How to create strong passwords

We've all been forced to create a new password before we've gotten used to the current one. It's common practice for businesses, websites, and organizations to require you to change your password every 90 days (or sooner). This often leads to the habit of creating new passwords by changing or adding only a few characters or numbers.

Unfortunately, this is not as secure as you would think. If you have a particular pattern for creating passwords, then would-be hackers can pick up on those patterns and try combination after combination to access your account more easily than if you created a brand new, complex password from scratch. But the flip side of this issue is that complex passwords are extremely difficult to remember. Not only do hackers have trouble trying to figure out your passwords, but so do you!

So how can we make secure passwords that are easy to remember, but also difficult to crack? Luckily there is a widespread solution to this problem: passphrases.

What is a passphrase? A passphrase is a unique and secure string of words that serves as a better alternative to a password. But that definition doesn't truly illustrate what a passphrase looks like, or even why it's better and easier to remember than a password.

Consider the following:

Password: Brvn$(0NC!
Passphrase: unsorted critter commander

Both of these are considered strong passwords. But which of them is easier to remember? Which one is easier to type? Which of them is actually secure? The password has simple character replacements and is indeed strong (according to password strength checkers), but it has a few things wrong with it.

First, it's very difficult to remember. Attempting to type this password, you can see there are a couple letters that are swapped. Was the "u" replaced with a "v"? Did I make the "o" a zero? Was the first or the second "C" a parenthesis? Did I put an exclamation at the end or was it a number?

Second, when all the character swaps are undone, it's a string of words we all know slammed together: BrunsCoNC. Everyone knows this is where we work, so it's not too far of a leap to try any passwords related to Brunswick County first before moving on to others.

Third, it's inconvenient to type on a keyboard. While this doesn't directly relate to password security, passwords that are difficult to type can be a deterrent to using them at all.
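The second point above is something a password-change form can check for. The following is an added example, not part of the original article: it undoes look-alike character swaps and flags passwords that still contain organization-related terms. The substitution map and the term list are assumptions constructed for illustration.

```python
import re

# Constructed substitution map: the swaps the article walks through
# (v->u, $->s, (->c, 0->o) plus a few other common look-alikes.
LEET_MAP = str.maketrans({
    "v": "u", "$": "s", "(": "c", "0": "o",
    "@": "a", "4": "a", "3": "e", "1": "l", "5": "s", "7": "t",
})

# Assumed context-specific terms (organization name and variants).
CONTEXT_TERMS = ("brunsco", "brunswick")


def candidate_forms(password):
    """Return lowercase, letters-and-digits-only forms of a password:
    one as typed, one with look-alike characters undone."""
    lowered = password.lower()
    forms = {lowered, lowered.translate(LEET_MAP)}
    return {re.sub(r"[^a-z0-9]", "", form) for form in forms}


def context_hits(password, terms=CONTEXT_TERMS):
    """List the context terms found inside any candidate form."""
    return sorted(
        term for term in terms
        if any(term in form for form in candidate_forms(password))
    )


def is_acceptable(password, terms=CONTEXT_TERMS):
    """Accept only passwords that contain no context term."""
    return not context_hits(password, terms)


if __name__ == "__main__":
    # Sample inputs taken from the article's own examples.
    for sample in ("Brvn$(0NC!", "unsorted critter commander",
                   "$30 Taco Parachute", "Garey & 58 Marbles"):
        hits = context_hits(sample)
        verdict = "rejected: contains " + ", ".join(hits) if hits else "ok"
        print(f"{sample!r}: {verdict}")
```

The check only looks for organization-related terms; it does not measure overall strength.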

The passphrase, on the other hand, checks all the boxes that the password misses. But I can hear you saying it now: how is the passphrase more secure than the password? It's three easy words, no special characters (that you know of), and no numbers, so what about that is secure? Let's break it down by the points I listed for the password.

Unlike the password, it's easy to remember. There are no tricky characters to get around, and they are all familiar words. They are also words that do not commonly follow or precede each other. And it is simple to type out. I'd argue that after a couple days of typing the passphrase above, anyone could easily enter it faster than they can type the complex password above, and it's nearly 3x longer!

The best part, and probably the most misunderstood aspect of passphrases in general, is that it's also using a special character: a space! Spaces in passwords have long been a taboo subject, but long gone are the days that password fields bar you from using them (with some minor exceptions). Nowadays, if you aren't using spaces, you're missing out on an additional aspect of creating secure passwords, and of course even more secure passphrases.

Additionally, passphrases can be made even more secure with some simple additions, while still being less complex than a password. For instance, if a website requires that you have numbers and special characters, along with capitalized letters, you could do the following:

$30 Taco Parachute
Garey & 58 Marbles

Both of the above passphrases are extremely secure, easy to remember, and simple to type out. No part of either passphrase relates to any other part, and each one checks all the boxes on needing a special character, number, and capitalized letter. They are so secure that it would take a computer roughly 3 hundred quadrillion years to crack. You can verify this (and any other password) by typing them in at https://www.security.org/how-secure-is-my-password/ to see their security strength.

To sum up what I've discussed here, having a strong passphrase requires very little in terms of complexity, but can reward you with ease of use and peace of mind. Make sure to use spaces between whole words (as long as they're unrelated) in your passphrase. And of course, don't tell anyone your passwords or how you come up with your unique passwords.

If you're interested in learning more about passphrases, I encourage you to do your own research, and also check out this great comic by XKCD on password strength. I also highly recommend using a tool such as a password manager to help remember your passwords and keep them in a secure location.

Article Details

Article ID: 18
Date added: 2024-04-11 11:38:38