
65 Password Security Tips: How To Create and Secure Accounts

From generating strong passwords to using a password manager, many security experts, business owners, and vendors contributed their very best ideas and practical advice for our giant list of password security tips.

From a favorite online bookstore to Facebook and webmail services, we create a lot of online accounts. According to a 2016 poll by Intel Security, the average person has 27 discrete online logins. Add offline codes to that number and we’re virtually swimming in usernames, passwords and PINs.

How to Create a Secure Password

Despite security breaches and warning screens when signing up for new services, it’s easy to be slack about creating secure passwords. Several common and less secure practices include duplicating passwords between accounts, sharing passwords and using common information that’s easy for a malicious person (or software) to crack.

“Passwords should never be reused. Recent breaches at Yahoo, LinkedIn, and Twitter exposed millions of users’ passwords to the public and for sale on the dark web,” wrote Ajit Sancheti, CEO and co-founder of Preempt. “When your information is leaked from one website or service, a user can endure widespread exposure if they reuse passwords for multiple accounts. What’s more, passwords are often stolen without user knowledge. In many cases, individuals are unaware that they have been using exposed passwords for years. It’s not worth the risk.”

Sancheti, along with many other security experts, business owners, and vendors contributed their very best ideas and practical advice for this giant list of password security tips. From generating strong passwords to using a password manager, this list offers good ideas for everyone.

Password Security Checklist

Scroll through the list of tips below or use this handy checklist to jump to a specific topic related to password and account security:


How to Create a Secure Password (and what to avoid)

Make passwords complex and impersonal. Leverage both upper and lowercase letters, symbols and numbers where applicable. Create random passwords that can’t be guessed based on general knowledge others may have about you.

Stanko Tomic, head of engineering, RoboForm at Siber Systems

Avoid dictionary terms. Dictionary cracks guess passwords using lists of common passwords and then move to the whole dictionary. This is typically much faster than a brute force attack because there are far fewer options.

Darren Guccione, CEO and co-founder, Keeper Security, Inc.

Think of a phrase from a song, slogan or jingle. Take the first character from each word as your password. Try to use 12-14 characters. Add a number and/or punctuation character to complete it.

Greg Kelley, EnCE, DFCP, Vestige, Ltd

If you choose to use a password manager, you are effectively creating a single point of failure for your personal security. If someone figures out your password to that, they can then access all your other passwords. To best secure your password manager, use a long password. It doesn’t have to be complex, but it should be 18+ characters. For example, BlueHouseGreenYardWhiteFenceGoodNeighbors

Adam Peterson, CEO, VipeCloud

1. Good passwords are long, at least 12 characters.
2. Good passwords have nothing to do with you, your children, or pets.
3. Passwords should never be reused.
4. Change your passwords regularly.
5. Symbols and numbers make passwords harder to crack.
6. Don’t share your passwords with anyone.
7. Two common ways to create secure passwords:
a. Think of a phrase then select the first or last letter of each word in the phrase to use as your password. Throw in some digits too.
b. Pick three or four random words and paste them together with numbers in between.

Dr. Phil Polstra, Professor of Mathematical and Digital Sciences, Bloomsburg University of Pennsylvania

Use Complex Passwords: Your password should be at least 10 characters and contain 2 lower case letters, 2 upper case letters, 2 numeric characters and 2 special characters. An easy way to do this is to use your name and replace parts of it with related symbols and numbers. For example, Jacob Smith might use J@cobSmith44!

Robert Douglas, president, PlanetMagpie


Accounts often require security questions as an extra precaution. However, if you answer with easy-to-access information, like the name of your high school, hackers can just check your social media accounts for this information. Consider using a fake answer or the wrong answer when completing these questions.

Sage Singleton, tech and safety specialist, SafeWise

Do not use a word from the dictionary. Multiple words strung together is fine, but not a single word.

Greg Kelley, EnCE, DFCP, Vestige, Ltd

Use a password of something familiar to you with possibly a numbering system to assist you with innumerable accounts. Here is an example and of course the words all run together and you should always use upper and lower case letters: 1@ greatest security professional ever#2 or $3 Kansas city Royals are world series champs 4%. These passwords are unusually long, but should be easily remembered by anyone using their own life and likes. Again, remember to use upper and lower case letters and possibly substitute ! for 1 and such.

Robert D. Sollars, independent speaker, author, and consultant

  1. Steer clear of password reuse across multiple sites.
  2. Use special characters and case-sensitivity in your passwords.
  3. Adopt a password manager to allow for extremely complex passwords.
  4. Enable two-factor authentication where you can; common consumer platforms like Google, Facebook and iCloud already provide two-factor authentication options to end users.

Keith Graham, chief technology officer, SecureAuth

Passwords should be at least 9 characters. The latest information is that passwords under 9 characters can be broken within hours. The algorithms are sophisticated enough to do this with passwords of 8 characters or less. Use all the characters, numbers, and special characters. Also passwords are case sensitive so to make a really strong password, make sure to include both upper and lower case alpha characters, numbers, and special characters. The goal is to increase the odds against guessing and algorithmic scanners are really good at guessing. It has been discussed that passwords with full words may be more secure than randomly generated passwords, i.e., 4zIlikecheese34 may stump scanners. Scanners usually just run random combinations and may not put to use actual words.

Justin Lavelle, chief communications officer, BeenVerified

As with all security initiatives, it ultimately comes down to the human. We’re not wired well to remember: sjkUJE49GDd4!^)jp*dn. So, people tend to fall back to simple passwords that are easily remembered: myfamily1. Unfortunately simple also means easily guessed. A best practice for those who will rely on simple passwords is to make an effort to merge in complexity: MyF@m!ly1. Still easily remembered, but with increased complexity allowing increased security.

Justin Davis, director of enterprise sales, CenturyLink

Every year, millions of passwords are stolen. These are made public by researchers, in order of popularity. Hackers see this list. If you don’t want to get hacked, then avoid using the following types of passwords:

  • 123456 (avoid ANY numerical sequence)
  • qwerty (avoid ANY letter sequence)
  • 123456789 (long sequences are just as bad as shorter ones)
  • Football (hackers know that tons of passwords are a name of a popular sport)
  • abc123 (combining different keyboard sequences doesn’t toughen up the password)
  • 111111 (how lazy can you be?)
  • 1qaz2wsx (vertical sequences are vulnerable too)
  • master, princess, starwars (give me a break)
  • passw0rd (wow, so creative!)

Don’t even bother with names of animals, countries, cities, famous music bands or people names. Even combining these won’t help, such as EmilyParis. If any component of the password can be found in a dictionary, change it.

Robert Siciliano, CEO, IDTheftSecurity.com
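The checks the tips above describe (Guccione’s dictionary attack, Douglas’s character-class rule, Siciliano’s list of sequences, keyboard walks, leetspeak and dictionary components) can be turned into a weak-password screen that a sign-up form or password audit runs before accepting a password. The code below is an added example, not from the article or any vendor named in it; the common-password set and the word list are tiny constructed stand-ins for the breach lists and dictionaries a real check would load.

```python
import re
from typing import List

# Constructed stand-in for a breach-derived "most common passwords" list; a real
# check would load millions of entries. These are the entries the article lists.
COMMON_PASSWORDS = {
    "123456", "qwerty", "123456789", "football", "abc123", "111111",
    "1qaz2wsx", "master", "princess", "starwars", "password",
}

# Constructed stand-in for a dictionary / names / places word list.
DICTIONARY_WORDS = {
    "emily", "paris", "magic", "pineapple", "family", "cheese", "house",
    "green", "fence", "sarah", "london", "tiger",
}

# Keyboard rows plus the vertical "1qaz2wsx" style walk, read in either direction.
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1qaz2wsx3edc4rfv5tgb6yhn7ujm"]

# Common leetspeak substitutions; undone before the list lookups so that
# "passw0rd" is treated as "password" (cracking rule sets do the same).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}


def normalize_leet(pw: str) -> str:
    """Lowercase the password and undo leetspeak substitutions."""
    return "".join(LEET.get(ch, ch) for ch in pw.lower())


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (1234, dcba, wxyz)."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeat(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (111111, aaaa)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if a `run`-character window follows a keyboard row or column."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if any(window in walk or window in walk[::-1] for walk in KEYBOARD_WALKS):
            return True
    return False


def dictionary_words(pw: str, min_len: int = 4) -> List[str]:
    """Dictionary words found inside the de-leeted password (EmilyParis -> emily, paris)."""
    s = normalize_leet(pw)
    return sorted(w for w in DICTIONARY_WORDS if len(w) >= min_len and w in s)


def meets_class_policy(pw: str) -> bool:
    """The 10+ chars, 2 lower, 2 upper, 2 digits, 2 specials rule from the article."""
    lower = sum(ch.islower() for ch in pw)
    upper = sum(ch.isupper() for ch in pw)
    digits = sum(ch.isdigit() for ch in pw)
    special = len(pw) - lower - upper - digits
    return len(pw) >= 10 and min(lower, upper, digits, special) >= 2


def assess(pw: str) -> List[str]:
    """Return the weaknesses found; an empty list means none of these checks fired."""
    findings = []
    # Look up both the raw lowercase form and the de-leeted form.
    if pw.lower() in COMMON_PASSWORDS or normalize_leet(pw) in COMMON_PASSWORDS:
        findings.append("appears on the common-password list")
    if has_sequence(pw):
        findings.append("contains a numeric or alphabetic sequence")
    if has_repeat(pw):
        findings.append("contains a repeated character run")
    if has_keyboard_walk(pw):
        findings.append("contains a keyboard walk")
    words = dictionary_words(pw)
    if words:
        findings.append("contains dictionary words: " + ", ".join(words))
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    return findings


if __name__ == "__main__":
    for candidate in ["123456", "1qaz2wsx", "passw0rd", "EmilyParis", "J@cobSmith44!"]:
        print(f"{candidate!r}: {assess(candidate) or 'no issues found'}")
```

The word list here is deliberately tiny; what makes the dictionary check meaningful in practice is loading a real one that includes first and last names, place names and popular culture terms.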


A slight tweak that will make your passwords so much harder to crack is to put the hashtag and number in the middle of the password, rather than in the start or end. So magicpineapple#88 becomes magic#88pineapple. Instead of #2014sarahspassword, try sarahs#2014password. Remember, most password cracks are done by automation, not hand, and moving the hashtag + number into the middle significantly decreases their chances of finding a match.

Hubert Southall, associate creative director, SapientRazorfish Miami

Don’t use easy to guess passwords such as 123456 or password which are often the most used passwords. And don’t base your password on a dictionary word or your family members or pets.

Bill Ho, CEO, Biscom

Don’t use 20 different characters with no logical connection to you or anyone else as you will not remember this. Don’t use the name of the company or your dog’s name. Rather, choose terms that would be arbitrary to anyone else but have meaning to you (e.g. your favorite fruit next to your favorite author) combined with numbers and an ASCII character or two.

Charles Lee Mudd, Jr., principal attorney, Mudd Law

Use a Password Manager

Recommended reading: Webopedia’s password manager definition.

Consider using a password manager, one that creates strong, unique passwords for you. For example, Avast Passwords automatically imports passwords stored in your browser and when you need to create a new password, all you do is click a button and a secure password is automatically generated and stored.

Tony Anscombe, senior security evangelist, Avast

Use a password manager. You are more likely to keep each app or website password unique, reducing the likelihood of hackers gaining total access to your online identity through duplicated passwords.

Stanko Tomic, head of engineering, RoboForm at Siber Systems

Use strong passwords or a password manager and digital vault. The average person has 19 passwords to remember but one in three passwords are not strong enough. When creating an online password make sure it is at least 8 characters in length with a mixture of upper and lower case letters, numbers and symbols. Utilizing multiple passwords (and recycling the same ones) makes it nearly impossible to keep them all straight when you’re shopping on Amazon, Target, Macys.com and more. It’s a better idea to use a password manager that gives you one master password to remember and uses military grade encryption to ensure any data inside the digital vault remains secure at all times. Password managers alleviate the headache of managing too many passwords and will make your life easier.

Darren Guccione, CEO and co-founder, Keeper Security, Inc.

Use a password manager on your phone and have it randomly generate your passwords. Use a combination of words (for example, seawas1angrymyfriend!) to make it easier to remember and use two-factor authentication on your email and social media accounts.

Mark Wilcox, VP business development, ICSynergy International, LP

To secure your passwords, first select one of the numerous reputable password manager programs available in the app stores. Once you decide which app you’re going to use, think of a strong password to get into the app, and do not store/write/share it with anyone. We all must have at least one password we commit to memory. Going forward, that one, strong, committed to memory password will be the gateway for access to all your other passwords.

Bob Herman, co-founder & president, IT Tropolis

Get an online password app and set it up to automatically create, save and fill out passwords. Some good recommendations are LastPass, KeyPass or Dashlane.

David Cox, CEO & founder, LiquidVPN

Don’t write your password down on a notepad near your computer. If you must write it down, store it in a safe location. Consider using a password manager instead.

Sage Singleton, tech and safety specialist, SafeWise

Use password managers like TeamsID or Dashlane. Password managers will help you keep your business safe from hacks and attacks, which establishes a security culture in your business. A good password manager will save you time from emailing and asking teammates about passwords while encrypting your passwords and keeping you up to date about any potential breaches.

Danny Garcia, marketing operations manager, Stacklist


Use unique passwords for each subscribed service, and utilize a local encrypted password management tool such as KeePassX to keep track of these passwords.

Alex Heid, chief research officer, SecurityScorecard

As someone who has to keep track of my own logins and those of our numerous clients, using a password manager (I use Dashlane) is the best way to go. I don’t have to keep a long list of various logins and a password manager can also help you create and save unique, secure passwords. A password manager can make your online life so much easier and more secure!

David Deering, owner, Touch Point Digital Marketing Agency

Look for a password manager that has many layers of authentication to secure your passwords/logins. A good tool will encrypt the passwords and offer a “verify” login before using any of the saved logins in a browser. This is a great feature for mobile devices or laptops which could easily get lost or stolen. Also, choose a password manager that automatically creates random passwords for you and saves automatically. This will ensure that you don’t fall into the trap of setting the same password for all sites you visit which is a major security risk.

Rob Boirun, CEO, The Reviewster Network

The best practice is to use a password generator to create a strong password. It creates a strong password easily containing everything needed, such as uppercase letters, lowercase letters, numbers, and symbols. As it’s created randomly, it’s related to nothing and very hard to remember. That means it’s also very difficult for people to guess or crack.

William Swift, managing editor, OhMattress

Now that you have a different password for every site and they are complex how are you going to remember them all? A password manager will not only store all the passwords but offer other tools like ensuring you are not using the passwords on the same sites, password generation, and making updates when you change a password. Many also offer password sharing, browser integration and work on Windows and Mac and also mobile phones. Lastpass, KeePass and Dashlane are some of the more popular ones.

Eric Harrison, owner, Eric’s Computer Services

Create strong passwords by using a mnemonic to remember them. For instance, a password for a clothes shopping site could be Mysizeis08, which is a related full sentence but difficult to crack.

Sanjay Deo, president and founder, 24By7Security, Inc.


Look for a password manager that stores and auto-fills passwords, creates unique, military-strength passwords for each login, stores important documents and files (passports, credit card numbers, etc.) in an encrypted vault and utilizes zero-knowledge architecture. Zero-knowledge architecture means the encryption and decryption of your passwords happens on the device level so the user is the only person that has full control over their data.

Darren Guccione, CEO and co-founder, Keeper Security, Inc.

Anyone that goes online knows their identity can be stolen. Ways to prevent this can be things like: try not to reuse passwords, P@ssword123 is not a password. It’s best to change passwords every 30-60 days. Make the passwords difficult, for example use numbers, letters (both capital and lower case), and symbols. Do not use words that are easy to guess. Your birthday or anniversary is also not a great password. There are many software applications that can be used that will create and maintain difficult passwords for each login.

Charles Johnston, digital ninja, HeartWired Technical Solutions

Use Unique Passwords: Don’t Duplicate!

Don’t use the same passwords for multiple sites. The reason for this is that if a website is compromised, attackers may be able to use the user IDs and passwords they steal to unlock valuable information on other sites or services. Using the same password for many products and services is like giving thieves a skeleton key to unlock your personal information across the web. Unique passwords make it difficult for bad guys to hurt you more than once.

Brian Smith, CTO, Hushmail

2016 was another massive year for data breaches and weak passwords represent the greatest security risk to consumers today. 63 percent of data breaches are due to weak passwords and policies. Furthermore, 60 percent of people use the same password for everything. When a password is stolen by a cyber criminal they cross check that password with all of your other logins giving them possible access to your banking, email or shopping websites. Ensuring your passwords are unique for every login will help deter this possibility. It’s a fact the stronger your password, the better you’re protected against hackers.

Darren Guccione, CEO and co-founder, Keeper Security, Inc.

Don’t use the same password on multiple sites. In the event one of your passwords is leaked, you limit any potential damage to only one site.

Stanko Tomic, head of engineering, RoboForm at Siber Systems

Use a different password for every website. Companies hate to admit when they were hacked. If the hacker gets your login credentials you can almost guarantee that those credentials will be tested on high value web sites and will eventually find their way into the wordlists and rainbow tables of whoever buys them.

David Cox, CEO & founder, LiquidVPN

Do not use the same password on more than one site. Even low risk websites get compromised, with logins and passwords leaked (posted online). The first thing the bad guys are going to do is try it on other sites, and try to find out what other accounts you have and try it there. Using a password on multiple sites is hands down one of the worst moves you can make. To check if you have had any past passwords leaked, a popular site to check is haveibeenpwned.com. Some of the major ones compromised were Yahoo!, Adobe, LinkedIn, MySpace and DropBox.

Eric Harrison, owner, Eric’s Computer Services

Password Security

For a password to be secure, it needs to be long (at least 12 characters are required to defeat automated cracking tools) and contain a combination of letters (both upper- and lower-case), numbers and symbols. It also needs to be completely unique: if the same password is used for every account, then when one is broken, all of them are broken. Combined with the point above, a password manager is an excellent tool that can assist with the generation and storing of multiple complex sets of login credentials.

Lee Munson, security researcher, Comparitech.com

Tips for Changing and Sharing Passwords

Change all your passwords quarterly. It is an easy, proactive measure you can take to protect your accounts. Breaches are typically disclosed months or years after credentials are stolen and sold, so changing your passwords every quarter ensures that even if your account credentials are stolen without your knowledge, your information is only useful to hackers for a limited time.

Joe Siegrist, general manager and VP, LastPass

Keep passwords in a secure place and change them often. Don’t use the same password for every account and create strong, unique passwords. Hackers are extremely tech-savvy and can crack weak passwords (like your maiden name, birth date or anniversary) and access your information easily.

Sage Singleton, tech and safety specialist, SafeWise

If your personal accounts have been hijacked, immediately change the password for each account that has been compromised. Next, contact the provider where your information was stored. Ask them to review your account activity. If you think your identity’s been stolen, visit the following websites. They both have resources to help you recover from identity theft & protect yourself in the future: FTC page on Helping Victims of Identity Theft and Identity Theft Resource Center.

Robert Douglas, president, PlanetMagpie

Don’t share passwords under any circumstance: You may find it harmless to share your passwords with friends and family, or vendors that you work with. However, opening accessibility to other users increases the threat potential dramatically. When sharing passwords with those who may lack security awareness, it no longer becomes a matter of who you trust, but whether or not they can spot risks and evade them before it is too late. When passwords are shared, one individual’s risk becomes everyone’s problem.

Ajit Sancheti, CEO and co-founder of Preempt

For enhanced security, always choose strong passwords which include numbers, symbols, and a mix of capital and lower-case letters. Don’t choose a password that is too short or can easily be guessed. It is also recommended to frequently change or rotate passwords.

Julian Weinberger, director of systems engineering, CISSP, NCP

Use passwords, use strategic passwords, change passwords, and change passwords often. Make it part of your routine to change your password on a regular basis, which could mean monthly or quarterly.

Charles Lee Mudd, Jr., principal attorney, Mudd Law

You definitely want to change your password if you suspect or know of a breach but it is good practice to change them regularly even if you think they are still secure. Don’t use one password for all accounts. It is best practice to have a strong password for each account you have. This prevents a breach of all your accounts in the event that one of your passwords is breached.

Justin Lavelle, chief communications officer, BeenVerified

Third-Party Apps, Websites and Wi-Fi Password Security

Accounts are compromised all the time not through passwords but through access granted from compromised social media apps (like when you used Facebook to register with a new site and then forget about it for years). To see which apps have access to your social media account:

Facebook > Settings> Apps (Show All)
Twitter > Profile > Settings and Privacy > Apps
Google > https://myaccount.google.com/secureaccount

Mike Catania, chief technology officer, PromotionCode

Despite a reasonable degree of awareness to potential threats, a 2016 Mavenir survey found that 42 percent of subscribers increase their exposure to mobile cyber crime risk by not paying attention to app permissions. In fact, 22 percent of subscribers don’t implement any rules when they decide to grant apps permission to access other features or data on their phone. Subscribers must only download apps they trust, adopt download precautions and double check whether or not the applications they download have access to their phone or personal data and accounts.

Mark Windle, marketing strategy director, Mavenir Network Security Solutions

Make sure the website you’re visiting has an SSL Certificate. This is a protocol that ensures secure communication between your browser and the website you’re connected to. Any information that’s exchanged on a secure site is encrypted. You can identify a secure site by looking at the URL bar – it will say “https” at the beginning. Avoid making purchases on sites that don’t have this feature, and you decrease your chances of having information stolen.

Brady Keller, digital manager, Atlantic.Net

When using free Wi-Fi, be sure to utilize a personal firewall and VPN to reduce lurking cyber threats and ensure the connection to remote networks and applications is encrypted and secure.

Julian Weinberger, director of systems engineering, CISSP, NCP

Do not give third-party apps permission to access your online accounts, for example, apps that want to glean data from your Twitter, Facebook, LinkedIn, and Google accounts. The permissions that third-party apps seek from the primary accounts are invasive and can create exploits. Some third-party apps are read-only, while the read-write ones can easily serve as avenues through which hackers are able to commandeer the primary account.

George Avetisov, CEO, HYPR

Using multi-factor authentication helps prevent hackers from getting access to your account even if they are able to crack your password. Also, use a VPN to encrypt your data, including user ID and password sent, while connected to a public Wi-Fi network.

Sanjay Deo, president and founder, 24By7Security, Inc.


Enable security alerts on your financial accounts. Be sure to set up auto security alerts on your bank cards that notify you of any purchase. You will get a notification to your phone or email detailing purchases. This is an easy way to keep track of your spending and be notified immediately if something is wrong.

Sage Singleton, tech and safety specialist, SafeWise

Saving Passwords in Your Browser

Do not store passwords in your browser. While it might seem convenient, your browser does not have enough security to keep your passwords and accounts safe from breaches.

Joe Siegrist, general manager and VP, LastPass

On top of using long, strong passwords that mix letters, numbers, special characters and capital letters, be sure to avoid using the same password across different accounts. Additionally, be aware of storing passwords in your browser: most browsers offer to store your passwords, and on the surface it seems like a convenient way to keep them handy. But the problem is, when you store passwords in your browser, they are stored on your device along with the information necessary to decrypt them, which makes them easy to hack.

Tony Anscombe, senior security evangelist, Avast

Avoid giving your desktop web browser permission to automatically keep you logged into frequently-used accounts. The ease of letting your browser automatically log you in fails to outweigh the security cost of doing so. Loss of your laptop or someone sitting at your workstation gives them the ability to misrepresent you and even lock you out of needed accounts. At the least, set a short-term automatic screen lock to ensure that if you have auto-login enabled for some accounts, you mitigate the risk of threats caused by a lost device.

George Avetisov, CEO, HYPR

Use Two-Factor Authentication (2FA)

Go beyond username and password wherever possible and activate two-factor authentication on your online accounts. Two-factor authentication can come in many forms: SMS, push-apps, biometrics and most importantly, hardware security keys. Security keys offer an easy and secure way to log in when static passwords are being hacked at scale; you can use them now with web sites such as Google, Dropbox, Facebook, and many more. And as security keys are completely out-of-band, they are the most secure form of authentication and not vulnerable to phishing or man-in-the-middle attacks.

Ronnie Manning, director public relations, Yubico

Image: Protect Yourself With More Than a Password Infographic (source: TeleSign)

If you plan on making purchases online, it’s important to have certain security measures in place to avoid having your financial information stolen. Two-factor authentication is a viable security method designed to make the process of logging in a bit more sophisticated. Instead of only needing a user name and password to access your accounts, you should include an additional factor. When enabled, you would be sent a unique pin code to a separate device, usually by way of text message or email any time you try logging in from an unrecognized device. There are many ways to configure this, but the end result is more secure data.

Brady Keller, digital manager, Atlantic.Net

TeleSign research shows that 47 percent of consumers use a password that hasn’t been changed in five or more years and 73 percent of accounts use duplicate passwords. This means that once hackers have your user name and password from one account, it’s a quick step to accessing all the accounts you use those credentials for. Two-factor authentication, which combines your password with a second factor, such as your mobile phone, offers an additional layer of protection beyond your password. Opting to turn on 2FA significantly decreases the risk of a hacker accessing your online accounts.

Ryan Disraeli, co-founder, TeleSign

If you have a smart phone with NFC, get a 2FA device with NFC and install an authenticator app on your phone and desktop. You can tap the device to your phone to unlock passwords or plug it into your desktop’s USB port.

David Cox, CEO & founder, LiquidVPN

Enabling two-factor authentication provides far more security (and thus peace of mind) than a password alone. The odds are that you have your mobile phone on you anyway, so the level of inconvenience is extremely low for a huge return in keeping the bad guys out. 2FA, as it’s popularly referred to, essentially confirms you by requesting a PIN verification from your mobile device if someone attempts to log in from an unrecognized machine.

Mike Catania, chief technology officer, PromotionCode

Enable two-step verification. Two-step verification is a feature many online services offer. It employs a two-stage process to authenticate your identity on new devices. It’s helpful, since passwords can be stolen. Two-step verification makes it much harder for non-authorized parties to access your account. To get in, they would need to have access to your phone or alternate email address, in addition to your user ID and password. It’s an added layer of security that has been shown to be quite effective in mitigating digital fraud.

Brian Smith, CTO, Hushmail

As our mobile devices continue to serve as an extension of ourselves — two-step authentication is key. Add complexity and length, and use upper and lower case characters, numbers, and symbols if allowed.

Bill Ho, CEO, Biscom

Enable two-factor authentication where available, this makes it more difficult for an attacker to access an account even when a password has been compromised.

Alex Heid, chief research officer, SecurityScorecard

Enable 2FA across all online accounts that support it. When selecting from the 2FA tools to help secure your online accounts, avoid SMS codes (texts or soft tokens) sent to your mobile device. SMS codes have been shown to be vulnerable to intercept, and therefore, they are far less secure than TOTP offerings such as Google Authenticator.

George Avetisov, CEO, HYPR

Two-factor authentication and the ability to regain accounts is the last important piece. Two-factor authentication can help keep bad guys out, even if they have your password. 2FA adds an extra layer of security to your account. You sign in with something you know (your password) and something you have (a code texted to your phone). Not every site will have two-factor authentication but Gmail, Facebook, Twitter, Ally Bank, and Chase do. Here is a list of some 2FA sites. Also, on all sites you should have security questions that you know, but are not easy to guess. Also all your accounts should be tied to recovery email addresses.

Eric Harrison, owner, Eric’s Computer Services

This article was originally published on March 27, 2017
