How to create a strong password (and keep away the hackers!)
Passwords – they’re something that we all need, as well as something that we’ve all struggled with creating, remembering and forgetting. They're just as important as ever, and when done correctly, can still be the last fortress of internet security. But what makes a strong password? And why is having a strong password so important?
Recent research revealed that 10,000 of the most common passwords allowed access to 98% of all accounts. Further to this, 1 in 5 of us rely on passwords that are over a decade old.
As such, I wanted to take this opportunity to ask this: when was the last time you considered whether your password practice is at an optimum level? Personally, I use World Password Day – which takes place on the first Thursday in May each year – as my own reminder to update and refresh my most important passwords.
Getting your ingredients right
First, let’s ask ourselves what the ingredients for a good password are. Using something memorable? The use of letters, numbers and special characters, such as “&”, “!” or “*”?
It's unlikely that anyone is using “Password1” for anything they want to keep secure, but the problem with passwords is that we’ve been conditioned to adopt poor practice when it comes to choosing them. While we accept that “Password1” is weak, “P@ssword!” may feel like a much stronger alternative – but the reality is, it isn’t!
Much of this issue stems from our perceptions of cyber security and the mental images that we might conjure up around cyber hacks. Many of us will picture a hoodie-wearing hacker in a dark room trying to get into our accounts by typing “password”, “password1”, “password2”, “password3”, continuing a single attempt at a time.
Choosing something like “P@ssword!” feels safer, as we think we’ve made it harder to guess for this lone individual hacker by using special characters instead of just letters and numbers. This is what we’ve been taught, after all – to make sure we use at least one number and one special character. So why isn’t this best practice?
The importance of keeping it memorable
Rather than a hacker in a dark room, I’d say that a far more accurate image for us to consider when it comes to cyber hacks is a giant supercomputer which can go through billions of attempts per second – as this is very much the reality. Even freely available tools can undertake a simple attack to cycle through thousands of attempts per second.
But when we read information like this, our instinct is to go to the opposite end of the scale and create passwords that are perceived to be extra strong – such as “Z$yZe9SPt;pf”. While this is indeed much harder for a computer to guess, our password is now really difficult for us to remember!
When we’re forced to create passwords like this, or to use random password generators which conjure up similar strings of nonsensical characters, it increases the likelihood of our needing to write them down in order to remember them – which is also poor practice from a security perspective.
My recipe for a strong, secure password
So, what’s the solution? I always find that entropy (that is, a lack of predictability) is a helpful concept here.
Choosing three words that have no real business being together can work well – for example, I might choose “glasses”, “microphone” and “fan” and combine these into a phrase (“glassesmicrophonefan”). All three are items that I can see when sitting at my desk, making them easy enough for me to remember without having to write them down.
Now, let’s capitalise each word for a little extra nudge and add a question mark on the end – we arrive at “GlassesMicrophoneFan?”. We can then use what is known as a password checker to test strength and resilience, by estimating how long any given password will take to crack (which I highly recommend doing!).
For “GlassesMicrophoneFan?”, the checker indicates that it would take 23 years to crack – this is in stark comparison to the 0 seconds that it reportedly would take to crack “P@ssword!”.
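To make the idea of entropy concrete, here is a small strength estimator I have added for this article (it is not the checker referred to above, nor code from the original post). It compares the “P@ssword!” pattern with the three-random-words pattern, and goes a little beyond the text by also showing what a fourth word adds and how a naive brute-force estimate differs from one where the attacker knows the pattern. The dictionary size, number of “leet” substitutions and symbol set are constructed assumptions; the guess rate is the post's “billions of attempts per second”.

```python
import math

# Constructed assumptions for illustration only (not measurements):
DICTIONARY_WORDS = 20_000          # assumed: everyday vocabulary an attacker would try
LEET_VARIANTS = 16                 # assumed: a->@, s->$, o->0 ... combinations per word
SYMBOLS = 32                       # assumed: punctuation characters that get appended
CHARSET = 26 + 26 + 10 + SYMBOLS   # lower, upper, digits, symbols for brute force
GUESS_RATE = 1e9                   # "billions of attempts per second" (the post's figure)
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(search_space: float) -> float:
    """Entropy in bits of one uniformly random pick from search_space options."""
    return math.log2(search_space)


def expected_crack_years(search_space: float, rate: float = GUESS_RATE) -> float:
    """Expected cracking time: on average half the space is searched first."""
    return search_space / 2 / rate / SECONDS_PER_YEAR


def brute_force_space(password: str) -> float:
    """What a naive checker assumes: every character chosen independently."""
    return float(CHARSET) ** len(password)


def substituted_word_space() -> float:
    """'P@ssword!' pattern: one dictionary word, a leet variant, optional
    initial capital and one trailing symbol, with the pattern known."""
    return DICTIONARY_WORDS * LEET_VARIANTS * 2 * SYMBOLS


def random_words_space(word_count: int) -> float:
    """'GlassesMicrophoneFan?' pattern: word_count independent dictionary
    words plus one trailing symbol, with the pattern known."""
    return float(DICTIONARY_WORDS) ** word_count * SYMBOLS


def report(label: str, space: float) -> dict:
    """Summarise a search space as entropy bits and expected years to crack."""
    return {"label": label, "bits": round(entropy_bits(space), 1),
            "years": expected_crack_years(space)}


if __name__ == "__main__":
    rows = [report("P@ssword! (pattern known)", substituted_word_space()),
            report("P@ssword! (naive brute force)", brute_force_space("P@ssword!")),
            report("3 words + symbol (pattern known)", random_words_space(3)),
            report("4 words + symbol (pattern known)", random_words_space(4)),
            report("GlassesMicrophoneFan? (naive brute force)",
                   brute_force_space("GlassesMicrophoneFan?"))]
    for row in rows:
        print(f"{row['label']:<42} {row['bits']:>6} bits  {row['years']:.3g} years")
```

The absolute figures depend entirely on the assumed dictionary size and guess rate, so they will not match any particular online checker; the point is the ratio: every extra unrelated word multiplies the attacker's work by the whole dictionary, whereas swapping letters for symbols adds only a small constant factor.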
Where possible, I also recommend using 2-step verification (also known as multi-factor authentication) to provide a further layer of security to your accounts. This might be in the form of using your fingerprint to verify your identity on a mobile phone app, or using a separate email account to receive a one-time code that must be entered to gain access.
My recipe for how to create a strong password is as follows:
- Make it random but memorable, and therefore strong and resilient
- Add special characters (but don’t go overboard!)
- Use a password checker to test its strength
- Use 2-step verification or MFA where possible
- If you haven’t done so in a while – update your passwords!