How can I make stronger passwords?

Updated:July 2016

How can I make stronger passwords?

Passwords are the weak link in protecting your digital information, whether it's online or sitting on your computer. Here's how to deal with it.


  1. What you're doing wrong
  2. Test your password-making abilities
  3. Methods of creating stronger passwords
  4. Methods of storing and using your passwords

What you're doing wrong

First, the bad news. Let's start with some of the main things people get wrong. Think about your own passwords. Do you:

  • Use the same password on multiple accounts?
  • Use short passwords?
  • Use common words that could be in the dictionary or popular names, locations or pop-culture references?
  • Use a name or or personally significant word?
  • Use typical, pattern-based substitutions: replacing an 'e' with '3' or 'i' with '1', etc.?
If one or more of the above applies to your password use, then you're getting it wrong. It's okay, almost everyone is, and by using this page, you're on the verge of getting it right! Passwords are these ubiquitous things in our lives that are are more difficult to create and manage than we assume. What follows is how to accomplish both tasks.


Test your password-making abilities

You probably already know more than you think your do about making decent passwords. These links are some ways to find out. Don't use your actual passwords(!), but maybe think of others that might be kind of similar, or try to think of one that would be difficult to crack.
  The above sites estimate how long it would take software to guess your password. They aren't foolproof, but will give you a general idea. These sites will do not take into account other ways a hacker would try to get your password, such as through social engineering efforts or malware attacks. They focus on brute force attacks, and you'll find that the more complicated and longer you make passwords, the more difficult it becomes to guess them. Creating complex, but memorable passwords is a real challenge, though, because hacking relies on patterns, and the human brain loves a pattern.


Methods of creating stronger passwords

This is actually a topic of some debate amongst security experts, and as methods of attacking passwords evolve, so do the counter-measures. What is common among the leading methods is that you need to think in phrases, not words, and then alter that "pass phrase" in some unconventional ways. Use punctuation, brackets, and other things on your keyboard alongside the letters and numbers.

The XKCD method is one frequently shared around the internet (likely helped by being in the form of a short cartoon), and focuses on long, obscure but memorable pass phrases.


Bruce Schneier's method involves taking a memorable, personal phrase and then distilling that into a code in just a few steps. You unlock the password, mentally, by recalling the phrase. Using this method, something like "Ltime@go-inag~faaa!" can be recalled by thinking of the phrase "Long time ago in a galaxy not far away at all."

The Person-Action-Object (PAO) method (PDF link) was developed by Carnegie Mellon University computer scientists. To use PAO, you create a mental picture that cements your pass phrase in your memory. To summarise Lifehacker's explanation of it: Think of a person, an action and a place, and maybe a few other things: Beyonce, driving, Mount Rushmore, Jello mold. These are then combined into a sentence to be used as a pass phrase: "Beyonce driving a Jello mold at Mount Rushmore."

Edward Snowden's method was circulated online via an interview the NSA whistleblower had with Last Week Tonight host John Oliver. It's not very cumbersome, and involves selecting a memorable or amusing but random phrase, and peppering it with an assortment of punctuation and other keyboard characters.

The Diceware method, explained by technologist Micah Lee, can create incredibly hard-to-hack passwords, but put some time aside for it. This method takes human decision making (often seen as a weak point) out of the equation. Instead, it uses the randomness of a few roles of some six-sided dice to generate a pass phrase. For this to work, you need to download a copy of the Diceware word list (PDF document) and find some dice. Roll the dice four times and look up your word. Repeat this process at least four times, or more if you want a longer pass phrase.

Use a password generator. Last, and maybe or maybe not least, use some software. Password managers are discussed below, but these tools can also create extremely strong passwords, though they're not so good at memorable ones. But with a password manager, they don't need to be memorable.

No method is bullet-proof, and each has their upsides and downsides. Go with the one that makes most sense to you. Any of them are going to create stronger passwords than what you've probably been using.

Methods of storing and using your passwords

So now you've created your incredibly strong, invincible pass phrase. You now need to adopt some practices, and possibly a couple of tools, to keep it — and your digital stuff — safe. Here are some ways to do it:

You still can't use your new strong passwords for everything. You do need different passwords for all your accounts. If a hacker gets one password, the next step is to try it out on all your other accounts.

Consider using a password manager. KeePass is a good, open source option for Windows and Linux. For Apple, there's pwSafe. Apple's own keychain has some similar capabilities, but it has mixed reviews. There are other cloud-based encrypted solutions as well, such as Lastpass. Use your incredibly strong, memorable pass phrase for a password manager, and you won't need to remember the others, and can make them as long and as complicated as you like.

Don't let your browser remember your passwords. Browsers have incredibly weak password storage security. Someone hacking your computer — or anyone who has direct access to it — can easily uncover all the passwords stored in your browser's history, and it's a common first port of call for an attacker.

Adopt good practices to avoid being hacked. If your computer is compromised, then it won't matter how sturdy your passwords may be. Attacks can come in many forms, but for a start, see our resources on avoiding malware and preventing social engineering attacks.

Don't keep your passwords in public places. This would include lists sitting around your desk, in an unencrypted file on your computer's desktop, in your handbag, and so forth. If you do keep an electronic document listing passwords, make sure that it's encrypted! This is essentially a manual way of creating a password manager. Use your long pass phrase to encrypt the document. Find out more about file encryption in our resource.

Use 2-factor authentication whenever possible. This helps protect your accounts in the event that your password does become compromised, and will report to you when and if that happens.

Limit the amount of attempts to log in on your accounts. Some internet services offer this. A few may require it. Basically, this let's a user make only a limited number of mistakes (or guesses) before the account becomes locked and the account holder is notified.
Created: August 2015

Help us be a better resource!

Give us feedback about this page. What was helpful here, or what could be included to make it more useful?

Create a comment
Create a Comment
  • Security code
News letter sign up