As we live in an increasingly online world, having secure passwords for our online accounts has never been more important. Just in July 2024, nearly 10 billion passwords were leaked in a massive data breach involving the defunct social site RockYou. With cyberattacks happening every year, making sure you have strong and secure passwords is one of the best ways to protect your online data.

But what exactly constitutes a secure password? How do you make sure your password is secure? Are there specific password best practices we need to follow?

In this article, we give you a step-by-step guide on how to create a secure password and some password tips and recommendations you can adopt to protect you and your online accounts.

How secure is my password?

Perhaps the first question on your mind is figuring out how secure your current passwords are. Thankfully, there are a handful of best practices that work as effective guidelines for determining whether a password is secure. In this case, since I don’t know your specific password, I’ll use a common example to showcase the process of grading the strength of a password.

SEE: How an 8-Character Password Could be Cracked in Just a Few Minutes (TechRepublic)

In 2023, Statista found that “123456” was the most commonly used password in the world — being used over 4.5 million times. With this password, let’s take a look to see if it passes some of the essential questions to ask when evaluating a password:

  • Is your password at least 12-16 characters long?
  • Does it use a mix of uppercase and lowercase letters, numbers, and symbols?
  • Can your password be known by other people and not just you?
  • Are you reusing this password for your other accounts?

Clearly, 123456 fails to meet most, if not all, of the questions posed above. It’s only six characters long; it doesn’t have any combinations of numbers, symbols, or letters; and it’s an incredibly common password, being used more than 4.5 million times around the world.

While these tips aren’t the end-all and be-all of password best practices, they are good starting points for determining whether your passwords are secure or not.

Before going further, I want to make an important note. If you’re using a password that’s commonly used by other users, such as 123456, I highly recommend reading through the rest of our article and creating a new one. With common passwords, there’s a high chance that a brute force attack can easily crack your passwords.

With this in mind, here are other common passwords used in 2023, according to the same Statista report:

  • admin
  • 12345678
  • 123456789
  • 1234
  • 12345
  • Password
  • 123

How to create a secure password?

Now that we’ve figured out how to rate a password’s overall security, it’s time to take steps to create our own secure password.

1. Make sure you aren’t recycling old passwords

My first tip is for you to forgo using any of your old passwords or remodifying your previous passwords into new ones. I highly recommend making a unique password for each of your accounts or devices.

This safeguards your accounts from being compromised, especially if a hacker gets a hold of one of your passwords and tries to use it on your other online accounts. If this happens but you followed this tip, the hacker won’t be able to infiltrate more of your personal information.

2. Write a password that’s at least 12-16 characters long

Your new password should at least have 12 characters to ensure security. Having this number of characters makes a password harder to crack, especially against brute force or dictionary attacks.

Amazon requires at least six characters in its password field.
Amazon requires at least six characters in its password field. Image: Luis Millares

While 12 characters is generally the recommended minimum, I don’t think there’s any harm in going for 14 or even 16. In this case, the key is having at least 12 in all the passwords that you use on a frequent basis.

3. Combine uppercase and lowercase numbers, letters, and symbols

Another important password practice is to use a combination of uppercase and lowercase numbers, letters, and symbols in your password. As with my previous recommendation, this makes it more difficult for malicious actors to try and crack your password through trial and error.

If you’re unfamiliar with how these look like, I’ve added a few samples below:

  • afg-jdf!dkx5jaw-VNA
  • zga-PFM*tjh7qaj!qjezga-PFM*tjh7qaj!qje
  • rpg@pqw9cey2ekh6JXZ

While these examples look complicated, they are a significant step-up in terms of security compared to passwords like qwerty or 123456. Having a mix of these characters also helps ward off dictionary attacks, wherein a hacker systematically goes through words in a dictionary or word database to find your password.

NordPass’ password generator.
NordPass’ password generator. Image: Luis Millares

In addition, security tools like password managers have built-in password generators that automatically create, save, and store these passwords for your convenience.

4. Don’t include any personal identifiable information in your passwords

I strongly encourage everyone to never include any personal identifiable information or biographical data in your passwords. What do I mean by this? Things like your birthday or birth year, home address, age, or family name should not be part of your passwords.

While these could help you remember your credentials, it’s simply not worth taking the risk.  Experienced hackers will more than likely use whatever PII you have available in the public, particularly on social media, as part of their hacking strategies.

Let’s say, for example, you have your birthday as your bank account password. If I was a hacker, one of the first things I’d check is if your birthday is publicly displayed on a social media site. If it is, and I gain access to half your bank details, your birthday will be one of the very first things I’ll try.

Once again, this situation can be easily avoided by not having any PII or personal data in any of your passwords or logins.

5. Consider using a passphrase

For users who want an alternative to using jumbled text or for people that aren’t keen on adopting password manager software, I suggest looking into passphrases. Passphrases are a string of random words — often with symbols and characters as well — that serve as a password.

Using groups of unrelated words for your passwords can be a good way to keep your online accounts secure. Since they’re phrases, they also have the added benefit of being longer than your traditional password.

For those curious about how a passphrase might look like, I’ve added a few examples below:

  • illusive-sateen-upset-tiresome
  • Loaf6-behold3-uglify2-bureau5
  • 9betaken-essex8-piano6-lengtheN2

If you’re interested in learning more, we have an in-depth feature on passphrases that takes a look at the advantages and disadvantages of passphrases, as well as how best to utilize them.

6. Never share your passwords with anyone

This might seem obvious, but it bears emphasizing — I strongly recommend that you never share your passwords with anyone, under any circumstances. Always keep your passwords to yourself and never divulge them to others, especially via unprotected channels like SMS, email, or online messaging platforms.

For one, you really can’t tell who you can trust when it comes to sharing passwords. Second, if you share passwords through channels like social media, there’s a good chance that these conversations will be hacked or breached.

7. Use a password manager

Finally, I highly encourage users and businesses to utilize a password manager or password management service. Password managers are software that’s purpose-built to store, organize, and secure your passwords. It accomplishes this by using security measures like encryption, zero-knowledge principles, and multi-factor authentication.

Keeper password manager desktop interface.
Keeper password manager desktop interface. Image: Luis Millares

Personally, I find password managers with password generators to be their most useful feature. Most password managers include them. These generators are a security tool that automatically implements password best practices and creates a secure password in a matter of seconds.

Bitwarden’s built-in password generator.
Bitwarden’s built-in password generator. Image: Luis Millares

With password generators, you can customize how long you want your passwords to be, what characters you want included, or if you want a passphrase instead.

SEE: How Do Password Managers Work and Why Do You Need One? (TechRepublic)

For businesses, password managers are also a perfect way to manage hundreds to thousands of log-in credentials without compromising security.

If you want to learn more about password managers, check out our comprehensive cheat sheet and this list of free options.

Best password managers to choose from

Fortunately, I’ve covered a number of password managers that can help you create secure passwords for you and your business. As a disclaimer, all the ones listed below include a password generator, vault encryption, and unlimited password storage with every subscription.

Our ratingStarting priceEncryptionStandout feature
Bitwarden4.3 out of 5$0.83 per monthAES-CBC 256-bit, PBKDF2 SHA-256, or Argon2idFree version with unlimited password storage; open-source
Keeper4.4 out of 5$2.92 per monthAES 256Powerful business-centric features; team management capabilities
NordPass4.6 out of 5$1.89 per monthXChaCha20Well-designed and intuitive interface; wide range of subscription options

Bitwarden

Bitwarden logo.
Image: Bitwarden

For users who want an open-source password manager, I suggest Bitwarden. Bitwarden has garnered a strong reputation for its top-tier security through its end-to-end encrypted service. It comes with advanced two-factor authentication, password security health reports, and passkey capabilities.

SEE: How to Run a Cybersecurity Risk Assessment in 5 Steps (TechRepublic Premium)

I particularly like its generous free version, allowing for both unlimited password storage and unlimited device support. This is particularly impressive considering most free password managers either implement a password or device limit.

To learn more, read our full Bitwarden review.

Keeper

Keeper logo.
Image: Keeper

For enterprise-level password management, I recommend Keeper. Its enterprise subscription brings an impressive suite of management features such as activity reporting, single sign-on authentication, delegated administration, and Active Directory Sync.

Throughout its other business subscriptions, a highlight feature for me is Keeper’s emphasis on password organization. Specifically, I appreciate Keeper’s emphasis on its folders, subfolders, and shared team folder capabilities. In a business context, being able to share passwords across teams and departments is an underrated value-add.

To learn more, read our full Keeper review.

NordPass

NordPass logo.
Image: NordPass

For less tech-savvy users looking into password management, go for NordPass. To me, NordPass has one of the cleanest and most intuitive interfaces in the password manager space — making it a good pick for beginners or regular users. On top of that, it includes a bevy of security features like a data breach scanner, biometric unlocking, and autosave/autofill capabilities.

A noteworthy NordPass feature for me is its use of the newer XChaCha20 encryption over the more traditional AES-256. According to NordPass, this was done to future-proof their service and reap XChaCha20’s speed benefits.

Subscribe to the Cloud Insider Newsletter

This is your go-to resource for the latest news and tips on the following topics and more, XaaS, AWS, Microsoft Azure, DevOps, virtualization, the hybrid cloud, and cloud security. Delivered Mondays and Wednesdays

Subscribe to the Cloud Insider Newsletter

This is your go-to resource for the latest news and tips on the following topics and more, XaaS, AWS, Microsoft Azure, DevOps, virtualization, the hybrid cloud, and cloud security. Delivered Mondays and Wednesdays