How Long and Complex Should Your Passwords Be

As we continue to rely on the internet more, most people have dozens of accounts—for social media, productivity tools, email, and more. Each account needs a username and password to securely give you access. However, if someone guesses or gains access to your username and password, they can easily get into your account and see all your private information.

That’s why it’s so important to be careful with the passwords you choose to use for your online accounts. Today, we’ll go over why having strong, complex passwords is a must for all your accounts. We’ll also cover some best practices to keep in mind when creating passwords for your accounts. I’ll begin by explaining the methods attackers use to guess their targets’ passwords.

How attackers guess passwords 

To access your account, attackers usually need your username (or email) and your password. On many platforms, like social media, usernames are public, so attackers don’t have to work hard to find them. This makes your password the main line of defense for keeping your account safe.

The most common way attackers try to guess passwords is through “brute-force attacks.” 

In these attacks, hackers try different passwords over and over until they find the correct one for the target user account. In the past, this might have been done manually, but now attackers use advanced software and powerful computers to automate the process, making it much faster. However, the ease of a brute-force attack depends on how complex your password is. Simple passwords are guessed quickly, while complex passwords make brute-force attacks much harder to pull off.

For example, if your password is 8 characters long and only uses lowercase letters, the software only has to try about 208 billion combinations to guess it. With a high-powered GPU, this can take just a few seconds. If your password uses only numbers, the software can guess it even faster because there are only 100 million possible combinations.

What’s interesting is that adding different types of characters to your password makes it much harder for the software to guess. For instance, if you mix numbers with lowercase letters in an 8-character password, it would create 2.8 trillion possible combinations. This would take the software significantly longer to crack.

If you add both uppercase and lowercase letters, along with numbers, the possible combinations rise to 218 trillion, making the password even harder to guess. And if you add special characters too, the number of possible combinations increases to 722 trillion, meaning the time needed to guess your password becomes extremely long, making it far more secure.

Passwords Longer than 8 Characters

Most platforms now require passwords to be at least 8 characters long, and they also recommend using a mix of character types (uppercase, lowercase, numbers, and special symbols). But you can make your account even more secure by choosing a longer password. Security experts suggest using at least 12 characters.

Increasing the length of a password doesn’t make it just a little harder to guess; it makes it exponentially harder. For example, going from 8 to 12 characters isn’t just a 50% increase in length; it increases the complexity by over 330,000% (from 722 trillion combinations to 19.4 quintillion (1.9408409962×10²²) combinations when using a full mix of character types). A password like this would take the average computer millions of years to guess.
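To make the arithmetic behind these figures reproducible, here is an added Python example (not from the original post) that computes the keyspace for a given character mix and length, and the worst-case time to exhaust it at an assumed guess rate. The post's 722 trillion figure for 8 characters equals 72^8, so the example assumes a 10-symbol special-character set; the 10 billion guesses per second rate is also an assumption.

```python
import string

# Character classes behind the article's arithmetic. Its "722 trillion" for
# 8 characters equals 72**8, so it implicitly counts 10 special characters;
# the exact 10-symbol set below is an assumption, not something the page states.
LOWER = set(string.ascii_lowercase)   # 26
UPPER = set(string.ascii_uppercase)   # 26
DIGITS = set(string.digits)           # 10
SPECIAL = set("!@#$%^&*()")           # 10 (assumed)
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)

# Assumed guess rate for a fast GPU: a constructed figure, not from the page.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Alphabet a brute-force tool must cover: every class the password draws from."""
    unknown = [c for c in password if not any(c in cls for cls in CLASSES)]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))

def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must try for this alphabet and length."""
    return alphabet ** length

def worst_case_seconds(space: int, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to exhaust the keyspace; on average the password falls in half that."""
    return space / rate

def estimate(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Keyspace and worst-case search time from length and class mix alone."""
    alpha = alphabet_size(password)
    space = keyspace(alpha, len(password))
    secs = worst_case_seconds(space, rate)
    return {"length": len(password), "alphabet": alpha, "keyspace": space,
            "worst_case_seconds": secs, "worst_case_years": secs / SECONDS_PER_YEAR}

if __name__ == "__main__":
    # Constructed sample passwords covering the article's 8- and 12-character cases.
    for pw in ("abcdefgh", "12345678", "abc12345", "Abc12345", "Abc1234!", "Abc1234!Xyz9"):
        r = estimate(pw)
        print(f"{pw:13} alphabet={r['alphabet']:2} keyspace={r['keyspace']:.3e} "
              f"worst case={r['worst_case_years']:.3g} years")
```

The model only counts length and character classes, so a dictionary word with a digit appended scores the same as a random string; that is exactly why the post warns against guessable terms.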

While you can keep adding characters for even greater security, it’s also essential to pick a password you can remember and to avoid reusing it across accounts. This is where a password manager can be helpful. A password manager stores and organizes complex passwords securely, so you can use a unique, long password for each account without having to memorize them all.

Let’s Talk Password Managers

If you have dozens or even hundreds of online accounts (like I do), it’s almost impossible to create different complex passwords for all of them and remember them. However, with a password manager, you can store all your passwords in one place, and all you need to remember is the password for your password manager. 

The only downside to this approach is that if hackers gain access to your password manager’s password, they will have access to all your passwords. To minimize this risk, it’s best to create a very complex password for your password manager and also ensure you use multi-factor authentication to add an extra layer of security.

So, which password managers do I recommend?

For most people, I recommend using the password manager that is already built into your device’s operating system. For instance, if you mainly use Apple devices like the iPhone and Mac, the Apple Passwords app will work well for you. Google also has a Passwords app for Android, and Microsoft has Credential Manager for Windows.

However, for users who use devices from different ecosystems, a third-party password manager is the way to go. Your experience will be much better, as these apps can be installed on any platform and as browser extensions to automatically fill in passwords when you visit your online accounts. 

Third-party password managers also offer extra features like customizable vaults, advanced security tools (such as Travel Mode and Watchtower), seamless password sharing for collaboration, and more. Some of the best third-party password managers include 1Password, Dashlane, NordPass, and others.

Other Password Best Practices

In addition to using complex passwords and having different passwords for your accounts, here are some other password management best practices you should follow: 

  • Avoid using common terms that an attacker can easily guess: Using easily guessed terms, like “password,” your name, or “123456,” makes it simple for attackers to break into your accounts. 
  • Use multi-factor authentication (MFA) for all platforms that support it: MFA adds an extra layer of security by requiring more than just your password to access your account. This usually involves a second step, like a code sent to your authenticator app or a fingerprint scan, making it much harder for attackers to gain access to your account even if they’re able to guess your password. 
  • Consider using passkeys for platforms that support them: Passkeys are a newer authentication method that aims to replace traditional passwords. With passkeys, you don’t need to remember or type a password; instead, you unlock them with your device’s biometric features, like a fingerprint or facial recognition. When you create an account on a platform that supports passkeys, a private key is generated and stored on your device or in your password manager, while the matching public key is stored by the website. Whenever you sign in, the website checks that your device holds the private key matching its stored public key, so no password is ever needed.
