Tips for Creating Secure Passwords


This pro tip comes to you from Chris C., who agrees that 1234 is not the best password ever created. It might work on your luggage, but when it comes to your online security you need something a little more complicated. Here is the first part of Chris' password tip.

1. Several uncomplicated words beat a short complex password

For example, "Twl4x9hm" appears to be a strong password, but it would only take an average desktop computer 15 hours to crack. p@ssw0rD is a bad password too, because password crackers try these common letter substitutions as part of a dictionary attack as well. It's not really any stronger than a single uncomplicated dictionary word: that password would only take about 14 seconds to crack. In addition to being insecure, both of those passwords are hard to remember and hard to type.

If you use a password that has multiple words separated by spaces, like the first 5 words from the middle of your favorite song, the password is significantly harder to crack, and very easy for you to remember. For example: "but we are all on common ground" would take about 14 decillion years to crack, and it's from a song I know and will remember easily. It's also easy to type because it's natural language. It's a win-win! Most password fields accept space characters, but even if they don't, "butwearealloncommonground" is still quite secure because of its length and because it's made up of multiple words.

Is your password secure enough? Try your password and see how long it will take to crack here:
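To see why the passphrase wins, here is an added example (not from Chris' tip) that scores the three passwords above under a simple attacker model: a brute-force search over the character classes present, or a dictionary search when every word (after undoing l33t substitutions) is in a word list. The guess rate, dictionary size and word list are assumed values, so the absolute times will not match the article's figures; the ordering and the gap between them are the point.

```python
import math
import string

# Constructed attacker model (assumed values, not from the article):
GUESSES_PER_SECOND = 1e10   # offline guessing rate against a fast hash
DICTIONARY_SIZE = 20_000    # words a dictionary attack would try
LEET_VARIANTS = 64          # case/letter-substitution variants tried per word

# Tiny constructed word list standing in for the attacker's real dictionary.
WORDS = {"password", "but", "we", "are", "all", "on", "common", "ground",
         "secret", "letmein", "welcome", "monkey"}
LEET = str.maketrans("@013$5!4", "aoiessia")  # undo common substitutions

def charset_size(pw):
    """Size of the alphabet an attacker brute-forces: the union of the
    character classes (lower, upper, digit, punctuation/space) seen in pw."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation + " "]
    return sum(len(c) for c in classes if any(ch in c for ch in pw))

def brute_force_bits(pw):
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))

def dictionary_bits(pw):
    """Bits if every space-separated token is a (possibly leeted) dictionary
    word; None when the dictionary strategy does not apply."""
    tokens = pw.lower().split()
    if not tokens or not all(t.translate(LEET) in WORDS for t in tokens):
        return None
    # Substitutions only cost the attacker extra guesses where they were used.
    return sum(math.log2(DICTIONARY_SIZE) +
               (math.log2(LEET_VARIANTS) if t.translate(LEET) != t else 0)
               for t in tokens)

def effective_bits(pw):
    """Entropy under the cheapest attack strategy that applies."""
    candidates = [brute_force_bits(pw)]
    d = dictionary_bits(pw)
    if d is not None:
        candidates.append(d)
    return min(candidates)

def crack_seconds(pw):
    """Expected time to hit the password: half the keyspace at the guess rate."""
    return 2 ** effective_bits(pw) / 2 / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ["Twl4x9hm", "p@ssw0rD", "but we are all on common ground"]:
        print(f"{pw!r:36} {effective_bits(pw):6.1f} bits "
              f"{crack_seconds(pw) / 31_557_600:.3g} years")
```

Raising GUESSES_PER_SECOND (a faster rig, or a site that used a fast hash) shrinks every time by the same factor, which is why only the passphrase stays out of reach.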

2. Three easy ways to tell that the website you are interacting with is not properly protecting your password

  1. If you've just finished signing up for the site and they email you your username and password. This means they are storing your password in a form they can read back rather than hashing it, and they've sent it to you over an unsecured medium (email).
  2. If you go through the "I forgot my password" password recovery steps, and the site emails your existing password to you rather than letting you reset it. A site that has hashed your password properly cannot send it back to you.

If you notice either of these happen, reset your password to something unique that you have not used elsewhere, so that none of your other accounts are in danger if this site is broken into.

  3. If the connection is not secure. A site that protects your login with HTTPS (an SSL/TLS certificate) shows a lock icon beside the URL; if the lock is missing or shown as "unlocked", the site does not have a valid SSL certificate and your password travels over an unencrypted connection.

3. Use unique passwords for everything that matters

It doesn't matter how secure your password is; you can't depend on a service to protect it properly. Pretend one of your favourite social media sites was broken into, and your extremely secure password was successfully cracked due to a fault in its programming. Assume you used the same password for the email account you used to sign up for that social media site. If you've used that email account to sign up for other services, the attackers can now easily gain control of not only the first social media site, but also the email account used to sign up for it, and any services where you've used that email/password combination. And because you used this email account to sign up for those services, they can reset the password on each of them even without knowing it, since they control the email account.

If you use a unique password for the email address, you have at least a chance of using that email address to reset the passwords on those services and regain control. If you use a unique password for every service, then the damage is limited to the social media site that got broken into. The major downside, and the biggest reason people don't do this, is that it's hard to remember unique passwords for every service you use. Password managers like the award-winning LastPass can make that a non-issue.
