let a computer do the hard work and produce a string of nonsense. These are included with any worthwhile password manager tool (see below). There are also lots of online generators, but be cautious when using these, as you cannot be certain who is operating the site or what information may be retained. A recommended tool is the GRC Ultra High Security Password Generator, which goes to extreme lengths to produce secure passwords.

However, random passwords introduce another problem. While the password ‘h£g0F34n~q221*/”29nsorK^’ might take a government supercomputer an eternity to break, you’re going to struggle to remember it. And when we’re faced with so many different sites and services which require login details, it’s easy to fall back on one password you use everywhere, or to rely on a method of creating passwords which can be analysed for patterns.

(No matter how strong a password is, it’s useless if you use it more than once or your system can be determined from a single password - e.g. ‘2sT?3jhGoo4n#’ for Google, ‘2sT?3jhTwi4n#’ for Twitter - all it takes is for one login to be compromised and an attacker could gain access to everything else.)

Why you need a password manager

For the best password security we would recommend a password manager.

A password manager retains your login details in a secure encrypted container protected by a master password, and automatically enters them on web sites (and sometimes desktop or mobile applications) when required. And because you don’t need to remember or write them down, every login can be long, complex and random.

Any worthwhile manager will also include a random password generator, so you don’t need to rely on any predictable techniques or third-party tools each time you create a new account. Remember, any password generation technique you have is of questionable value if it’s used by anyone else or can be easily replicated by someone who gets hold of just one of your passwords. It’s far better and easier to randomly generate a long string of gibberish.

There are many different password managers on the market, but we would recommend one of the following:

Dashlane - free / $40/yr

A popular choice thanks to its slick interface and useful features, like the ability to change passwords on multiple sites via the Dashlane UI without visiting each one.

LastPass - free / $12/yr

Our favourite password manager. LastPass is extremely powerful and has a wide choice of multi-factor authentication options, and the premium edition is inexpensive.

1Password - $50

1Password has an excellent password generator tool which provides greater customisation than many others. It offers a similar feature set to the competition, though notably provides the option to keep the password vault stored locally, rather than in the cloud.

KeePass - Free

This open source password manager is a good option if you don’t trust anyone but yourself to manage your passwords, as it does not offer cloud sync. There are KeePass plugins and apps available for multiple browsers and operating systems.

Useful online resources

Leaked Source and Have I been pwned?

Check if your logins have been compromised by searching databases of leaked passwords.

GRC password generator

Securely generate strong passwords.

GRC Password Haystacks

Check the strength of your passwords.