Skip to main content

Six tips to bombproof your password

secure passwords headerMajor password breaches are so common they’re becoming like storms and traffic jams: One day you hear about tens of thousands of Twitter users compromised or several million at LinkedIn, the next it might be upwards of 50 million at Evernote or LivingSocial.

But despite their fallibility, passwords won’t be replaced any time soon. Two-factor authentication technologies using our mobile devices and even biometrics can help keep us secure, but so far none are foolproof, and precious few are even convenient.

How can we make our passwords more hack-resistant and manage all the passwords we need?

Entropy is your new best friend

Most attackers don’t break passwords by going to Gmail or Facebook and making guesses; that’s slow, and most services block access after a few failed attempts. However, if attackers steal account data through a security hole, they can make thousands, millions, or even billions of guesses per second offline using their own computers. If that sounds outlandish, consider that Stricture Consulting Group last year showed off a small computer cluster made from off-the-shelf components that could test as many as 350 billion passwords per second. Some password-cracking operations harness hundreds (or thousands) of computers via botnets or legitimate cloud-computing platforms, while others just use everyday PCs. They’re fast too.

The quality of a password doesn’t matter if a service stores your password as plain text and an attacker steals it. (Don’t laugh: it happens.) If passwords are encrypted, however, size and randomness are two factors that determine a password’s strength or entropy — basically, a measure of the possible combinations a password can have.

“The higher the entropy, the longer it will take, on average, for a brute-force attack to succeed,” noted Joe Kissel, author of the ebook Take Control of Your Passwords. So, all things being equal, you want a high-entropy password.”

The benefit of a password’s size is obvious: More characters means more possible combinations. The benefit of randomness is less subtle. A password like YesThisIsMyGreatNewRandomPassphrase wins points for size — 36 characters! — but loses points for randomness, since it’s just upper- and lower-case letters. (It’s also less random because it’s in English: Attackers try to take advantage of common letter patterns.)

Something like *5FRRcr62{d~OkP!{AKaxzevQZb6L{~S1F~b would be more secure — it’s both big and highly random. Unfortunately, it’s almost impossible for most people to remember…but it’s easy for a computer to remember.

Ways to make strong, memorable passwords

There’s no magic formula for making passwords both very strong and easy to remember. However, here are some ideas:

Size matters — In statistical terms, memorable passwords aren’t very random, but you can make them stronger with sheer size. These days, I consider 14 to 15 characters a minimum for a random password. For a password based on words or phrases, a realistic minimum might be 20 characters. When in doubt, go big.

Use combined terms — Grouping a three to five unrelated words together can be a great basis for a long password. Something like TurquoiseGullGrapeDiner creates a sizable password (23 characters) but only requires you remember four things.

Use groups of symbols and numbers — The example above won’t work if a system requires numbers or symbols. However, if you accent it with a small group of special characters, like (3*^, it can be used almost anywhere as TurquoiseGullGrape(3*^Diner. Here’s the trick: Come up with two or three sequences of symbols and numbers like that, then re-use them to both add entropy to your longer passwords and meet password requirements. Just consider symbols carefully: diacriticals and symbols (like €, ™ þ «) might be easy on a computer keyboard, but on phones even shifting between upper and lower case can be annoying.

Avoid 1337 speak — Don’t use common symbol substitutions like @ for a, 3 for E, 5 for S, [) for D, etc. Those are some of the first things password crackers attempt — and remember they can attempt millions (or billions) of combinations per second.

Improve entropy with random passwords — Several services like and will generate random passwords of any length, with options to avoid similar-looking characters (like 1 and I). These are hard to remember, but if you use a password management system (see below) you might not care.

Never reuse passwords — It’s tempting to make a single strong password and use it everywhere. Don’t do it. When attackers steal passwords, they often get information like names, email addresses, billing details, and even security questions or password hints along with them. If attackers crack your password on one service they can quickly try the same password with your name or email address on other services. If you never reuse passwords, damage from a cracked password is already contained.

Managing passwords

Making a strong password for every service means most of us will be swimming in passwords—and we’ll never remember them all.

… An ounce of prevention — say, 16 random characters — can be worth a pound of cure.

Password management programs like 1Password, RoboForm, Clipperz, and LastPass are possible solutions. Each have their pros and cons, but the basic idea is similar: They remember your passwords and try to automatically log you into sites and services once you enter a master password or PIN code. Some have features like random password generators and support for USB keys. Users only need to remember a single master password for day-to-day stuff, and the programs are just as proficient at storing long, incomprehensible passwords (like Qz!~WEpmm[z|5!6UYa#xPJ#e) as brain-dead passwords you should never use (like “password”).

The password managers above (and others) are available for most desktop and mobile operating systems, and can synchronize passwords between phones, tablets, and computers (1Password relies on Dropbox, for instance). That’s tremendously handy if you create a website password on your PC, then need it later on your iPad.

“If you’re going to use a password manager, it makes sense to pick something that will sync securely across all your devices,” noted Kissel. “Usually syncing involves the cloud, although some sync directly over Wi-Fi. As long as the data is encrypted, which it always is, cloud-based syncing isn’t riskier, but it is more convenient because your devices don’t have to be on the same network.”

Trusting password managers can have drawbacks. For instance, LastPass stores everything in the cloud, which is great until you don’t have Internet access or the service goes down. Similarly, a software incompatibility could make your passwords inaccessible — maybe on just one device, but maybe everywhere.

The upshot is that you will almost certainly need to memorize a handful of passwords. The most likely candidates are:

  • Your computers and devices
  • Your password manager
  • Critical online services (like email, Google account, Apple ID)
  • Online banking
  • Sync services (like Dropbox)
  • Social media

Not all of these apply to everyone. Most people will only need to memorize four or five passwords. Almost everything else can be trusted to a password manager.

Finally, consider recording your most important passwords on paper in a safe place. That’s not a notepad next to your keyboard, but perhaps a safety deposit box or an obscure location in your home (like, inside a CD of Aerosmith’s Greatest Hits). The list isn’t so much for you, but for anyone you might need to access your devices or accounts in an emergency.

Better safe than sorry

These steps may seem like overkill. Why would an attacker care about your Pinterest account or Facebook page or email? Unless someone wants to besmirch your online reputation, they probably don’t. However, even our seemingly innocuous accounts can be stepping stones to PayPal, Amazon, iTunes, credit cards, bank accounts, and identity theft — and those are precisely what serious attackers want. With so much of our day-to-day lives now online and password breaches becoming so commonplace, an ounce of prevention — say, 16 random characters — can be worth a pound of cure.

Editors' Recommendations

Geoff Duncan
Former Digital Trends Contributor
Geoff Duncan writes, programs, edits, plays music, and delights in making software misbehave. He's probably the only member…
No, 1Password wasn’t hacked – here’s what really happened
A person using the 1Password password manager on a laptop while sat on a couch.

Password managers have been struggling with security breaches in recent months, with LastPass suffering a particularly bad hack as a notable example. So when 1Password users got an alert last week saying their Secret Keys and passwords had been changed without their knowledge, they were understandably panicked. Luckily, all was not what it seemed.

That’s because AgileBits, the company behind 1Password, has just explained exactly what went wrong during that event. And while it wasn’t as bad as everyone first thought, it still doesn’t paint AgileBits in a particularly good light.

Read more
AI can probably crack your password in seconds
password manager lifestyle image

We can now add easily cracking passwords in a matter of seconds to the list of things that AI can do.

Cybersecurity firm Home Security Heroes recently published a study uncovering how AI tools analyze passwords and then use that data to crack the most common passwords used on the web.

Read more
Linus Tech Tips restored after crypto scam hack
linus tech tips offline after cryptoscam youtube sad

Multiple YouTube channels under the Linus Media Group (LMG) brand have been restored after being hijacked by crypto scammers. The main Linus Tech Tip YouTube channel, which has amassed over 15 million subscribers, went offline on Thursday, as did the TechQuickie and TechLinked channels. It appears all three were impacted by the same hackers.

The channels stayed live briefly early Thursday morning, promoting bogus livestreams that included pre-recorded footage of tech personalities like Elon Musk and Jack Dorsey talking about cryptocurrency. The streams redirect to websites embedded with cryptocurrency scams.

Read more