Links on Android Authority may earn us a commission. Learn more.
How to create a strong password
When you create an online account with potentially valuable data inside, there is always going to be people immediately trying to break into it. That’s just the way of the world. So you need to go to extraordinary lengths to make sure that the account is impossible, or at the very least extremely difficult, to breach. In other words, you need a good password. Here’s our guide on how to create a strong password.
The general rules to create a good password include not using obvious easy-to-crack words, not reusing old passwords, and not making your recovery questions obvious. Instead, add foreign words, special characters, make the password as long as possible, and use a password manager.
JUMP TO KEY SECTIONS
Don’t use obvious words in your password
There are a lot of lazy people who use easy-to-crack passwords such as:
The list above are ones you should avoid like the plague. You should also not use the following to create a strong password :
- Your first name, last name, or any variation of the two.
- The name of your spouse or partner.
- The name(s) of your child/children.
- Names of pets.
- Where you were born, or where you live.
In other words, don’t use any word or words which people would immediately think of when they think of you.
Use special characters in your password
The next big no-no in password security is using common dictionary words. This enables a determined hacker to brute-force their way into your account by using software that goes through the dictionary, trying different words until they strike lucky.
However, you can mitigate this risk somewhat. First put multiple different unrelated words together to form a really big word. So instead of dog as your password (which is pretty weak), instead have dogbicyclehousecowsofachocolate. Then, to make it even more secure, add special characters. These include @ ; $ % & / ! ” # *_< >. Also include uppercase characters. Add one at each end of your password and maybe one in the middle. So dogbicyclehousecowsofachocolate suddenly becomes @doGbicycleHouse$cowsofaChocolate@
It’s obviously not a 100% uncrackable password, but it’s much more secure than simply “dog.”
Add a foreign word or two in your password
One little trick is to add words from your native language, as well as words from a foreign language together. If anybody is trying to figure out your password, they wouldn’t have any idea that you have added a word from some ancient pre-Roman Germanic tribe, along with a curse word from a witch.
Buy yourself a foreign dictionary or a foreign translated novel. Then throw in some special characters, and soon nobody will be able to figure out @peas_beans@schnickschnack!.
Don’t use a password that has been used before
It’s only human to be lazy sometimes and think “this password has been fine for the other account, so no need to make a new one for this account. I’ll just use the same one.” But this is most definitely not a good idea.
For one, if there is a data breach at a company, and your password details are compromised, a hacker could take those details and try them at other sites too. If you’ve used the same email and password at each site, well you’ve just made a bad problem a thousand times worse.
By using one unique password per website, you minimize the damage done if a data breach occurs in one place. The password won’t work anywhere else.
Don’t make obvious replies to your account recovery questions
When US politician Sarah Palin’s Yahoo account was hacked in 2008, the hacker managed to reset her password by looking up biographical data to answer her password recovery questions. Recovery questions are still a good way to reset your password, but again, if somebody knows you, or if you have perhaps a Wikipedia page, the questions can be easily answered by someone else.
This is where you make up your own replies, ones that nobody will ever be able to figure out. You obviously need to remember them though. Maybe in an encrypted file?
- Where were you born? In a hospital.
- Where did you first live? In a house on a street.
- Who was your first teacher? Some old lady with bad breath.
- Where did you go on your first date? Paradise.
- What was your first car? One with four wheels and doors.
- What was your first job? Earning money.
- What time of the day were you born? I wasn’t looking at a clock. I was a bit busy.
- What’s your grandmother’s first name? Granny.
You get the idea. Don’t actually answer the question. Instead, give a literal reply that nobody else would ever think of.
Use a password manager to remember your passwords
As you start to make your passwords more complex, and therefore harder to remember, you need to start using a password manager. Once you start adding uppercase letters and special characters to your passwords, you either need a password manager or an extraordinary photographic memory.
In the past, we’ve looked at different password managers for Android, and we’ve also compared two big names in the password manager industry. There are also open-source alternatives, such as KeePass. But whichever one you eventually decide to use, you definitely need to use one.
Apart from them being very secure, a password manager also has a random password generator built-in. This means you don’t have to sit there figuring out individual passwords for each online account. Simply tell the generator what characters you want in the password, click the button, and watch a new password being churned out for you. The password manager will store the new password for you at the same time. You really don’t have to do much except remember the master password to access the password vault.
You can also save passwords in your internet browser. But of course, anybody with access to your browser will be able to log into your accounts.
Other strong password tips
Here’s a few other tips on how to create a strong password.
You can make a strong password a hundred times stronger by using two-factor authentication. For those who are not familiar with 2FA, it is basically a second password to your account. Except this six-digit password is randomly generated every thirty seconds by the website itself. You would need an authenticator app to access these one-time codes or a recovery code if you don’t have access to the authenticator app. If you lose both, you’re potentially locked out of your account. So you need to be extremely careful.
You can also have 2FA codes sent to your phone as a SMS. But that is very insecure. If someone has managed to clone your phone’s SIM card, they can intercept the SMS messages and grab the 2FA code. An authenticator app, on the other hand, stays on your phone, and cannot be accessed by anyone other than the person with physical access to the device.
Don’t share your passwords (especially your Wi-Fi password)
One of the biggest ways to have your password cracked is by sharing those passwords with other people. There’s obviously nothing wrong with sharing your Netflix password with your spouse, sibling, parent, or other trusted family. But you shouldn’t be giving out your Wi-Fi password out to a complete stranger. Or sharing a sensitive password with a boyfriend or girlfriend that you don’t know too well yet.
As well as the potential data theft from these cracked accounts, you are also putting yourself in legal jeopardy if someone uses your Wi-Fi password to commit an online crime using your network.
Use a VPN when using a free public Wi-Fi hotspot
If you’re in Starbucks getting your latte, you may be tempted to jump onto their free Wi-Fi to check your email or your online banking. But free Wi-Fi hotspots are terrible in terms of security. There’s a more than likely chance there’s someone on the premises monitoring the network for usernames and passwords.
You can stop this dead in its tracks by not using free Wi-Fi hotspots. But if you really have to use one, install a Virtual Private Network (VPN). This will redirect your internet traffic to another server in either the country you’re in, or overseas. Avoid using a free VPN service and pay the few bucks a month for a paid service. They’re more reliable and will give you more peace-of-mind. Here’s some VPN recommendations.
Change your passwords regularly
Creating a strong password is not a “set it and forget it” process. You need to change your password on a regular basis, say every three months at the most. If there has been a data breach at a company you use, frequently changing the password will stop any unauthorized person fr0m accessing your account.
Some websites, such as Mailerlite, will tell you to change your password every 90 days. They will pop up a password change window when you log in. For the rest, you would need to set a reminder on your phone or in your calendar to get it done until it becomes a habit.
Set up a guest profile on your browser
Finally, if you have any nosy friends and family, or maybe a roommate that borrows your device, it may be good password security policy to set up a guest profile on your internet browser. Then, when they want to use your computer or phone to check something online, tell them to use the guest account.
This will cut them off from your saved passwords and other sensitive online data such as your credit card number. Setting up a guest profile is extremely easy. On Google Chrome, for example, you just need to click your profile picture at the top and click Guest in the drop-down menu. Other browsers are more or less the same.
Read more: How to show hidden passwords in any browser
The actual passwords are password-protected, but the password auto-complete function on websites is not.
Yes, you can create a primary password to protect the database. However, password auto-complete is not password-protected.
Yes. You can also use Touch ID and Face ID (if your device supports it.) However, password auto-complete is not password-protected.
Two-factor authentication is a second security layer to your online account, consisting of a six-digit number. This number can be accessed on an authenticator app on your phone, or via a SMS sent to your phone.
A virtual private network is a network of international servers managed by a company. You can use these servers, often for a nominal monthly fee, to redirect your internet activity, so it remains private. VPN companies don’t log your internet visits, making them even more secure.