Your IP: Unknown · Your Status: Unprotected Protected

Blog How-To

Top tips for creating strong passwords

Aug 04, 2017 · 4 min read

Top tips for creating strong passwords

When creating an account on any website, you run into an inevitable password dilemma: provide a weak but memorable password or a strong password that would be difficult to remember.

Following the guidelines and rules mentioned in this article will help you overcome this dilemma and create a strong and secure password. These tips have been successfully tried and tested by many Internet users, and we strongly recommend you to do the same.

Two essential password rules

The following two rules give you the bare minimum for creating an adequate password:

  1. Password length. Use passwords that contain at least 10 characters. The more characters the password has, the longer it takes for a hacker to crack it.
  1. Password complexity. The password should include at least one character from each of the four following groups:
  • Upper case letters
  • Lower case letters
  • Special characters
  • Numbers

Simply following these two rules would be a vast improvement and instantly make your passwords much stronger. This is especially important for online banking and other financially sensitive websites.

Guidelines for creating tough passwords

  • Follow Rules 1 and 2. As mentioned above, the length and complexity are the two key bases for creating a tough password.
  • Use password managers. Long passwords are difficult to remember, especially when you have a different one for each website or service. You can use popular password managers like Dashlane 4 or LastPass 4.0 to help you organize your various login details.
  • Create Mnemonics. If tools for managing passwords are not your thing, create memorable phrases instead, making sure they relate to the website or service you’ll use them for. For instance, if you sign up for a VPN service to avoid the risk of cybercrime on public Wifi networks, you could create a sentence like “I like to use NordVPN to protect my money” and use it as a mnemonic for the password “Il2uNV2pm$$$”. It includes all four types of characters, is complex, moderately long and easy to remember.
  • Use Passphrases (the Diceware method). Although using dictionary words is not advisable (see the tips for avoiding weak passwords below), creating a combination of 6-7 random words is a good method to protect your account. Randomness is the key, though. The human brain is extremely bad at stringing together truly random words, so the Diceware website provides a list of numbered words. You roll a traditional game dice, and the numbers that come up choose the words for you. A combination like “right zebra fashion ultramarine football work” is extremely difficult to guess because of its length and randomness, but fairly easy to remember.

Avoiding weak passwords

None of the following should ever be included in your passwords, even as one of several components.

  • The username of a part of the username;
  • Names of friends, family members, pets and especially your own name;
  • Personal information about your family members or yourself. That includes the general information that may be obtained very easily, such as phone number, birth date, street name, license plate number, house/apartment number, etc.;
  • A sequence of consecutive letters, numbers or keyboard keys, such as “qwerty”, “12345”, “abcde”, etc.;
  • A dictionary word or a combination of words, such as “blackdog”;
  • Obvious substitutions, such as “blackd0g”;
  • Any of the mentioned above in reverse;
  • Blank password.

Password common sense

All of the following is common knowledge but people still tend to ignore it, so it’s worth repeating:

  • Create a unique password every time. When you change a password for any of your accounts, it should not be identical to any of the previous passwords. Likewise, do not use incremental passphrases when changing it, such as “VPNpassword1” to “VPNpassword12” to “VPNpassword123”, etc.
  • Change the passwords for all your existing accounts at least once every 6 months. Since passwords have a fixed length, a brute-force attack to crack a password will always be successful given enough processing power and time. Therefore, it is highly recommended to change passwords regularly. Schedule your calendar to remind you to change your passwords every 6 months.
  • Do not write down your passwords. Creating a strong password and writing it on a piece of paper is as bad as choosing an easy-to-remember password and keeping it in your head. Several surveys on the subject have found that many people write down their passwords and keep the notes next to their computers. Some think that keeping the note under the mousepad is secure enough. You should never do that. If you need to carry your password along with you, use one of the password manager tools and run it from the USB stick.
  • Do not share your password with anyone. That includes your family and friends. Instead, share security tips with your elderly relatives because they belong to one of the most vulnerable groups of internet users.
  • Do not set the same password on different websites. It is very attractive to create the same or very similar passwords for all the banking sites, social network websites, email clients, etc. Avoid the temptation and create unique passwords for each account.
  • Do not type your password when someone is behind and looking over your shoulder. This is especially important if you type slowly and search the keyboard for the letters, because it makes it very easy for someone to figure out the password.
  • Never send an email with your password included in the text. Sometimes hackers send emails pretending to be a customer support agent and asking for your username and password. Legitimate organizations or websites never ask for your username and password via email.
  • In case your password gets compromised, change it immediately. Even if you only suspect that someone might have stolen your password, change it right away. Every minute counts.
  • Do not use the “Remember the password” browser option without setting a master password. If you do not set a master password in a browser, anyone using it will be able to see the stored password in plain text. In addition, be careful with this option and always select “Not Now” if you are using the device that does not belong to you.

Do not type your password on a device belonging to someone else. It is especially important for banking websites. It is a common practice for hackers to log all keystrokes, which will capture your password.


Christina Craig
Christina Craig successVerified author

Christina is a community manager and the heart, the voice and the soul of NordVPN. She is always up for a conversation with our community of users and blog readers.

Subscribe to NordVPN blog