How to create strong passwords you can remember

While cyber criminals are good at what they do, poor password hygiene — having a few simple passwords that open all your online accounts — makes their job even easier.
Close-Up Of Padlocks On Railing
A strong password is long (at least 12 characters), complex (upper- and lower-case letters, symbols and numbers) and random.Rosley Majid / EyeEm / Getty Images
Get the Better newsletter.
SUBSCRIBE
By Herb Weisbaum

Let’s be honest, passwords are a pain. We all know that good ones protect us from hackers, but it’s a real challenge to create and remember strong passwords for all our online accounts.

To deal with “password fatigue,” we create a few simple passwords, use them on multiple accounts and hope nothing bad happens.

“We all want what’s simple and easy, but that’s not good with passwords,” said Morgan Slain, CEO of SplashData, an online security company specializing in password protection. “Using a simple password over and over again is dangerous because it creates a cascading risk for all of your online accounts.”

SplashData evaluates millions of leaked passwords each year to create its annual list of worst passwords. The latest report reveals the same predictable, easy-to-guess passwords that are simple to crack top the 2018 List of Worst 100 Passwords:

  • 123456
  • Password
  • 123456789
  • 12345678
  • 12345

Other lousy passwords include: 1111, admin, 123123, iloveyou, welcome and 123abc. SplashData estimates that almost 10 percent of computer users in North America and Western Europe have used at least one of the 25 worst passwords on this year’s list.

Password reuse is the ultimate no-no

While cyber criminals are good at what they do, poor password hygiene — having a few simple passwords that open all your online accounts — makes their job even easier.

By using the same password or simple variations (i.e., admin1, admin 2, admin 3) for numerous accounts, you become vulnerable to what’s called “credential stuffing” — a cyberattack that uses stolen credentials from one site to gain unauthorized access to other sites.

“This is not rocket science,” said Brett Johnson, a notorious cyber thief (U.S. Most Wanted List 2006) who turned his life around after getting out of prison and is now a digital security consultant.

Get the better newsletter.

“If you use the exact same password, which most people do, and I can get that password through a phishing attack or data breach. That gives me the log-in information for your bank account, your credit card account, and all your other accounts with that same password,” Johnson told NBC News BETTER.

Reuse the same password on multiple accounts and your exposure grows with each new breach. For example, if your Starwood password was compromised in the mega-breach announced by Marriott International in November, and you’ve used the same password for other accounts, all of them are now vulnerable — even if you change your Starwood password.

Criminals will use automated programs to try these stolen passwords on other accounts used by those breach victims.

The best way to create a strong password

A strong password is long (at least 12 characters), complex (upper- and lower-case letters, symbols and numbers) and random. It should not contain any personal information, such as your name, birthday, pet’s name, Social Security number or anything else that can be found on social media.

The latest advice, according to ConnectSafely.org, is to use a “pass phrase” that’s 20 characters long and contains random words, numbers and symbols. For example: YellowChocolate#56CadillacFi$h.

Digital security experts contacted by NBC News BETTER all agree: The best way to manage your passwords is to use a password manager, which generates, securely stores and provides easy access to all your passwords. Create a long, random and unique password for each of your online accounts.

The password manager encrypts this information and stores it in a digital vault that is instantly available on all your digital platforms. You are the only one with the key to unlock it. This way, there’s just one password to remember — so make sure it’s super-strong.

Top-rated password managers cost between $15 and $60 a year. But there are plenty of reliable free versions available, including SplashID, LastPass, Dashlane, RoboForm, KeePass Password Safe and Sticky Password.

Unless required by the website, you don’t need to constantly change your passwords. Experts have found that constantly updating passwords encourages people to use simple ones or recycle old ones.

“In the event of a breach, or maybe you feel like your account has been compromised, that’s when we should change our passwords,” said Paige Hanson, chief of identity education at Norton Lifelock.

Two-factor authentication: The next line of defense

Strong passwords are the first step in securing your digital life. But even the best passwords can be compromised. You may get fooled by a phishing email scam and accidentally give your passwords away, or they could be stolen in a breach. That’s why security experts recommend two-factor authentication (2FA).

“No matter how strong a password is, if you use it anywhere, chances are that in a matter of time, the bad guys will have it,” said Nick Bilogorskiy, cybersecurity strategist with Juniper Networks. “So, do not rely on passwords alone. Your password is the first factor, the first step to log-in, but you need to have multiple steps. By adding an additional factor for logging in, you're increasing your online security by more than 10 times.”

For most of us, outside the workplace, 2FA means getting a text, call or email that requires us to do something to verify our identity. The assumption is a crook won’t answer your home phone, have your mobile device or be on your computer. (This is not foolproof, a criminal could have compromised one of your devices or accounts, but for most of us, 2FA by phone, text or email is a big step forward in security.) Software and hardware tokens, available on some sites, add another layer of security.

Some websites require 2FA, some make it available, while others don’t offer it. Making things even more complicated, every site calls it something different. It’s “two-factor authentication” on Facebook, “log-in confirmation” on Twitter and “2-step verification” on Google. The non-profit website twofactorauth.org makes it easy to find out if a website uses 2FA.

“You have to keep in mind who is after you these days,” warned Juniper Networks’ Bilogorskiy. “You are under attack by bad guys, corporations and state actors who are using malicious programs to constantly scan the internet, looking for victims. You need good security hygiene to reduce your vulnerability.”

Want more tips like these? NBC News BETTER is obsessed with finding easier, healthier and smarter ways to live. Sign up for our newsletter and follow us on Facebook, Twitter and Instagram.