10 Tips for Choosing a Safe Password

Choosing a password is easy; choosing a password that is safe is a different story. Follow these 10 tips for choosing a safe password to safeguard all of your accounts from fraud.

1. Choose a password with mixed-case letters, numbers and symbols (for example: !, $, #, %).
2. Choose a password that is NOT related to anything that has special meaning to you, i.e. your pet’s name, birthday, address, family members’ names, etc.
3. Use a different password for every account that you have. This one is tough, I know, but it will definitely come in handy if one of your accounts gets compromised: a unique password on each account ensures that your other accounts remain safe.
4. Change your passwords frequently (every 3 months or so), and when you change your password, don’t choose a new one that is similar to the old one.
5. Don’t use a word that is found in the dictionary.
6. Make your password 8 characters or longer.
7. Use a virtual keyboard when entering passwords. A virtual keyboard won’t let a keylogger program capture your keystrokes.
8. Use a string of words.
9. Pick a password that you can type quickly and easily remember without having to look it up.
10. Make sure you can easily remember it! Yesterday I changed my email password, and twenty minutes later I had already forgotten it. I had to go through 10 steps to recover my account (my recovery email address was old and outdated, so that didn’t help me either). Not very fun. So save yourself the headaches and use a password manager to securely store all of your passwords. Also, keep your account recovery information up-to-date, so that if you do forget your password, a reset link is just a click away at a different email address.
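
The following is an added example, not code from the original article: a small checker that turns tips 1, 2, 4, 5 and 6 into rules a registration form or an audit script could apply. The dictionary, the symbol set, the leet-speak substitution table and the personal-detail list are constructed for this example and are assumptions; a real deployment would load a large word list (or a list of previously breached passwords) instead of the five words here.

```python
"""Added example (not part of the original article): checks a candidate
password against the article's tips 1 (mixed character classes), 2 (no
personal details), 4 (not similar to the old password), 5 (not a
dictionary word) and 6 (at least 8 characters)."""
import string
from difflib import SequenceMatcher

# Constructed sample dictionary; a real check would use thousands of words.
DICTIONARY_WORDS = {"password", "sunshine", "dragon", "welcome", "monkey"}

# Symbols accepted for tip 1 (assumption; extend as your policy requires).
SYMBOLS = set("!$#%@&*?-_+=")

# Common "leet" substitutions undone before the dictionary lookup so that
# P@ssw0rd is still recognised as "password" (assumed mapping).
LEET_TABLE = str.maketrans("@01357$", "aolests")

MIN_LENGTH = 8
SIMILARITY_LIMIT = 0.6  # SequenceMatcher ratio above which two passwords count as similar


def has_mixed_classes(pw: str) -> bool:
    """Tip 1: lower case, upper case, a digit and a symbol must all be present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


def contains_personal_detail(pw: str, details) -> bool:
    """Tip 2: reject a password that embeds a known personal detail (case-insensitive).
    Details shorter than three characters are ignored to avoid trivial matches."""
    low = pw.lower()
    return any(d.lower() in low for d in details if len(d) >= 3)


def is_dictionary_word(pw: str, words=DICTIONARY_WORDS) -> bool:
    """Tip 5: a bare dictionary word, with or without trailing digits/symbols
    and with or without leet substitutions, is still a dictionary word."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core in words or core.translate(LEET_TABLE) in words


def too_similar(new: str, old: str) -> bool:
    """Tip 4: the new password must not be a small edit of the old one."""
    return SequenceMatcher(None, new, old).ratio() > SIMILARITY_LIMIT


def check_password(pw: str, old: str = None, details=()) -> list:
    """Return the list of rule codes the password violates (empty means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if not has_mixed_classes(pw):
        problems.append("classes")
    if contains_personal_detail(pw, details):
        problems.append("personal")
    if is_dictionary_word(pw):
        problems.append("dictionary")
    if old is not None and too_similar(pw, old):
        problems.append("similar")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the pet name and birth year come from a
    # hypothetical user profile.
    for candidate in ("P@ssw0rd1", "Rex1997!x", "sunshine", "Tq7$mVb2Lp"):
        print(candidate, "->", check_password(candidate, details=["Rex", "1997"]) or "ok")
    print("change Tq7$mVb2Lp -> Tq7$mVb2Lq:", check_password("Tq7$mVb2Lq", old="Tq7$mVb2Lp"))
```

The similarity rule uses a character-level edit ratio, so changing one character (or bumping a trailing number) is caught, while a genuinely new password passes. Length is checked first because tip 6 is the one rule a user cannot work around with clever substitutions.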

What are your top tips for choosing a safe password? Add yours below!

19 Comments.
  1. A hard-to-remember password might be easy for the computer. Check out this site to challenge the conventional wisdom: http://xkcd.com/936/

  2. Chris

    obligatory xkcd: http://xkcd.com/936/

  3. Tom

    4. It is counter-productive to change your password regularly if there isn’t reason to think it’s been compromised. Doing so makes it much more likely you’re going to have to write it down on paper or in some electronic message to yourself.

    Having different passwords is a good idea, and makes it even less necessary to change it frequently. So have a strong, hard to guess password you can remember and change it when you have reason to think it’s been compromised.

    7. This is only true for a hardware key logger placed on the keyboard itself. Software key loggers see virtual keyboards just as they do physical ones.

    10. DO NOT USE REAL ANSWERS TO SECURITY QUESTIONS. That’s what allowed Sarah Palin’s Hotmail account to be hacked. I add a nonsense word onto the answer so no one can guess it.

  4. benoit

    Recent research shows that most password encryption techniques are harder to crack with 3 dictionary words totalling over 10 characters with mixed case than a complex password of 8 characters or less.

    This is one decision where size really matters!

  5. Another Tim

    Someone explain to me how even an average password (not one of the top 10 most common words used for passwords) could be hacked. If the site where I try to login will disable the account after 3 or 5 incorrect tries, how would it make a difference if the password was “paragraph” or p$Mnx*RT!g? Your odds of guessing even that normal word are extremely unlikely.

  6. Ondrej

    Generating passwords as hashes generated by a combination of domain name and a master password:

    http://supergenpass.com/

    You do not need a secure password store; just remember one master password and use it to generate passwords for different sites.

  7. sean

    Totally agree with Tom on point 4. I have never heard a good justification for frequently changing your secure password.

  8. Joaquim

    Ok, so… it should use letters, numbers and symbols (1), so I’m sure it doesn’t exist in any dictionary (5), but it must be a string of words – the ones that are not in dictionaries? (8), and yet should be easy to remember… now I’m confused!

  9. Edson

    Thumbs up to TOM!!! Yes, Tom, I agree 300% with your remarks! I also follow your recommendations and use the same password until the time I feel it has been compromised (which has never happened to me!).
    About the passwords, a trick that I use is:
    I have a master password that I mix up with the name of every entity or website I make a password for. I.e.: you can pick a master pw like BANANA and mix it up in a manner that you remember, such as putting it between the first and last letter of the website name, so msn.com would generate mBANANAn. Sure, add some symbols to it, but you must have a pattern to make it easier to remember and, SURE, don’t use BANANA or any easy-to-find word or it defeats the purpose.
    The trick of a nonsense answer to the security questions is great, effective and simple. I have used it for years and really had no problems with it. Thumbs up again, Tom!
    If you guys have any other new or clever and simple tricks, please share with everybody else to make this world a little safer!
    Good luck.

  10. andy

    Good points, Tom! I use a master keyboard pattern, such as a “Pong” bouncing ball starting with the first letter of whatever the password is for.
    My “algorithm” tweaks are:
    1. start off going up and to the right,
    2. first ‘bounce’ off the ceiling is shift (special character)
    3. first ‘bounce’ off the floor is SHIFT (uppercase).
    4. second bounce off the ceiling is a number
    5. always 10 characters long

    Example(for “goodpass.com”): gy&ujMko0p

    Define your own ‘tweaks’ and tailor your keyboard pattern.

    I have a friend who simply substitutes ! for i, 0 for o, 1 for l, and 5 for s in the plain text for a password.

  11. Stoney

    @Ondrej

    I would avoid something like supergenpass. The problem comes when you want to change your password for one site. That entails that you change your master password. But that would change all of your passwords. Or you’ll have to remember different master passwords, and for which sites you use which password.

    I suggest using a program like KeePass: http://keepass.info/

  12. Concerned Citizen

    Then don’t you think you could at least enable HTTPS on your site? What good are passwords since anyone looking at the communication can easily extract your userid and password? Use SSL for goodness sake!

    Really, I’m shocked no-ip doesn’t enable SSL on the web site!

  13. Kos

    Hah, when I saw that in a newsletter, I stormed in to spread the XKCD wisdom, but I was late 🙂

    So let me show some simple numbers:
    a) 10 chars base-64 (mixed-case, digits, 2 symbols) vs brute force
    b) 5 words from most common 5000 english words vs dictionary attack

    We assume that the attacker knows the “type” of the password and attacks accordingly. Entropy is:
    a) 64^10 ~= 10^18
    b) 5000^5 ~= 10^18
    Why complicate?
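
An added worked example (mine, not Kos’s) that carries the two cases above through in code: it computes the guess space and the entropy in bits for a 10-character string over a 64-symbol alphabet and for 5 words drawn from a 5000-word list, estimates how long an attacker guessing at a given rate would need to exhaust each space, and generates a passphrase of the second kind with the standard-library `secrets` module. The attacker guess rate and the short word list are constructed assumptions; a real passphrase generator would use a list of several thousand words.

```python
"""Added example, not from the original comment: entropy of the two password
styles Kos compares, plus a random passphrase generator of the second kind."""
import math
import secrets

# The two cases from the comment: (alphabet size, number of elements).
CHAR_CASE = (64, 10)    # 10 characters from a 64-symbol alphabet
WORD_CASE = (5000, 5)   # 5 words from a list of the 5000 most common words


def guess_space(alphabet_size: int, length: int) -> int:
    """Number of equally likely passwords: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random choice: length * log2(alphabet_size).
    This is only valid when every element is chosen at random; words a
    person picks by hand are far from uniform and carry fewer bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a constructed attacker rate (offline attack)."""
    return space / guesses_per_second / (60 * 60 * 24 * 365)


# Constructed stand-in word list; a real list would have thousands of entries.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "garden", "pencil",
    "river", "cloud", "anchor", "silver", "planet", "copper", "meadow",
]


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_is_valid(phrase: str, n_words: int, words=SAMPLE_WORDS, sep: str = "-") -> bool:
    """True if the phrase is exactly n_words entries from the list joined by sep."""
    parts = phrase.split(sep)
    return len(parts) == n_words and all(p in words for p in parts)


if __name__ == "__main__":
    rate = 1e10  # constructed: 10 billion guesses per second against a fast hash
    for label, (size, n) in (("64^10 chars", CHAR_CASE), ("5000^5 words", WORD_CASE)):
        space = guess_space(size, n)
        print(f"{label}: space={space:.3e} entropy={entropy_bits(size, n):.1f} bits "
              f"exhaust@{rate:.0e}/s={years_to_exhaust(space, rate):.1f} years")
    print("passphrase from the sample list:", generate_passphrase(5))
```

Both spaces come out within about a bit and a half of each other (60.0 versus 61.4 bits), which is the point Kos makes: the guess space is what matters, and a long string of randomly chosen words reaches it with less to memorise than a dense 10-character string.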

  14. Click login link at top, instead of the login box at the top for the secure login. We also disable logins after 4 failed attempts to combat brute force attacks.

  15. Jay

    I use a program called LastPass; it creates secure 16-character passwords and remembers them for me, so I only have to remember the master password, which isn’t anything to do with me or anything I’m interested in. It also has a security check. I like it and it’s free; I also use it for customers’ passwords for our hosting packages.

  16. Bob Denny

    The recommendations are impossible. 3. Use a different password for each account, 9. Make the password easy to remember. My password keeper file has over 200 entries. Now add 4. Change all passwords every three months. So I log into 200 services/sites and change my password every twelve weeks? No.

  17. SD

    For “normal” passwords I use a base password of combined words that are easy to remember, with regular character replacements like 1 for l and 3 for e, with part of the name of the service I am logging onto at a fixed position in the password.
    That way it’s changed for each service/site and still “impossible” to brute force.

    For higher security logins I use a couple of lines from songs like “J0hnnyUs3dT0W0rk0nTh3D0cksUn10nW3nt0nStr1k3HesD0wn0nH1sLuck”

    Good luck bruteforcing or dictionary attack something like that.

  18. Octavio M

    I use the LockNote program (an executable) to store my passwords; the encrypted file is a text file protected by the application and a password. The passwords can be very complicated, with mixed case and numbers, and when I access a site I open the program and, instead of typing the password, simply select, copy and paste. (www.steganos.com)

  19. Paul Piescik

    I use Password Manager Deluxe which stores my passwords in an encrypted database.

    Besides that, I use the longest password allowed with the biggest mix of upper- and lower-case letters, numbers and special symbols allowed, created by the PMD random generator.

    I also use it to generate my username where I can. For the best instance, my bank account has a 31-character random username and a 19-character random password, and the bank uses SSL (or they wouldn’t be my bank).
