Password Best Practices for Truly Strong Passwords


Photo from Pixabay

We are frequently asked to create passwords for the numerous things we interact with: our laptops, our smartphones, our tablets, and the many websites and services we use on these devices, including banking websites, email apps, social media websites, and virtually any other account we create on any other website or app.

The problem is, we seldom think about how to create a good password, and often don’t even know what a strong password is. And since we know we can’t remember a unique password for every account we create, we tend to reuse the same password for all websites, which means that if one of them is compromised, all our accounts are compromised.

We will discuss in this article the importance of passwords, shedding a light on how we can create strong passwords that throw a wrench in hackers’ cracking attempts.


Compare prices of network security devices and buy here


What do strong passwords look like?

A good point to start from is knowing what a strong password looks like. Many websites have some guidelines in place and a meter that measures that strength of the password you create. These guidelines, however, may not be actual best practices or they could become obsolete as hackers evolve their methods with time. Also, not all website have the guidelines, leaving each user to create the password based on their own judgment.

Security experts tell us that there are several guidelines that offer safety.

Photo by typographyimages

The number of characters

The rules of mathematics tell us that the possible options for any password equal the number of possible characters power the number of possible slots (password length). A typical password will allow upper and lower case letters and numbers (totaling 62) plus or minus the special characters (32 not counting “space”, totaling 94).

Here are the possibilities based on the number of characters (including specials, without which the figures will be a bit lower), as well as the time hackers will take to crack it using a technique called a Brute Force Attack

Number of charactersPossibilities (approximately)Time to brute force (@ 350 billion/s)
478 million (7.8 X 107)About 0.2 milliseconds!
6690 billion (6.9 X 1011)A little less than 2 seconds
86 quadrillion (6 X 1015)4.8 hours
1054 quintillion (5.4 X 1019)4.9 YEARS! (now we’re talkin’)
12476 sextillion (4.76 X 1023)43,000 years


These numbers are based on a specific rig set up in 2012 that used 25 GPUs and could attempt 350 billion possibilities per second. Actual speeds may be much lower based on each hacker’s hardware, but it never hurts to be a few steps ahead. Dictionary attacks and common password trends could make the time taken a bit lower as well.

Bottom line: Password length is an important factor in your security. Make sure your passwords are more than 12 characters. Go for 15 or even 20 for maximum protection.

Using all character categories

If your password is only numbers, then each character has only 10 possibilities. This makes the base (the number on the bottom) significantly smaller; even if it is to the power of 10, that only gives you 10 billion possibilities, crackable in under 2 seconds. The same password length using lower and upper case letters, numbers, and symbols gives you the 54 quintillion possibilities shown above, which is infinitely harder to crack.

Multiple Word Phrase

Image source

It should also be obvious that you should not use a single word as your password. As outlined in the now famous XKCD comic and by even-more-famous NSA whistleblower, Edward Snowden, a “passphrase” made up of multiple words strung together makes it difficult to apply a brute force or dictionary attack.

Another technique based on the passphrase idea is to take a sentence, and then apply a rule to it. This is called the Bruce Shneier method. An example would be to take a memorable phrase, such as “Feed the birds, tuppence a bag” and you take the first letter of every word, followed by the second letters, giving you “FTBTABehiua”. It looks like absolute gibberish, but it’s memorable, it’s long, and it’s not a dictionary word. You can play around with capital letters and symbols to make it even more complex.


Compare prices of network security devices and buy here


Practices to Avoid

Don’t use personal information

Personal information in a password may be a good way to remember it, but it’s vulnerable. Someone who knows you or know that information about you could figure it out. What’s even scarier, is that there are bucket loads of personal information sprinkled here and there on different platforms and social media. Your pet’s name, your birthday, your city of birth… all of these can be gleaned by hackers from information you, yourself, have made public on these outlets.

Avoid common trends

As hackers became privy to password databases, they discovered trends in how people create their passwords. Practices that might seem like a good idea are probably the worst thing you could do, because everyone has been doing them, and hackers now know and screen for them. These include:

  • Using common substitutions: “$” instead of “S”, “0” instead of “O”, “3” instead of “E”, and any other substitutions that constitute what is called “leetspeek” are all things that don’t make it any harder to crack a password.
  • Using symbols between the different words of a passphrase.
  • Using standard, first letter capitalization.
  • Using words in the dictionary (or permutations or edits of those words, like “passwerd”) and common phrases that everybody knows (like supercalifragilisticexpiallidocious; although the spelling for that is probably contentious, it was in autocorrect with one “L” in the fifth to last syllable).

Good Password Hygiene

Photo by Jaydeep_

Besides the actual creation of the passwords, other behaviors can help keep us safe.

  • Never write your passwords down
  • Never send them via messages or email
  • Never reuse them across different services
  • Change them immediately after a security breach (which respectable services will duly announce if they occur)
  • Change them every once in a while, but make sure you don’t just reuse old ones or transform the ones you already have into something new; try creating a new one altogether


Compare prices of network security devices and buy here


Alternatives: Password managers and vaults

Since hackers are using powerful computers to try and obtain your passwords, you might do well to enlist those computers to create and protect your passwords. A password manager is an application that creates long, unique randomly generated, extremely difficult to crack (and highly unmemorable) passwords for different services you use , and enters them into the service for you. They keep all your passwords locked away, accessible through a master password, which you will create using all the guidelines above.

They’re not, however, a magic solution. Hackers know about them, which makes them targets, albeit powerful ones. So it’s a trade-off: you can put all your treasures in a fortress, but everyone knows where it is, as opposed to hiding them in an unmarked tract of land, the signs to which only you know.

In the end...

We must all be wary of our passwords and learn how to create good ones, lest we find ourselves between a rock and a hard place, and then it’ll be too late.