How to create strong passwords

With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security-aware people, to help them improve their personal security. If you think the content is helpful for people you know, share it with them!

What do you think most people do when they need to create a password that must meet the following requirements?

They try to get the damn password created as quickly as possible and fulfill the requirements. "P@ssw0rd" does so. It has a capital letter, 1 number (I replaced the letter o with the number 0) and a special character.

There are a lot of sites that will even show you that this is a strong password. As an example I entered "P@ssw0rd" on a site where you can test the strength of your passwords.

http://www.passwordmeter.com

This is a terrible password; a score of 68% for it is just ridiculous. And that's where the problem lies. Besides making it hard to create a password, some websites even give people a false sense of security. You shouldn't rely on password strength meters, as they don't take certain factors into account.

What are weak passwords and why do they form a risk?

Imagine you have just created an account on a site with the password "P@ssw0rd". This password fulfilled all the requirements, and the site's password strength meter showed that your password was strong.

If you're an average computer user who is not aware of security, how on earth would you know that this is a terrible password and what the possible impact is? And let's be 100% clear, I'm not blaming anyone here. I write this to help you understand what weak passwords and their inherent risks are and to give you some tips to create strong passwords. Even on sites with crazy password requirements.

Ok, so why is "P@ssw0rd" a weak password?

Because criminals know that people use these kinds of passwords. Companies get hacked, and the databases containing your personal information, including usernames and passwords, get stolen and widely distributed on the internet. It's exactly this information that most password strength meters don't factor in.

If you want to have some fun, you can check some passwords on Have I Been Pwned to see if they have been leaked online.

The password "P@ssw0rd" is leaked 52,579 times

DISCLAIMER: don't do this with your own passwords. As inspiration you can use some passwords from this list for instance.

These lists of stolen passwords are actively used by criminals to try to gain access to your accounts. And they're not using the passwords in isolation, they will try to gain access to other websites in an automated way by using stolen username and password combinations. That's why it's important to use a different password for every website or app.

If you want to understand the impact of hacks and account takeovers a bit better, I recommend reading this and this post.

So we need passwords that are not known to be leaked yet and a different password for every account. What else?

Well, your passwords have to be long enough. Currently 12 to 14 characters as a minimum is reasonable. I won't go into the details here, but on most websites (those that store your password in a cryptographically strong way) this length makes it very hard for criminals to retrieve your password.

Leaked passwords and passwords that are too short are not the only potential risks. Using the name of your pet in combination with your high school, or your date of birth together with the name of your daughter, is not a good idea either, not even when you put a number after it. Also, don't use the name of the company for which you are registering the account in your password.

Attackers have huge lists of words they can combine in every possible way and will try these common patterns first. That's why passwords should be random.
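The gap between a composition-rule check and the weaknesses described above, as an added Python example that is not part of the original post. The leaked list is a tiny constructed sample (a real check would use a large breach corpus) and the function names are hypothetical.

```python
import re

# Constructed sample of a leaked-password list, for illustration only.
LEAKED_SAMPLE = {"password", "123456", "qwerty", "letmein"}

# Character swaps people commonly use to satisfy composition rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s"})

MIN_LENGTH = 12  # lower bound suggested in the article


def meets_composition_rules(pw):
    """Typical site rule: upper case, lower case, digit and special character."""
    patterns = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return all(re.search(p, pw) for p in patterns)


def weaknesses(pw, personal_words=()):
    """Return the reasons the article gives for calling a password weak."""
    found = []
    lowered = pw.lower()
    undone = lowered.translate(LEET)  # "p@ssw0rd" -> "password"
    # Drop a trailing run of digits/symbols ("2024!") before undoing the swaps.
    base = re.sub(r"[^a-z]+$", "", lowered).translate(LEET)
    if {lowered, undone, base} & LEAKED_SAMPLE:
        found.append("leaked, or a simple variation of a leaked password")
    if len(pw) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    for word in personal_words:
        w = word.lower()
        if w in lowered or w in undone:
            found.append(f"contains the personal or site word '{word}'")
    return found


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "I love m4yonnaise and salad!"):
        print(candidate, meets_composition_rules(candidate), weaknesses(candidate))
```

Both sample passwords pass the composition rules, but only the passphrase comes back with an empty list of weaknesses.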

How you can create strong passwords

Ok, so far I have only told you what not-so-good passwords look like. Let's now see how we can create passwords that are random, unique and long enough.

You could randomly combine a number of words. Like in the screenshot you can use 4 words that have nothing to do with the site for which you register and combine them. You can add a number and special character, for instance at the end, to fulfill the password requirements.

Credits to The AntiSocial Engineer for providing me this slide from their security training material.
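A sketch of the random-words approach in Python, added here as an example and not taken from the original post or the training slide. The 32-word list is constructed so the code runs offline, and the function names and the set of special characters are assumptions.

```python
import math
import secrets

# Constructed 32-word sample so the example runs offline. A real generator needs
# a list of several thousand words, otherwise 4 words are too easy to guess.
WORDS = ("anchor basket candle dolphin ember falcon garden harbor island jacket "
         "kettle lantern meadow nickel orchard pebble quartz ribbon saddle timber "
         "umbrella velvet walnut xylophone yogurt zipper acorn bridge copper "
         "dagger engine feather").split()

SPECIALS = "!#$%&*+-=?@"  # assumed set; adjust to what the site accepts


def generate_passphrase(words=WORDS, n_words=4):
    """Pick n_words uniformly at random, then add a digit and a special character."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets uses the operating system's secure random source; the random
    # module is predictable and must not be used for passwords.
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    suffix = str(secrets.randbelow(10)) + secrets.choice(SPECIALS)
    return "".join(chosen) + suffix


def word_choice_bits(n_words, list_size):
    """Bits of randomness from the word choice alone (suffix not counted)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase())
    print("32-word list:  ", word_choice_bits(4, 32), "bits")
    print("7776-word list:", round(word_choice_bits(4, 7776), 1), "bits")
```

The randomness comes from the computer picking the words; choosing four words yourself tends to produce exactly the predictable combinations attackers try first.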

If you have many accounts, it might not be so easy to remember different passwords consisting of random words.

Another approach I personally like is using passphrases. Using a phrase as password has a few advantages. Phrases are typically long enough, they contain special characters (spaces, punctuation), and they're easier to remember.

Let's say you need to create an account on the website of a sandwich bar before you can order online. A good password would be something like:

I love mayonnaise!

It's 18 characters long, it's random, and it has several special characters. Let's say the site also requires a number. You could do it like this:

I love m4yonnaise and salad!

I even made it a 28-character password that is very easy to remember. Make sure, though, not to use well-known phrases such as movie quotes or expressions.

When you're able to remember all the different passwords for your accounts that's perfect. No one can steal what's in your mind. But if it's too hard to remember them, just write them down in a book. The risk that your accounts get hacked is much higher if you (re)use weak passwords than when you write them down. Make sure to put the book in a drawer at home and don't leave it unattended when not at home.

If you don't want to do the hard work yourself you can use a password manager. Password managers are software tools that can generate passwords that look like this.

Password managers not only let you create truly random passwords, they also save them for you so that you don't have to remember them. If you want to know more about how to choose a password manager, read this article.

Conclusion

Don't (re)use weak passwords. I gave you some ways to create strong and thus unique passwords for your accounts. Pick the one that suits you best and start changing those weak passwords now. Good luck and stay tuned for more actionable security tips tomorrow!

John Opdenakker

Blogger | #Infosec | #AppSec | Security awareness | Occasional Public Speaker | Cycling | Running | Enjoying life