9 Password Best Practices for a Safe Online Experience

“But which type of password would be considered secure, after all?”

If you’re wondering that, and also want to learn how to create strong passwords and how to protect passwords, we’ve got you covered with this in-depth guide.

How Dangerous Are Low-Security Passwords?

Simply put, extremely. Low-security passwords are very easy to crack, with some cracking tools being able to break them in seconds or even milliseconds. Cybercriminals can pretty much get access to tons of your financial and personal information if you hide it behind a weak password.

Which Type of Password Would Be Considered Secure?

To best answer that question, here’s a list of the type of passwords that would normally be considered unsafe:

• Your birth date
• Your physical address
• The name of your parents, friends, siblings, or pets
• Your name
• Obvious passwords like “password” or “123456789”

The kind of password that would be considered very secure is the one that follows the password guidelines we’ll discuss in the next section.

9 Password Best Practices to Keep Your Data Secure

We’ll be going over a list of short password best practices you should always keep in mind if you want to create a password that won’t ever be cracked.

Before we start, we should mention that to compare the strength of some of the passwords we’ll be offering as examples, we’re going to be using this online tool that estimates password cracking times.

1. Don’t Make Your Password a Dictionary Word

Having a dictionary word as your password makes it much easier to remember. However, it also makes it very likely to fall prey to dictionary attacks. If you’re not sure what a dictionary attack is, it’s when a cybercriminal attempts to use a short list of words (pet names, popular names, TV and movie characters, etc.) to crack a password they’re confident contains a dictionary word.

Of course, hackers could also use actual dictionaries to do the cracking. They wouldn’t even need to type in the words manually since they could just write a script to do it for them.

We recommend just coming up with a password that isn’t an actual word. The more complex and bizarre-sounding it is, the better.

And no, combining dictionary words isn’t guaranteed to make your password stronger. For example, “chairchair” might be a 10-character password, but it’d only take a hacker 3 months to crack it.

2. Make Your Password Long

Short passwords are easy to remember, true, but they’re very easy to crack as well. It’d might take only a minute for an experienced cybercriminal to crack a simple five-character password. If you go up to eight-characters (the standard NIST recommendation), the time is increased to one decade.

Ideally, you should have a password that’s longer than eight characters, though – we recommend going over 15 if possible.

If for some reason you need to stick to a short password, do it only on a website that allows space characters. If you insert one every letter/symbol/number in a five-character password, you increase the cracking time from one minute to four decades.

3. Mix Letters, Numbers, and Special Characters/Symbols

Mixing up letters, numbers, and symbols makes your password much harder to crack. If you were to use a password that only consists of letters or numbers, for example, cracking tools would have a much easier time breaking it.

After all, a password like “3&*Gjk2#” is much harder to guess or brute-force than a password like “fhujflto”. If we use the same tool we linked above, we’ll see that the second password can be cracked in around three hours, while the first password can be cracked in approximately one decade.

4. Mix Up Uppercase and Lowercase Letters

Don’t be afraid to add lowercase and uppercase letters at random intervals. It might be more inconvenient when typing in the password with a keyboard or on a mobile device, but it makes your password more secure.

Don’t believe us? Let’s take the following passwords: “sdfghjkl” and “SdFgHjKl”. A cracking tool would need around three hours to break the first password, and one month to crack the second one. Obviously, the second one could use some improvements to make it more powerful, but the example still shows that mixing up uppercase and lowercase letters is a good idea.

5. Don’t Use Obvious Substitutions

No, using “h0u$3” as a password instead of “house” doesn’t make it very strong. In fact, it’d just take one minute for it to be cracked.

As a general rule of thumb, you should avoid substituting letters with look-alike numbers because it won’t take long for a cracking tool to catch on to what you’re doing.

6. Reverse Some Words (Or All of Them)

If you must insist on using dictionary words as passwords, at the very least you should reverse them. For instance, instead of “dinosaur” which can be cracked in less than a second, you could try “ruasonid”. Of course, that’s not enough since it’d still take a cracking tool five hours to break that password.

So, you should use multiple reversed words together. Typing the whole password will be quite a hassle, but the security will make up for it. For the best results, mix up symbols, numbers, and uppercase and lowercase letters.

7. Make Your Password an Acronym for a Phrase

If you don’t feel like randomly mashing your keyboard to come up with a password, try thinking of a memorable phrase – preferably something you used to do quite often. For example, let’s take the phrase “I used to spend my summers in Italy when I was 5.”

To make a password from that, just take the first letter of every word. You’d be left with “IutsmsiIwIw5.”

Not bad, right? It’d allegedly take six millenia or more to break it. But you can make it even stronger to combat future password cracking techniques. Add one or two space characters, symbols, or numbers, and you’re left with an even more secure password.

8. Use Spaces When Possible

Not all websites will allow you to include space characters in your passwords. But if they do, go ahead and add a few. It makes your password longer, so the more space characters you include, the harder it would be for a hacker or password cracking tool to break it.

You can add a space character after every letter, number, or symbol if you want, but it’s generally enough to just add a few every few letters/symbols/numbers.

Adding as few as two space characters in a password like “dinosaur” (so that it’s “din osa ur”) would increase the time it takes to crack it from under one second to five centuries, so don’t underestimate this tip.

9. Consider Using a Password Generator

If you have multiple accounts, and creating a password for each one of them is too much work, you can always try using a password generator instead. It will create a secure password on the spot for you, so it saves you a lot of time.

Just make sure you use password generators from reliable companies. The last thing you want is to use some shady generator that some hacker set up to get access to your accounts.

Here’s a list of generators you can safely try out:

• 1Password’s Generator
• Norton’s Password Generator
• LastPass Password Generator
• Strong Password Generator
• MSD Services Password Generator
• SafePassword

How to Protect Passwords

Having a powerful password is a great start, but it’s not enough to keep your data safe. You also need to protect your own passwords from malware, human error, and hackers. Here are some tips to help you do just that:

1. Don’t Use the Same Password for All Accounts

Around 59% of online users re-use the same password for multiple services and platforms. It’s convenient, sure, but it’s also highly risky. Why? Well, imagine your passwords ever gets compromised somehow. If that happens, every single one of your accounts will be at the mercy of hackers.

For example, let’s say you use the same password for your Facebook account as the one you use for your PayPal account. If a cybercriminal ever compromises your Facebook password, they’ll get instant access to the money you have on PayPal.

As “inconvenient” as it might seem, try to use a separate password for every one of your online accounts. You don’t really need to come up with completely different passwords, but at least make sure all passwords different enough from each other so that hackers wouldn’t be able to guess the rest if they would compromise one.

2. Use Security Software and Keep It Up-to-Date

An antivirus/antimalware program is a must if you want to safely surf the web nowadays – especially since such software can keep your device safe from malware infections (like spyware and keyloggers) that can steal your passwords.

Just make sure to run regular scans (especially after you download new files), always keep web protection turned on, and keep the antivirus/antimalware program up-to-date. If you skip out on a single update, you might miss out on vital tweaks and files that help the software spot and fight back against new types of viruses/malware.

There are plenty of antivirus/antimalware software providers to choose from, but our recommendations are Malwarebytes and ESET.

3. Use a VPN When Accessing Public WiFi (Or At All Times)

Public WiFi might be convenient, but it’s very risky too. Many public networks don’t use any encryption, making it very easy for cybercriminals (or pretty much anyone) to eavesdrop on your online communications. Basically, that means that if you enter your password on a website while using public WiFi, there’s a chance somebody can see it.

So, you should always use a VPN (Virtual Private Network) when using a public WiFi network. The service will use encryption to secure all your Internet traffic, ensuring nobody can monitor it to steal your passwords.

The only alternative to that is using your data plan. Of course, you can’t really use it 24/7 (unless you can afford to), and connecting your laptop or computer to your mobile hotspot at home isn’t too convenient.

“Why would I do that when I can just use my own WiFi that’s secure?”

Well, the problem with current WiFi networks is that their WPA2 security isn’t enough to fully protect your data and online traffic. Why? Because WPA2 is actually vulnerable to the KRACK attack – a cyber attack which can break it. And it’s still going to take a while until WPA3 becomes the norm, so using a VPN whenever you go online is one of the best ways to protect your passwords.

4. Don’t Keep Your Password(s) on Your Device

It can be tempting to just have a Word file on your computer with a list of all the passwords you use because of how convenient it is. But if you do that, you’ll be putting those passwords (and the data they protect) in danger.

Why? Well, if a hacker ever were to gain access to your device (by using malware, for example), they would be able to quickly access said file, and steal all your passwords.

It’s better to just keep your passwords off your device. Ideally, you should use a notebook or so, and write the passwords down there. When you’re done, make sure to store it somewhere safely in your home (even a safe would do).

If that sounds like too much hassle, then you should consider our next tip.

5. Use a Reliable Password Management Tool

When it comes to password management best practices, a password management platform is a must. Basically, it’s an online service that stores and manages all your passwords. They will be properly encrypted, and you will just need one master password to access them.

Definitely much simpler than carrying a whole list of passwords around with you.

Password managers are pretty simple to use, and they can come in the form of online or cloud services, desktop applications, and even portable formats. They’re pretty much the best place to store passwords without having to get an expensive safe.

Here is a list of the best password management services:

• Bitwarden
• LessPass
• KeePass / KeePassXC
• Master Password
• PSONO
• Password Safe

6. Use Multifactor Authentication

A lot of online services nowadays allow you to use some form of multifactor authentication (the most usual one is two-factor authentication) to secure your accounts. Simply put, it’s an extra step you take when you log in. After typing in the password, you have to also enter a code you’re sent by text message or that’s generated by an authenticator app on your phone.

We highly recommend turning on two-factor authentication (or any other type of multifactor authentication) on all your accounts. It’s not a type of password security best practices since it’s not a feature that protects your password directly, but it is an excellent way to protect your accounts and data if your password ever gets compromised somehow.

7. Use Biometrics If Possible

If you’re not familiar with the idea of biometrics, it basically refers to technology that allows you to log into your device by scanning your fingerprint instead of or alongside using a password. A lot of laptops, tablets, and mobile devices have started offering support for biometrics, so you should consider using it when logging in.

Ideally, you should rely on biometrics when you’re in really crowded places or traveling abroad, so that you don’t accidentally expose your password in those situations.

8. Never Share Your Password

You’d think this is common sense, but yet approximately 95% of people actually share up to six of their passwords with other people – friends, family, or work colleagues.

“Well what’s the harm in that? You’re sharing passwords with people you trust.”

That’s true, and we’re not saying your fiance or best friend is going to use your password to empty your bank and PayPal accounts. However, they might be careless (we’re only human, after all), and accidentally type in your password on a phishing website, a public computer, or a malware-infected device.

If something like that happens, your passwords are as good as gone, and so is all your account data.

So, no matter how bummed out your friends and family are going to be when you refuse to share your passwords with them, it’s still a better alternative to having your financial and personal information stolen because of a simple mistake.

Encourage the people who ask you to share your passwords to register an account (especially if there’s a free trial). Only share passwords for accounts that are really disposable, or you don’t plan on using anymore at all (and don’t share a password that you might use for other accounts – even though you shouldn’t do that like we already said.).

9. Change Your Passwords on a Regular Basis

Only 35% of people never change their passwords nowadays, so at least the numbers are better than a few years ago. That still means a lot of people don’t properly secure their passwords, though.

Yes, we know that changing your passwords regularly – on top of having a separate password for each account – can be really tiring. However, it’s an extra security step that further ensures your data will be safe.

Now, you don’t need to change your passwords every day or week. Once a month should be okay, or once every two-three months at the very least. And you don’t need to come up with new passwords from scratch every time – sometimes it’s enough to just tweak your existing ones a bit.

Of course, there are moments when you absolutely need to change your passwords, and come up with new ones from scratch, such as:

• After a service you use has reported a data breach.
• After you used a public computer.
• When you give someone else access to your account.
• When there is evidence of unauthorized access to any of your accounts.
• When a malware/virus infection is detected on your device.

10. Avoid Phishing Emails and Messages

Phishing involves cybercriminals and scammers trying to trick you into revealing sensitive personal, financial, and company information. They will normally send emails or messages that look like they’re being sent by a real organization, business, or person, which will ask you to disclose private or company data.

Said emails and messages might also contain malicious links that take you to phishing websites which steal your passwords, or malware-infected attachments that install keyloggers on your device.

The key to keeping your passwords safe from phishing is to ignore any phishing messages, and never click on links or download attachments found within those messages. If you do happen to end up on a phishing website, never type in your real password – just gibberish.

Password Best Practices – The Bottom Line

So, which type of password would be considered secure? Well, definitely one that follows most of these password guidelines:

• Is more than eight characters long (ideally over 15).
• Contains letters, numbers, symbols, and space characters.
• Mixes up both lowercase and uppercase letters.
• Works as an acronym for a phrase (“WwttN10ya” for “We went to the Netherlands 10 years ago.”
• Doesn’t contains dictionary words. If it does, it contains words that are reversed.
• Doesn’t contain obvious substitutions (“0” instead of “o”).
• Is generated with a secure, reliable password generator.

Besides coming up with a strong password, you also need to keep it safe. The best ways to do that is using a VPN when you’re online, using antivirus/antimalware programs, using a different password for each account, changing passwords frequently, and using decent password management platforms – just to name a few tips.