3 ways to create better passwords, ranked from laziest to best
Policygenius content follows strict guidelines for editorial accuracy and integrity. Learn about oureditorial standards
and how we make money.
Just accept it: you’re going to get hacked.
So many of my friends and family just don’t care about their online security. No amount of security breaches are going to convince them to not write their single password on a sticky note on their work computer.
If you’re reading this article and thinking, Do I really have to do all of this? It’s so much work! I’ll just come up with like, one good password and pray that no one comes after me, you need to look in the mirror and repeat this sentence over and over again: I will get hacked.
Seriously. You just need to accept it. There are data breaches all of the time. The IRS got hacked this year. The IRS! THEY LITERALLY HAVE ALL OF YOUR PERSONAL DATA AND THEY GOT HACKED.
Um, sorry. I didn’t mean to freak out. But also, how can you not freak out about this? We even wrote an article about the appropriate level of freak out you should have, depending on the breach.
I get that this can be kind of overwhelming, but it doesn’t have to be. There are so many tools and apps and websites that want to help you through this. So repeat after me: I will get hacked. Here’s how I can minimize the damage.
There are a lot of hilarious stock photos of burglars using or popping out of laptops. To help keep you entertained through this long journey to online protection, we'll intersperse this article with some of our favorites.
The word "hack" is kind of a misnomer, but we’re going to keep using it for two reasons: 1) it’s fun to say and 2) most people think of getting their identity stolen or an account breached as getting hacked, so whatever.
Usually, the only thing you truly control when it comes to your online security is your password, so that’s what we’re going to focus on here. We’re also just going to assume that you’re a normal internet user–not a celebrity or a journalist or an activist or someone who might be the target of an individual attack (though of course, you can always be the target of an individual attack for pretty much any reason–including having a cool Twitter handle!).
When you hear about breaches at big companies, they’re usually one of two things: personal info or passwords. If your personal info was breached, you need to go take care of that. Like, right now. What does it mean when passwords get leaked? It’s complicated, and it depends on how secure the company is. Some companies literally keep their password database in plain text, with no encryption, on their servers. This means anyone who can hack into their servers can read every password as easily as they can read this article.
Even if passwords are encrypted, it’s not that hard to break the encryption and then send that database around the world. Since most people don’t use unique passwords on every site, it then becomes super easy to sign in to pretty much all of their accounts using the username/password combo from whatever site got breached. Notice that at no point in this hack is anyone attacking your accounts directly–the breach happened entirely at that random website. However, if you don’t have unique passwords, you’ve basically let that random site hand over the keys to your life.
Unique passwords aren’t enough, however, because it does not protect a password from being individually targeted. Why would a password be individually targeted? Because attacking one password can give hackers access to a whole host of your accounts. Say, for example, they get into your Gmail account. They can now reset all of your passwords that use that email account, including your bank, credit card, and Seamless accounts. (What? Hackers get hungry.)
There are a few types of attacks hackers can make that target individual passwords. One is a dictionary attack. In this case, a computer just runs common words through the login screen to see if anything works.
Dictionary doesn’t just mean English words, either–dictionary, in this case, really means any commonly spoken or typed word in any language. It also covers common phrases and movie titles and song lyrics. Most dictionary attacks are also really good at figuring out number or symbol substitutions, like 1 for i or @ for a. So don’t assume that’s going to keep your p@ssw0rd s@f3.A hacker could also run a brute force attack. That means a computer literally runs through every combination of letters, numbers, and symbols until it gets it. That’s why having a really long password is important. There’s even a term for it: password entropy. A password with high entropy is unpredictable, meaning it would take a brute force attack centuries to finally crack it. And that would be okay, because you’d probably be dead, and the hacker would probably be dead, too.
The easiest and laziest way to come up with a unique password is just add the name of the site to end of a password "base." For example, let’s say you’re using "PuppyLove" as a base. Your Facebook password would then be PuppyLoveFacebook, your Gmail password would be PuppyLoveGmail, and so on and so forth. While this does, technically get you a unique password at every site, it’s pretty easy for a human being to figure it out. Even if you replace some letters with numbers, like PuppyL0v3F@c3b00k, it wouldn’t take that long for a human or a machine to figure it out.
Another method uses memorable phrases to help humans remember passwords. If you use this method, every time you visit a site and create a new password, you need to think of a memorable phrase (movie quote, song lyric) that reminds you of the site. Then, come up with standard transformation you can use to change the phrase (replacing letters with numbers, replacing spaces with underscores, etc.). With this method, all you have to do is remember the phrase and the transformation and you’re good to go.
For example, with Facebook, you might think of the Cole Porter song "It’s All Right With Me." Take a lyric from that song, "Though your face is charming," and, using your standard transformation of replacing some vowels with symbols, you’ve got "Th0ugh y0ur f@c3 1s ch@rm1ng".
Even if a hacker can crack your standard transformation, they’ll probably find it difficult to figure out your unique memorable phrase for every website. Computers would have to start over from square one with every site.
Both of these types of passwords are still susceptible to dictionary attacks, since some of these phrases are likely to be in a hacker’s dictionary.
There’s another method, put forth by xkcd’s Randall Monroe, that implores users to come up with passwords that strings together four random common words.
The theory behind this idea is simple. It’s incredibly hard for both humans and machines to crack (dictionary attacks will be thrown off by the words having no logical connection, length will make brute force attacks take forever). But you’ll remember because the human mind is built to make sense of randomness. Just don’t use "correcthorsebatterystaple" as your password. It’s probably been added to just about every hacker dictionary in the world.
Fun fact: There was a popular article passed around the web a few years ago saying that passwords like "This is fun" are more secure than gibberish passwords. However, since this became so popular, many common phrases have been added to hacker dictionaries, making these passwords more susceptible to attack. Your best bet is choosing a password that foils dictionary attacks all-together.
At least for now, the best password is a long string of random gibberish. Pulling from the entire alphabet (both uppercase and lowercase), ten numerals, and thirty-three symbols gives you a ridiculously huge amount of options when it comes to creating passwords. (Seriously. The number is so ridiculously huge that even if we spend the time to calculate it, the number would be incomprehensible.) These passwords can only be broken down by brute force attacks, and even those would take years, decades, or centuries to crack it.
But unless you have some crazy situation going on with your brain, you probably can’t remember a single random string of characters, let alone a unique one for every site you visit.
That’s where a password manager comes in.
Password managers are more than just a spreadsheet with all of your passwords. A good password manager keeps your passwords encrypted, lets you sync them between all of your devices, and makes it easy for you to enter them across the web. Many password managers also help you produce random gibberish passwords.
There are a few free options, but usually you’ll end up paying for premium features that make life easier.
If you’re a Mac and iPhone user, you already have a free password manager built into your devices: iCloud keychain. You may already be using it without even realizing it. It’s by far the easiest password manager to deal with if you’re a heavy Safari user on all of your Apple devices, but it leaves you high and dry if you ever want to switch platforms. It also comes with two major caveats: it doesn’t produce particularly strong passwords and it can be hard to access the passwords if you need to enter them somewhere other than Safari.
My password manager of choice is 1Password. I haven’t tried any other password managers except for iCloud keychain, so I can’t speak to how much better or worse 1Password is in comparison to other paid (or free) services. But I really like it: it makes it easy to create and enter passwords on my computer, which are then automatically synced over to my phone and iPad when I need them.
To give you an idea of what it’s like to actually use a password manager in your day to day life, here’s a sample of how I would use 1Password:
I need to create an account at Ticketmaster so I can buy tickets for the New York Cosmos v. Red Bulls match next Wednesday. They have very specific requirements for their passwords, but 1Password let’s me create a password using their specifications. It’s not as secure as it could be, but that’s on Ticketmaster.
I never think about that account again, but it’s still saved in my 1Password database, just in case. My 1Password database syncs over to my phone using iCloud (also available: Dropbox syncing).
On the way to the game, I realize that I forgot to print the tickets. No worries: I can sign into the Ticketmaster account on my phone and pull up the tickets there. 1Password actually has something called an extension, so when I pull up the Ticketmaster site on my phone, I can use the extension to plug in my random, unique password that I never thought I would use again.
All is well.
The best part of this is that if the Ticketmaster password database ever gets stolen I don’t have to worry about it affecting any of my other accounts.
Two-factor authentication (sometimes called two-step authentication) is a really simple idea. Let’s say a hacker gets the password to your bank account. They go and enter it, thinking they now have access to pretty much all of your money. Not so fast, says the bank website. We don’t recognize your browser / computer / location. We’ll need to send a unique code to your email address or phone number. By the way, the code will self-destruct in thirty seconds.
Assuming the hacker doesn’t have access to your email address (you’re using unique passwords, right?) or your physical phone, the attack has been effectively neutralized.
Most banks and credit card companies should offer some kind of two-factor authentication, and if they don’t, switch banks. I’m not kidding. If your bank doesn’t understand the value of two-factor authentication by now, they’re probably ripe for a good hack.
But other sites offer it, too: your Apple ID can be protected by two-factor authentication, as can your Facebook account, your Twitter account, your Google account, your Dropbox account, and more.
Even if these websites don’t force you to use two-factor authentication, you should turn it on. It’s not perfect protection, but it does drastically reduce your risk in the case of a security breach at one of these companies.
Also super important: having two-factor authentication turned on does not mean you can be slack about your password security. You still need secure passwords, and you still need a unique password for every site. Two-factor authentication is another level of security, not the end-all-be-all.
Fun fact: There are also apps that generate unique codes. Google Authenticator is a popular choice, as is Authy. 1Password also allows you to access two-step codes through their app, which is convenient if you already use 1Password.
Some sites have you set up security questions. This is a form of two-step authentication, but it’s not very useful. Let’s say the question is "What college did you graduate from?" For most people, that information is public on their Facebook or LinkedIn profile pages.
If you need to set up security questions, the best thing you can do is to lie. "What college did you graduate from?" "47xaim8smainusna87yr3qun7ndskalnsdjsa." Then, keep that answer in your password manager. It’s not quite as eloquent as coming up with a unique code every thirty-seconds, but it will do in a pinch.
Seriously, it’s going to happen. At some point, you’re going to hear about a major breach at one of your favorite websites. Your password will be out in the open. You may get an email saying someone tried to log on to your Facebook. You’ll still have to do a little damage control–changing some passwords, doubling down on security–but overall, you’ll be safe. Compared to your friends who are on level ten freak out mode, you’ll be sitting pretty, chilling back, maybe even sipping a drink of your choice.
Until someone steals your credit card.
Image: Blondinrikard Fröberg
Get essential money news & money moves with the Easy Money newsletter.
Free in your inbox each Friday.