Main Content Start

Best Practices for Creating Stronger Passwords

September 30, 2016

The modern-day challenge with passwords:

Creating and keeping track of more than just a few active passwords is no easy task—especially since the average person today has about 27 different online accounts1 and needs to access many of them throughout a typical day. So what do most people do? They use the same, simple password over and over again.

The problem is, hackers love this. If they can get ahold of just one password, they can access your entire life. Bank accounts, credit cards, cell phone pictures and videos, health records, computer files and email accounts all become an open book that thieves can use against you. That’s why a smart password strategy is crucial to keeping your info safe.

What You
Should Know

Most people make their passwords too easy to crack.

What You
Can Do

Make your passwords at least 10 characters long, using numbers, symbols and UPPER and lowercase letters.

Woman looking at computer monitor to illustrate creating stronger passwords

How to create strong passwords

Do’s and don’ts:

  • Use at least 10 characters (15 is preferable)
  • Include UPPER and lowercase letters
  • Incorporate numbers and special characters such as %, &, # and $
  • Avoid simple words, proper names or personal data, such as your children’s birthdays, your personal or work addresses, or telephone numbers
  • Don’t use the same password over and over
  • Don’t write your passwords down where others can see
36.3% of people forget a password once a week.1

Base them around a phrase

Penn State recommends using the “pseudo-random” method: base your password around an easy-to-remember phrase (such as a favorite book, song, limerick or speech). For example, “Four score and seven years ago our fathers brought …” can become “4scanse,” or “I love to play badminton” could become “ILuv2PlayB@dm1nt()n.”

How To Manage Your Passwords

Use Password Managers

If you have a large number of passwords to keep track of, it might be tempting to keep them all in one document somewhere, but any written list could fall in the wrong hands. Here are two more secure methods:

  • Use your browser’s internal password manager to store and auto-fill passwords at login, essentially remembering them for you.
  • Use one of many commercial password managers you simply install as a browser plugin that effectively manages all your passwords with one master password. Conduct your own research to see if one is right for you.

Change passwords regularly

Most experts recommend changing passwords every 90 days. However, never re-use old passwords, as they might already be compromised. If a password is, or even may be compromised, make sure to change it immediately.

Set a reminder to update your passwords.

18% of people have regretted sharing a password with a family member or friend.1

Keep passwords safe and private

Keep your passwords as secret as possible. Don’t share them with anyone unless absolutely necessary. If you do have to send someone your password, make sure you know who they are and that the connection is secure—specifically using only websites that have a “https:” url, not just “http:” (the “s” literally stands for “secure”). Texting a password is also considered secure (as long as you know the recipient well).

Use dedicated-device passwords

For certain devices you use frequently (your cell phone, personal laptop) use a dedicated password that you don’t use for anything else. That way, even if one password is compromised, your other devices will still be secure.

Use “set-and-forget” passwords

For websites you only visit occasionally, use the “set-and-forget” method: simply create a unique password just for the current session, intending to forget it. When the time comes to log in again, just use the website’s “password reset” feature to create a new password for each new session.

Avoid Phishing scams

Do not provide personal information of any kind based on any suspicious-looking emails. This is likely a scam called “phishing” (more on this here). Voice verify that the request is legitimate by calling the company or person requesting the information.

Skip to footer