
How to Create a Strong Password

The best password is a strong password, but you’re not alone if you’re struggling to come up with good password ideas. An uncrackable password keeps hackers out while safeguarding all your accounts and personal data. Learn how to create a strong password with our expert tips and advice, then protect your accounts against leaks with Avast BreachGuard.


How does a password get hacked?

There are many ways a cybercriminal can crack, hack, or otherwise obtain your password. They may use specialized cracking software, ensnare you in a phishing campaign, or scour your social media posts for clues. But often, they’ll simply buy your passwords on the dark web.


    Password hacking is a lucrative business, and if you’ve been using the same password for years and on multiple sites, it’s likely to have already been compromised. Hackers will steal user credentials as part of a data breach, compile all the info into a massive list, then sell it to other cybercriminals to use in their own schemes.

    If you’ve been careful enough to keep your passwords off these lists, cybercriminals will have no choice but to try and crack them. Let’s take a look at the password cracking methods they’ll use so that afterwards, you’ll know how to create the strongest and best passwords possible.

    • Brute force attack

      A brute force attack is when hackers try one password after another until they finally land on yours — using powerful software to automate the task. Brute-force programs are laser-focused on spitting out as many combinations as they can to discover your password as quickly as possible.

      Back in 2012, one hacker demonstrated a 25-GPU cluster capable of generating 350 billion guesses per second, taking just six hours or less to crack any 8-character Windows password comprising uppercase and lowercase letters, numbers, and symbols. With it, he was able to obtain the passwords of over 90% of LinkedIn’s user base.

      Since then, there’s been a significant push toward longer passwords. Each additional character multiplies the total number of possible passwords by the size of the character set, so the search space grows exponentially with length. The more characters you use in your password, the more guesses a cracker needs to uncover it. Passwords of 15 characters or more may take hundreds or thousands of years to crack.

    • Dictionary attack

      Dictionary attacks are related to brute force attacks, but rather than hitting you with random strings of characters, the attacker generates passwords made from a predefined set of words. If your password is a single word, you’ll quickly fall victim to a dictionary attack.

      If you like using standard words for your passwords, string a few together into a passphrase. Using this technique allows you to create strong password examples that can stump many dictionary attacks. The words in your passphrase must be completely random, or else password cracking software may be able to guess what they are.

      Your passphrase should be random, or else password cracking software can guess it.

    • Phishing

      More subtle cybercriminals may attempt to manipulate you into divulging your password in a sneaky technique known as phishing. Often conducted over email, phishing attacks are communications disguised as though they’re coming from a trusted source, such as a financial institution, well-known website, or even a senior member of your organization. 

      In phishing emails, you’ll be asked to furnish your login credentials on a website custom-built to mimic that of the supposed sender. These attacks use social engineering techniques, and unfortunately many phishing victims have no idea that something’s gone wrong until it’s too late.

      Email isn’t the only phishing vector. Phone calls (and phone spoofing) are still popular, as are text messages and social networks. Many robocalls, especially those regarding credit cards or financial accounts, are actually the opening salvo in a phishing attempt.
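To make the brute-force figures above concrete, here is an added example (not part of the original article and not Avast code) that computes the search space, the entropy in bits, and the worst-case time to exhaust the space at the 350 billion guesses per second quoted for the 2012 cluster. The character-class sizes and the sample passwords are assumptions chosen for illustration.

```python
import math

# Character classes a brute-force search has to cover once it knows the password
# uses them. Sizes follow the printable-ASCII split: 26 + 26 + 10 + 33 = 95.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Guess rate of the 25-GPU cluster the article cites (350 billion per second).
GUESSES_PER_SECOND = 350e9
SECONDS_PER_HOUR = 3600
SECONDS_PER_YEAR = 365.25 * 24 * SECONDS_PER_HOUR


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character of
    `password`; that alphabet is what an exhaustive search must enumerate."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def search_space(charset: int, length: int) -> int:
    """Number of candidates of exactly `length` characters over `charset` symbols.
    Adding one character multiplies this by `charset`, so it grows exponentially
    in the length."""
    return charset ** length


def worst_case_seconds(charset: int, length: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole space at `rate` guesses per second. A random
    password is found after about half of this on average."""
    return search_space(charset, length) / rate


def entropy_bits(charset: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(charset)


def crack_time_report(password: str) -> dict:
    """Worst-case brute-force figures for one password. This is an upper bound:
    a password built from dictionary words or keyboard patterns falls to a
    dictionary or rule-based attack long before the space is exhausted."""
    charset = charset_size(password)
    seconds = worst_case_seconds(charset, len(password))
    return {
        "length": len(password),
        "charset": charset,
        "entropy_bits": round(entropy_bits(charset, len(password)), 1),
        "hours": seconds / SECONDS_PER_HOUR,
        "years": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed sample passwords for illustration, not real credentials.
    for pw in ("Passw0rd", "Tr0ub4dor&3", "Mz7#qLp2@vX9!rK"):
        rep = crack_time_report(pw)
        print(f"{pw!r:20} len={rep['length']:2} charset={rep['charset']:2} "
              f"{rep['entropy_bits']:5.1f} bits  "
              f"worst case {rep['hours']:.1e} h = {rep['years']:.1e} years")
```

Running it shows the article's 8-character, all-classes password exhausted in just over five hours at that rate, while the 15-character version takes on the order of ten billion years; the report is only an upper bound, since anything a dictionary or rule-based attack can reach falls much sooner.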

    The anatomy of a strong password

    Now that we understand how cracking works, we can create passwords specially designed to resist these techniques. Note that when it comes to phishing, the composition of your password is irrelevant. It’s on you to stay vigilant against phishing attempts.

    With regard to brute force or dictionary attacks, we’ve identified three best practices to give you stronger password ideas. Follow these rules when updating your passwords to enjoy far greater protection against cracking.

    Avoid simple passwords

    Don’t use obvious or typical password ideas. Here’s a short list of password types to avoid:

    • A sequential list of numbers or letters, like “abcde” or “12345.”

    • A password that contains all or part of your username.

    • Any personal info, such as your birthday or the town you grew up in.

    • A string of repeated characters, like “aaaaa” or “0000.”

    • The word “password.” Believe it or not, people still do this.

    Leave personal info out of your password. Thanks to social media, hackers can easily collect basic info about anyone, and they’ll use everything they can find in their cracking attempts.

    Make it brute force-proof

    As explained above, brute force attacks run through one combination of characters after another until finally generating the one you selected as your password. Here’s how to counter this technique with better password ideas:

    • 15 to 20 characters or more. Length is your best defense. Each additional character in your password massively increases its potential combinations, which in turn greatly prolongs the amount of time needed to brute force your password.

    • Use multiple character types. There’s a reason more and more organizations are requiring passwords made with both uppercase and lowercase letters as well as symbols and numbers. When you include all character types, you maximize the amount of possibilities per character, which makes your password harder to crack.

    • Avoid common character substitutions. Hackers program their cracking software to account for typical character swaps, like “0” instead of “O.” “410|\|3” is as easy to crack as “ALONE,” and so 1337ing it up isn’t going to cut it anymore.

    • Go beyond QWERTY. Memorable keyboard paths like qwerty or asdf are no harder to crack than regular words. A password that relies on one of these is far from secure.
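The two lists above (“Avoid simple passwords” and “Make it brute force-proof”) can be turned into an automated check. The following is an added example, not Avast code: a small policy validator that flags each pattern the lists name, including undoing common substitutions so that “410|\|3” is recognised as “ALONE”. The blocklist, the substitution table and the 15-character minimum are assumptions chosen for illustration; a real deployment would check against a large list of breached and common passwords.

```python
import re

# Very small constructed blocklist standing in for a real list of common and
# dictionary passwords (real deployments use lists of millions of entries).
BLOCKLIST = {"password", "alone", "letmein", "welcome", "dragon", "monkey", "football"}

# Substitutions a rule-based cracker tries routinely, so they add no strength.
# Multi-character swaps go first so "|\|" is undone before "|" could be touched.
LEET_MAP = [("|\\|", "n"), ("|)", "d"), ("|<", "k"), ("4", "a"), ("@", "a"),
            ("8", "b"), ("3", "e"), ("1", "l"), ("!", "i"), ("0", "o"),
            ("$", "s"), ("5", "s"), ("7", "t"), ("+", "t")]

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 15       # the article's "15 to 20 characters or more"
PATTERN_LEN = 4       # shortest run treated as a pattern


def undo_leet(password: str) -> str:
    """Map common substitutions back to letters, e.g. '410|\\|3' -> 'alone'."""
    text = password.lower()
    for src, dst in LEET_MAP:
        text = text.replace(src, dst)
    return text


def has_sequence(text: str, n: int = PATTERN_LEN) -> bool:
    """True if `text` contains n characters stepping up or down by one
    codepoint ('abcd', '4321', 'wxyz')."""
    text = text.lower()
    for i in range(len(text) - n + 1):
        window = text[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(text: str, n: int = PATTERN_LEN) -> bool:
    """True if n consecutive characters follow a keyboard row in either direction."""
    text = text.lower()
    for i in range(len(text) - n + 1):
        window = text[i:i + n]
        for row in KEYBOARD_ROWS:
            if window in row or window in row[::-1]:
                return True
    return False


def normalized_forms(password: str) -> set:
    """Candidate 'core' words: substitutions undone and non-letter padding
    stripped, in both orders, so 'P@ssw0rd123!' and '410|\\|3' both reduce."""
    lowered = password.lower()
    strip = lambda s: re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return {strip(undo_leet(lowered)), undo_leet(strip(lowered))}


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy findings; an empty list means the password
    passes every rule the article lists."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if username:
        # the whole username or any 4+ letter fragment of it, e.g. 'jane' from 'jane.doe'
        fragments = [username] + [f for f in re.split(r"[^a-z]+", username.lower()) if len(f) >= 4]
        if any(f.lower() in password.lower() for f in fragments):
            findings.append("contains all or part of the username")
    if has_sequence(password):
        findings.append("contains a sequential run such as 'abcd' or '1234'")
    if re.search(r"(.)\1{3,}", password):
        findings.append("contains a repeated character run such as 'aaaa'")
    if has_keyboard_walk(password):
        findings.append("contains a keyboard walk such as 'qwer' or 'asdf'")
    hits = BLOCKLIST & normalized_forms(password)
    if hits:
        findings.append(f"is a blocklisted word once substitutions are undone ({sorted(hits)[0]!r})")
    return findings


def is_acceptable(password: str, username: str = "") -> bool:
    return not check_password(password, username)
```

The substitution table is deliberately applied only for matching, never for scoring: a password that survives `undo_leet` unchanged gets no credit for the swaps, which is the article's point that “1337ing it up” adds nothing a cracker does not already try.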

    Use passphrases

    You can stump dictionary attacks by taking your passwords further than single, easy-to-guess words. Chain multiple words together to create extra-long passphrases that are highly resistant to both dictionary attacks and standard brute force attempts.

    When creating a passphrase, make sure the words in it have no obvious connection to each other. Password cracking software can guess related words, but random words will stump it.

    Protect your accounts with strong passphrases.

    The best password methods (and strong password examples)

    At Avast, we know a thing or two about cybersecurity. After years of experience, we know what makes certain passwords harder to crack than others, and we know the best way to create them.

    Below are several of our favorite password creation methods. Use them to stump any hacker who comes your way, whether you’re updating your login credentials online or password-protecting important files and folders on your PC.

    The obscure passphrase method

    This technique takes the passphrase approach and elevates it a few security notches. Outsmart hackers by choosing uncommon words such as proper nouns, historical figures, archaic words, or even words in multiple languages.

    Help yourself remember your new passphrase by building a story out of the words you choose. Think of something you won’t forget, so you won’t have to recover your lost passwords. To make your password even stronger, add characters (other than underscores) between the words. You can also replace letters with characters, but avoid common substitutions.

    Consider the following passphrase: SunTzu-cheesesteak-transistor-Christmas-obrigado. Perhaps the great military strategist Sun Tzu had such a penchant for cheesesteak sandwiches, he received a transistor-powered cheesesteak maker for Christmas — for which he expressed his thanks in Portuguese.
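People tend to pick words that relate to each other, so the genuinely random words a passphrase needs are best drawn by a program. This added example (not Avast's password generator) picks words with Python's `secrets` module, puts a randomly chosen non-underscore separator in each gap as suggested above, and reports the resulting entropy. The word list is a constructed toy list so the code runs offline; the 7776-word figure refers to the EFF long word list.

```python
import math
import secrets

# Constructed sample list so the example runs offline. A real list such as the
# EFF long word list has 7776 entries, giving log2(7776) = 12.9 bits per word.
SAMPLE_WORDS = [
    "obrigado", "transistor", "cheesesteak", "archipelago", "quixotic", "zeppelin",
    "marmalade", "sextant", "bravado", "lichen", "tundra", "kowtow",
    "gargoyle", "vellum", "saffron", "ziggurat",
]
# Separators to put between words; the article advises against underscores.
SEPARATORS = "-.:;!?%&*+=/#"


def generate_passphrase(words, count=5, separators=SEPARATORS):
    """Pick `count` words uniformly at random with the OS CSPRNG (secrets, not
    the predictable random module) and join them with an independently chosen
    separator in every gap. Returns the passphrase and the chosen words."""
    if count < 1 or len(words) < 2:
        raise ValueError("need at least one word to choose and two to choose from")
    chosen = [secrets.choice(words) for _ in range(count)]
    parts = [chosen[0]]
    for word in chosen[1:]:
        parts.append(secrets.choice(separators))
        parts.append(word)
    return "".join(parts), chosen


def passphrase_entropy_bits(wordlist_size, count, separator_choices=1):
    """Bits of entropy of a passphrase built this way: each word contributes
    log2(list size), each of the count-1 separators log2(choices)."""
    return count * math.log2(wordlist_size) + (count - 1) * math.log2(separator_choices)


def words_needed(wordlist_size, target_bits):
    """Smallest number of words from a list of this size that reaches
    target_bits (separators not counted, so this is conservative)."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase, chosen = generate_passphrase(SAMPLE_WORDS, 5)
    print(phrase)
    print("toy list, 5 words: %.1f bits" % passphrase_entropy_bits(len(SAMPLE_WORDS), 5, len(SEPARATORS)))
    print("7776-word list, 5 words: %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("words from a 7776-word list for 80 bits:", words_needed(7776, 80))
```

The entropy comes entirely from the list size and the number of words, not from how exotic the words look, which is why the toy 16-word list above yields a weak passphrase however many separators it uses and a real 7776-word list reaches 80 bits at seven words.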

    The sentence method

    Created by cybersecurity expert Bruce Schneier, the sentence method transforms a sentence into a password using a given rule that you create. For example, you might pull the first two letters from each word in your sentence, then string them together for your password.

    “Nebraska is hands-down my favorite Bruce Springsteen album” then becomes Neisha-domyfaBrSpal. Note how we’ve made sure to pick a sentence that includes punctuation as well as multiple uppercase letters, just for a little added safety.
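The rule above can be written down as code, which also makes it easy to confirm that it reproduces the article's example exactly. This is an added example, neither Bruce Schneier's nor Avast's code; the `sentence_method` function name and its `letters_per_word` parameter are assumptions of this example.

```python
def sentence_method(sentence: str, letters_per_word: int = 2) -> str:
    """Apply the article's rule: keep the first `letters_per_word` letters of
    every word, keep punctuation as it appears (a hyphen starts a fresh word
    part, so 'hands-down' gives 'ha-do'), drop everything else."""
    out = []
    for token in sentence.split():
        kept, letters_seen = [], 0
        for ch in token:
            if ch.isalpha():
                if letters_seen < letters_per_word:
                    kept.append(ch)
                letters_seen += 1
            else:
                kept.append(ch)        # punctuation survives, including hyphens
                if ch == "-":
                    letters_seen = 0   # each part of a hyphenated word contributes its own letters
        out.append("".join(kept))
    return "".join(out)


if __name__ == "__main__":
    sentence = "Nebraska is hands-down my favorite Bruce Springsteen album"
    print(sentence_method(sentence))                      # Neisha-domyfaBrSpal
    print(sentence_method(sentence, letters_per_word=3))  # Nebishan-dowmyfavBruSpralb
```

The strength of this method lies in the sentence, not the rule: the sentence must be one nobody else would write, because a cracker who guesses a famous quotation can apply every obvious rule to it in milliseconds.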

    The muscle memory method

    Here, it’s not the content of your password so much as the act of inputting it that makes it highly memorable. Use Avast’s Random Password Generator to create random passwords until you get one that you feel comfortable typing. If it’s one that you can read and memorize with relative ease, that’s even better.

    Using Avast Random Password Generator to create secure passwords

    Once you get a password you like, practice typing it until it becomes routine. Next time you log in, your fingers will already know what to do.

    Now that you’ve got your beautiful, strong new passwords, let’s make sure they stay private.

    Lock down your email

    Your first step is to make sure that your email hasn’t been breached. Use Avast Hack Check to see if any of your passwords have leaked — if they have, you’ll want to change them immediately. If you use your email address to log into these platforms, change your email password as well.

    Using Avast Hack Check to see if your email password has leaked

    Avast BreachGuard scans the dark web to detect your personal data in the event of a leak. Data breaches happen all the time, with the stolen data often put up for sale to other cybercriminals on the black market. If and when BreachGuard detects your data, it'll alert you immediately so you can take action ASAP to change your passwords and secure your accounts.

    Be careful who you trust

    It’s become standard practice for websites to store their users’ passwords only in encrypted (hashed) form, so that even if hackers manage to breach their databases, they’ll still need to crack the stolen data before they can use it. Any website still storing passwords as plain text has no business operating on today’s internet.

    The same goes for the use of HTTPS. Don’t input any login credentials or sensitive personal information into a website that’s still using plain old HTTP. If you must create an account at a site using HTTP, do so with a unique password — one that you aren’t using anywhere else.

    Two-factor authentication

    Now standard as a security practice, two-factor authentication (2FA) and its expanded cousin multi-factor authentication (MFA) add additional layers of protection to your login. Should a hacker obtain your password, they’ll still need to overcome at least one more obstacle before gaining entry. 

    Common authentication measures include codes sent via SMS, a mobile authentication app, a fingerprint or face scan, or a physical token. But since hackers can spoof or intercept text messages, as evidenced by a 2018 Reddit hack, we don’t recommend text messages as your 2FA method of choice.

    Security keys and the FIDO alliance

    Physical security keys are among the most secure MFA methods. They’re available in USB, NFC and Bluetooth versions, granting access only to the bearer of the key. In this way, they’re much more secure than SMS verification — so long as you don’t lose your key.

    The FIDO Alliance is an industry group dedicated to developing and standardizing MFA technology. Use services that support FIDO authentication, such as Google, PayPal, and Amazon, for the strongest login protection.

    Password security tips

    Include these password security best practices into your daily routine to upgrade your login security:

    • Use a VPN while on unsecured Wi-Fi networks, such as free public Wi-Fi at an airport or in a cafe. Using a VPN will prevent any eavesdroppers from intercepting your login credentials.

    • Don’t communicate your password in plain text. Never email or text anyone your password.

    • Choose hard-to-guess security questions when creating new accounts. There’s a lot of information about you on the internet. When selecting security-verification questions, don’t pick options that have easily-searchable answers.

    • Change your passwords regularly. Even if a hacker manages to get their hands on your credentials, they won’t be able to use them if you’ve updated your password since then.

    • Don’t store passwords in your browser. Should someone get ahold of your device, you’ll have left the door wide open for them. Any passwords saved in your browser are potential points of entry — and always use a secure browser.

    • Use a strong antivirus program. If the worst happens, and a hacker obtains your password, the best antivirus software will keep you protected against intrusions and malware.

    • Use a password manager. If you’re creating unique passwords for every account, you can store them safely with a trustworthy password manager. Securely store your passwords while protecting your devices and personal data with the built-in password manager in Avast’s premium security software.

    By following the advice listed above, you’ll make yourself a much tougher target for any would-be cybercriminal. Always protect yourself and your information behind strong, unique, and hard-to-crack passwords.

    Protect your accounts with Avast BreachGuard

    Even the strongest passwords can’t help you if one of your accounts is compromised in a data breach. Cybercriminals often post stolen data for sale on the dark web — but Avast BreachGuard continually scans the internet to detect your data if and when it’s exposed after a leak.

    Keep your accounts safe with strong, unique, and hard-to-crack passwords — then keep them even safer with Avast BreachGuard. 
