
Size Matters! (When It Comes to Passwords)

The results are in for last year's most common passwords. The implications are depressing.
Evolution of passwords.
(Image: ChatGPT)

Take any password you think is strong and make it stronger.

Seriously. There’s a good chance that what you think is strong isn’t, or it won’t be in the near future.

Unfortunately, many people do the exact opposite, opting for some of the worst passwords you can think of. Don’t do that.


TL;DR:

Make passwords stronger

  • Regular reports of the most popular passwords remain very disheartening.
  • Length trumps everything.
  • Long passwords don’t have to be hard.
  • Password managers make long, strong passwords easy to deal with.
  • Take the time to replace your weak passwords.

And the most popular password is…

According to NordPass’s Top 200 Most Common Passwords, the top five are:

  1. 123456
  2. 123456789
  3. 12345678
  4. password
  5. qwerty123

The rest of the list is more diverse but just as obvious, including passwords like “iloveyou”, “qwerty”, “charlie”, “donald”, and many more horrific choices.

Not only are they simple, easy to guess, and clearly on the list of the very first passwords hackers try, but they also suffer from the greatest sin of all, in my opinion.

They’re short.

Length matters most

When it comes to passwords, length trumps everything. For example, let’s take that #1 offender above.

123456

A six-character password. Ugh. But adding a simple pattern to turn it into a 20-character password makes it a pretty reasonable choice.

****** 123456 ******

All I did was add six asterisks before and after, separated by a space on each side. And yes, as simple as that pattern appears to be, it’s a strong password. Much stronger than 123456 and just as easy to remember. (Caveat: it’s a weaker password because I just published it here as an example. Don’t use this exact password; use it as an example of a simple technique to lengthen otherwise poor passwords.)

Today, your goal should be 12 characters at a bare minimum, but preferably something like 16 or more. Using a password manager makes it trivial to use lengthy passwords. Personally, I’ve standardized on 20-character passwords.

Again, length trumps everything.

Long doesn’t have to mean hard

I’ll admit that throwing asterisks before and after a password doesn’t feel secure, even though it is. It just doesn’t feel like we did enough work. (Smile)

But to build on perhaps the most quoted XKCD comic of all time — Correct Horse Battery Staple [1] — combining unrelated words can be both strong and memorable.

I recently set up an account for a friend and did exactly that. When it came time to generate a password, I looked around my desk, picked three random items I saw, combined them with a fourth item this friend and I had in common, and — poof — a password that was long, strong, and easy to remember.

Here’s a different example using that technique.

SpeakerCoffeeMixerFacebook

That’s a 26-character password. If you need special characters, add spaces or an exclamation point in a “standard” location of your own choosing, such as at the end or after the first word.

Password managers make it even easier

As easy as that password is to create, and as memorable as it may be, if you have a lot of different passwords (and who doesn’t), it can be difficult to keep ’em all straight. Enter the password manager, which remembers them for you. That way, you only have to remember one password of the long and memorable variety, and the password manager does the rest.

Because I use a password manager (1Password), I don’t bother combining words for most of my passwords. I go all-in and let the secure password generator do the trick. For example, most of my passwords look like this:

xMpba3HxDFvKk73mrAfA

That’s 20 characters of completely random alpha-numeric data. If I need a special character, I’ll throw one in somewhere, making it a 21-character password.
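To put numbers behind “length trumps everything” for the three kinds of password discussed above (the wrapped 123456, the four-word combination, and the generator’s random 20 characters), here is an added example that is not part of the original article. It assumes a Diceware-sized list of 7776 words for the word-combination estimate and an offline guessing rate of 10^10 per second; both are assumptions, and the “naive” figure treats a password as if it were uniformly random over its alphabet, which overstates strength for patterned passwords.

```python
import math
import string

# Standard character classes for the naive "as if uniformly random" estimate.
CLASSES = (string.digits, string.ascii_lowercase, string.ascii_uppercase,
           string.punctuation + " ")

def charset_size(pw: str) -> int:
    """Size of the smallest union of standard character classes covering pw."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))

def naive_bits(pw: str) -> float:
    """Bits a brute-force attacker faces if pw were random over its alphabet."""
    return len(pw) * math.log2(charset_size(pw))

def wordlist_bits(words: int, list_size: int) -> float:
    """Bits for `words` words chosen independently from a list of list_size words."""
    return words * math.log2(list_size)

def pattern_bits(core: str) -> float:
    """Bits left once the wrapping pattern is known (e.g. published): only the core is secret."""
    return naive_bits(core)

def years_to_exhaust(bits: float, guesses_per_sec: float = 1e10) -> float:
    """Years to try every candidate at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_sec / (365 * 24 * 3600)

def report(label: str, bits: float) -> str:
    """One line of the comparison table."""
    return f"{label:<38} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years"

if __name__ == "__main__":
    # Passwords taken from the article above (the asterisk one is published, so weak in practice).
    print(report("123456 (naive)", naive_bits("123456")))
    print(report("****** 123456 ****** (naive)", naive_bits("****** 123456 ******")))
    print(report("  ...if the wrapper pattern is known", pattern_bits("123456")))
    print(report("SpeakerCoffeeMixerFacebook (naive)", naive_bits("SpeakerCoffeeMixerFacebook")))
    print(report("  ...as 4 words from a 7776-word list", wordlist_bits(4, 7776)))
    print(report("xMpba3HxDFvKk73mrAfA (random)", naive_bits("xMpba3HxDFvKk73mrAfA")))
```

The two “...” rows are the practitioner’s caveat: a pattern or word list the attacker can guess collapses the naive figure, which is why the random 20-character string from the generator is the only one whose naive estimate is also its honest one.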

I can’t tell you any of my passwords except the one to my password vault.

Do this

I talk about passwords and password strength a lot because, like it or not, passwords will continue to be an important part of your online and account security for some time. Passkeys will eventually replace them, but that’s going to take a long time. Even when you use two-factor authentication — as you should, if it’s offered — you’re still relying on the strength of your password as your first line of defense.

Review your passwords and replace short ones with something longer and more secure. At least 12, but preferably more like 16 characters or longer.

And if you’re using anything on this list, don’t delay a moment longer. Go change that password now.



Footnotes & References

1: Which I did not have to look up — it’s that memorable.

18 comments on “Size Matters! (When It Comes to Passwords)”

  1. I use a password manager, KeePass, to manage passwords. For certain logins though, like banks, I add a made-up word at the end of the password but I do not store the made-up word in KeePass. After KeePass auto-types the username and password I manually add the made-up word at the end of the password. Should someone ever crack KeePass they still will not have the complete password. If websites only allow a certain number of attempts I’m not sure where brute force attacks come into play. Perhaps a follow-up article could explain.

    Reply
  2. If I have a self-made password for, say, Home Depot and I change it by generating a new password in RoboForm, how does Home Depot know it’s me? How do I tell Home Depot?

    Reply
  3. I am curious how you handle passwords that you need to manually enter on platforms that a password manager cannot handle (think logging in to video streaming services on your television)? Let’s see, I have Hulu, Max, Paramount, Peacock, YouTube… oh the list goes on! Having a random 20 character PW for each of those services is (for me, at least) unmanageable! And, it seems, various services often have glitches that require reinstalling or updating the app, which then requires logging in again. Having to use the remote control to enter a lengthy, complex password is inordinately difficult, to say the least.

    Thoughts?

    Reply
    • Fortunately those are becoming fewer as they start including the ability to login via the web on another device. However I have painfully and slowly entered a full 20 character random password with my TV remote on more than one occasion. It was painful.

      Reply
      • In those contexts, I use passphrases. Still tedious to type in with a remote or iPhone or game controller, but much easier than so-called random complex passwords.

        Reply
  4. Heck, another perfect opportunity to — once again! — recommend what I think should be everyone’s “go-to” reference for learning all about passwords:

    “Perfect Passwords: Selection, Protection, Authentication” By: Mark Burnett
    https://www.amazon.com/dp/B003VM7GBA

    This book is — can you believe it?! — almost twenty years old… and yet it remains relevant to this very day, because the author has grounded his findings and advice in mathematics, which always remains current.

    And every once in a while, he even sneaks in an anecdote or three! Take the one about the author’s 5-year-old son, whose password was:

    “ooooooooooooooo”

    (Shux, his son liked the letter “o”, and he could count to the minimum password length of 15, so that’s what the lil’ kidlet tyke used, LOL!)

    BTW, I took that anecdote from the Amazon review I wrote for this book in — get this! — the year 2009! It wasn’t hard for me to find — it’s literally the very first review on the page! 🙂

    Reply
  5. Hello Leo,
    Thank you for continuing the information flow, I enjoy reading your articles.
    I have a credit card at a bank that only allows 8 digit passwords, no more and no less. To set up 2FA I would have to visit a branch, the closest being >200km away. I use Proton Pass, and it flags the password as ‘Vulnerable’, but nothing I can do about it except change banks and close the account. Not good security or customer service for our 5th largest bank.

    Reply
  6. Hi Leo,
    As always, great advice for this important issue.
    Like many, if not all, users here, I have hundreds of passwords and now use Proton Pass for storing them.
    However, Proton has flagged up quite a few passwords that it considers weak.
    Is there a way you can say change all passwords in one go using a password manager and if so how do the sites I use know the password is changed?

    Reply
    • Remember, the password is changed ON THE SITE first, and then you save the new password in your password manager.
      So while some password managers kinda-sorta know how to make the first part happen, most do not. It ends up being a manual process of visiting each site, changing the password, and then updating the saved password in the password manager.

      Reply
