With the new year here, it’s a good time for a refresher on how to make strong passwords and help keep them safe. With phishing still on the rise, ever-present social media hacks, and general security breaches and unsavory shenanigans, it’s just a good idea, and one of our top 10 tech to-dos. In fact, put this one first on your list.
I even have gotten some older relatives to do it over the past few years, and that was no small feat. So now it’s your turn!
Updated for 2023
Related: Phone trick: How to lock and password-protect notes in your Notes app.
How to make strong passwords and protect them:
Simple tips. You can do this!
Familiar words and phrases are good for life, but bad for passwords. Words like kids’ names, pet names, or a husband’s birthday may be easy for you to remember, but we now know this is kind of like handing over your information to a hacker wrapped up in a bow.
And I’d like to add that while I’m always the first to complain about websites that won’t allow you to create a password they deem “weak,” they’re doing it for your own good. And theirs. If you enter a password that’s not hitting the “strong” requirements, go back and rework it until that thing is green as a shamrock.
Here’s how to get there:
1. Create a strong password by stringing together a random series of words
Completely random letter and number sequences are better than your birthday, but it turns out they’re actually easier for hackers to crack than our recommendation; many spam bots are programmed to spit out random letters and numbers just like that, so 8V6kWxRz may not be the tough password you would think it is.
Instead, create a strong password by using a completely random series of words, each separated by punctuation marks (more on that below).
Bonus Tip: If it’s a password you need to remember yourself because you use it a lot, try a string of common words that only have meaning to you, like your favorite ice cream flavor, college nickname and favorite shoe designer all put together.
2. Strong passwords include a number, a capital letter, and a punctuation mark
If you’re separating words, get those caps and numbers and punctuation marks in there!
sick-cashew-february is good, but S1ck-cAshew-FEbru4ry* is even better.
Alternatively you can make a password from a sentence you can remember like say, We love vanilla Oreos! and then tweak it so only you will know what it means. For example: U&IloveVn0r30s! (See what I did there?)
Note that some sites won’t let you use certain, lesser-used punctuation marks in passwords, like ^ or { but that’s okay — because all of your passwords should be different, right? So if you have a thing for ∂, well… you may have to adjust your expectations.
3. Make your passwords at least 8 characters long.
That string of words makes it easy to hit that 8-character minimum! Sometimes I find I even have passwords that are too long for a certain website. So I just trim off a few of the last letters and there you go — strong password, right length.
4. Don’t use any version of your name, birthday, social security number, or address in your password
If your birthday is December 11, 1980, you do not want a password like December111980. Or 11December80. Even if you change it up like D3cember111980. That’s playing with fire, and it’s just not worth it. Or w0rth it.
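Here is an added example, not from this post, that turns rules 1 through 4 into working Python: a generator that strings random words together with a punctuation separator, a capital letter and a digit, and a checker that flags passwords containing a name or any spelling of a birthday, including the D3cember-style digit swaps. The birthday, names and word list are constructed sample values.

```python
import secrets
from datetime import date

# Undo the letter/digit swaps the post itself uses (D3cember, w0rth) so "D3cember111980" matches "december111980".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Constructed sample personal details standing in for the post's "December 11, 1980" example.
BIRTHDAY, NAMES = date(1980, 12, 11), ("Liz", "Gunner")

def normalize(text):
    return text.lower().translate(LEET)

def personal_tokens(names, birthday):
    """Strings a password must not contain: names (4+ letters) and common birthday
    spellings, modelled on the post's bad examples December111980 and 11December80."""
    month, d, m, y = birthday.strftime("%B"), birthday.day, birthday.month, birthday.year
    variants = {f"{month}{d}{y}", f"{d}{month}{y % 100:02d}", f"{month}{d}", f"{d}{month}",
                f"{m:02d}{d:02d}{y}", f"{m:02d}{d:02d}{y % 100:02d}", f"{y}{m:02d}{d:02d}",
                f"{d:02d}{m:02d}{y}", str(y)}
    variants.update(n for n in names if len(n) >= 4)
    return {normalize(v) for v in variants}

def check_password(pw, names=NAMES, birthday=BIRTHDAY):
    """Return the post's rules (2, 3, 4) that pw breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if all(c.isalnum() for c in pw):
        problems.append("no punctuation mark")
    if any(tok in normalize(pw) for tok in personal_tokens(names, birthday)):
        problems.append("contains name or birthday")
    return problems

# Constructed sample word list; a real one would run to thousands of words.
WORDS = ["sick", "cashew", "february", "vanilla", "shamrock", "oreo", "sketchbook", "walnut"]
DIGIT_FOR = {"i": "1", "e": "3", "a": "4", "o": "0", "s": "5"}

def make_passphrase(words=WORDS, count=3, rng=secrets.SystemRandom()):
    """Rules 1 and 2 together: random words joined by punctuation, one letter capitalized
    and one swapped for a digit, e.g. sick-cashew-february -> S1ck-cashew-february."""
    picked = [rng.choice(words) for _ in range(count)]
    i, j = rng.randrange(count), rng.randrange(count)
    picked[i] = picked[i].capitalize()
    w = picked[j]
    k = next(n for n, c in enumerate(w) if c in DIGIT_FOR)   # every word in WORDS has one
    picked[j] = w[:k] + DIGIT_FOR[w[k]] + w[k + 1:]
    return rng.choice("-_.!*").join(picked)
```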
5. Make sure every single password is different and distinctive. Password vault apps are a massive help.
Experts recommend using different passwords everywhere — and yes, of course that’s a hassle! The hassle is the point! Enter password vaults. I totally fell in love with the 1Password app a few years back and recommend it to eeeeeeveryone. (Note that they’re now an affiliate but we’ve recommended them here for years.) The whole point is…you don’t have to remember all your passwords; just the one you use to get into the 1Password vault in the first place.
It also is terrific for families, since you can connect a family of 5 for less than the price of a coffee each month, and give your kids access to, say, that Netflix password they ask for every darn time.
If you’d like other password vault options, our team members and readers are fans of the LastPass Password Manager, mSecure, and Norton Password Manager. I’ve also heard about BitWarden and DashLane but know less about them personally. Take advantage of the free trial periods and see if one works for you. (But really, I can’t say enough good things about 1Password, above.) Whichever one works for you, it’s worth every penny.
Here’s what a good password manager does:
– Auto-generates different passwords for every single login
– Protects all of your passwords in a super-encrypted cloud vault
– Auto fills passwords so you don’t have to remember any but the one to get you into the vault in the first place
– Syncs across all your devices — desktop, iOS, Android, smart watch, even borrowed computers.
– Encrypts other data, like secure notes so you can jot down essential medical, financial or family info of all kinds and know that’s safe too.
Also, it works as an authenticator app so you can activate 2FA (two-factor authentication) of your identity in a way that’s safer than a temporary code that’s texted to you. In fact, the social network formerly known as Twitter won’t even allow you to receive authentication messages by text anymore unless you pay for the service.
6. Change your passwords the second you learn of a breach
One thing I like about 1Password — and I know LastPass does this as well — is that it alerts me to security breaches of any site where I have a login. I learned at the end of 2020 that there had been breaches that year on Canva, Evite, Chatbooks, and a few other sites including…Facebook. I don’t visit those sites every day so if it wasn’t front page news, I wouldn’t have known for a while.
If you learn of a breach, change your password ASAP! And because you’re already using a distinctive password on each site (right?) you don’t have to go change it on multiple sites.
7. Be sure your partner or a trusted loved one has access to your passwords.
I cannot express this strongly enough: please be sure that your partner, spouse, or trusted emergency contact of choice has access to your passwords. You can’t imagine the hassle of trying to get access to essential accounts or even a cell phone when someone is in the hospital or has passed away unexpectedly — I’ve been there and you don’t want to be.
Give your partner or best friend or parent access to your device by adding additional fingerprints to your Touch ID — or have them save your main login to your password vault in their own vault in case, heaven forbid, they need access.
Related: Tackle these 10 simple tech to-dos to start the year safer, cleaner, and more organized
You might also write it down in a safe place and let that person know where to find it in case of emergency.
Now to be clear, some security experts suggest that you never write down your passwords, but there are anecdotal accounts of people getting locked out of their LastPass or 1Password accounts. (Though a passkey should help with that, provided you don’t lose those too.) So I think you’re better off keeping that single password somewhere like a locked notes app page, or on a password-protected PDF that your emergency contact can access. Or even just so you can, should you go all fuzzy one day and blank on your main password. It can happen!
You can also record your vault password manually, say in a password log book that’s well hidden or a private note somewhere — I’ve yet to hear of hackers making their way into the sketchbook in your desk drawer. Just be sure that password is not attached to your login ID or the website itself.
Everyone should be using a Password Manager these days. I use RoboForm though, and I like that it’s made in the US. My husband has used and trusted it for years and I just signed on now too. It’s a life-changer!
—-
Thanks Rebecca! -Eds
Thoughts on Apple’s password management? I love that they offer a password option when setting up on a new site, and that the iOS stores all of the passwords!
Hi Kat! I use keychain for Mac/iOS as well, but not for everything. Overall I find that 1PW is far more robust and safer — the secret key encryption protects your data off your devices as well and I don’t know that any other pw apps have that. I also use it as an authentication app vs getting text codes (for example, Xitter no longer lets you use text for 2FA unless you pay). I like the 1PW functionality also, like shared pws for family/colleagues, encrypted notes, notes that are only shareable for a set amount of time (hours, days), and the security breach alerts about hacks and compromised passwords, plus a security check on the strength of your passwords across your whole account.
So…overall, for protecting really really important accounts, I feel more confident with a separate encrypted app that’s not tied to my operating system. But I do trust Apple overall!