Skip to main content

10 ways to make your passwords secure

Fingers on keyboard
Don't make it easy for hackers
Audio player loading…

Weak passwords are a huge security risk to a business, as the only thing there to prevent hackers accessing many online services. To minimise the chances of hackers accessing your online accounts it's vital to choose a strong password - particularly if the accounts contain confidential information.

As a rule of thumb, a weak password is short and uses eight or fewer lower case letters. A strong password is at least eleven characters long, and contains upper and lower case letters, numbers, and special characters like * or &.

To get an idea of the difference in security, let's assume a hacker gang with a fast computer can make 100 billion attempts per second to guess your password. Here's how long it might take:

  • A short password made up of six random lower case letters - a fraction of a second
  • A long password made up of 11 random lower case letters - 11 hours
  • A long password made up of 11 random lower and upper case letters - two and a half years
  • A long password made up of 11 random lower and upper case letters, numbers and special characters - 500 years

Best methods

Bearing that in mind, here are 10 tips for choosing and using secure passwords.

1. Don't use personal information as a password. Many people use the name of a pet or child, but if a hacker knows you - or can find out this information from a source like Facebook - it will likely be their first guess.

2. Don't use common passwords - security company Sophos provides a list of 50 popular ones that hackers are bound to try. The most common ones include "123456", "password", and "qwerty".

3. Don't use any single word or pair of words that appear in the dictionary. That's because hackers can use software that can test every word in a dictionary in very short amount of time . And don't be fooled that common substitutions, such as a "5" for an "s" (e.g. pa55word), make a difference - hackers and their software are wise to this.

4. Do use a long password. 11 or 12 characters is probably sufficient, although the SANS Institute, a security research organisation, recommends at least 15.

5. Use a password drawn from a pool of as many characters as possible to protect the most sensitive accounts. That means using at least one upper case letter, lower case letter, digit and special character (although not all websites allow special characters.)

6. One way to create a long password that's easy to remember is to use a whole phrase as a password - something like "WhoDaresWins". Another is to use the first letters of the words in a longer phrase - perhaps capitalising every other letter. For example "God save our gracious queen long live our noble queen" would produce " GsOgQlLoNq ".

7. The longer and more complex your passwords, all else being equal, the better. So you can make them more secure by choosing a simple sequence of three or four characters, like "B52" or "M&S" and adding them to the end of all your passwords, e.g. WhoDaresWinsB52 and GsOgQlLoNqB52.

8. Changing passwords regularly can make them difficult to remember but it's sensible to change them occasionally. An easy way to do this is to add the year to the beginning or end of your passwords - e.g. WhoDaresWinsB522013 and GsOgQlLoNqB522013 - and update them annually. This has the advantage of adding length and complexity, and it's also easy to remember how old the password is.

9. If you have too many passwords to remember them all easily, consider using a password manager program such as LastPass (opens in new tab) or RoboForm. These encrypt and store your passwords securely, and enter them automatically when you supply one master password - which you still have to remember.

10. To get an idea of how much security a given password provides, check it at Gibson Research's tester. But remember, if your computer is infected with a keylogger then a hacker could still get hold of any password you type in, no matter how secure. For that reason it is important to use different passwords for different sites.