Creating strong passwords: your 2024 guide on how to set up passwords that will keep you safe

In what’s now a year-end tradition, NordPass has recently published its list of the 200 most used passwords. As always, there’s good news and there’s bad news. The good news is that last year’s top choice, “password,” has been dethroned and now “only” holds seventh place. The bad news is… pretty much everything else.

For the fourth time since the study was first released in 2019, “123456” came out as the most popular password worldwide, followed by “admin,” “12345678,” and “123456789.” On a lighter note, a round of applause is also due to the nearly 1,400 UK users whose idea of creating strong passwords was to show off their team pride, opting for some true headscratchers like “liverpool,” “arsenal,” and “chelsea.”

Why is this glaring lack of hard-to-crack passwords such a problem? How to create strong passwords that are both memorable and can stand up to a potential cyberattack? What are the most common mistakes people make when trying to come up with a difficult password? This is what we’ll look into this week, as well as key tips and tools for strong password creation with examples.

Phishing, data leakage, and more: top IT security risks posed by poor password hygiene

In an era of rapid digital transformation, strong passwords often serve as the first line of defense against cybersecurity threats. They’re also a hot commodity among cybercriminals, with 18% of the most common items for sale on the dark web including online accounts, emails, and passwords, NordVPN concluded based on 22,000 listings. In fact, Verizon says, 86% of all web app attacks use stolen credentials for initial access.

One of the key reasons behind this trend might be that sophisticated hacking techniques are becoming more commonplace. Hackers increasingly have access to algorithms that can crack simple passwords in a matter of seconds. Complex passwords containing a minimum of 12 characters, however, can significantly slow down or even deter these hacking attempts.

A 2023 study found that an 8-character password, even if it’s complex, could be figured out in just five minutes using the latest graphics processing and AI technology. An 18-character password consisting of nothing but numbers would require six days to crack. A password of the same length and with only lowercase letters in it would take 481,000 years to work out.

Also, let’s not forget that businesses often hold not just their own sensitive data, but also that of their customers. If a breach occurs, the company’s profitability and reputation might not be the only thing put on the line – so can be the personal and financial security of countless individuals. Add the hefty fines of non-compliance with data protection laws to the mix, and it’s easy to see how far-reaching the consequences of one poorly chosen password can be.

What makes a password strong? Definition and key characteristics

In essence, a secure password is a unique string of characters that’s hard to guess. It should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. However, it shouldn’t contain obvious personal information or common words.

How to make a good password that passes security checks? Make sure that:

• it’s at least 12 characters long, but the longer the better (see above);
• it combines lowercase and uppercase letters, numbers and special characters;
• it doesn’t contain any personal information, such as name or date of birth;
• it’s not used to log in to any of your other personal or work accounts; and
• it doesn’t include common keyboard paths, such as “qwerty” or “asdfgh.”

How to create a secure password? Tips and best practices with examples

Need inspiration to create a password that’s easy to remember but near-impossible to crack? Follow our step-by-step guide on how to choose a strong password.

1. Length matters - Start with a minimum of 12 characters. The longer your password, the harder it is for a hacker to crack it. Better yet, instead of using a password like “BowWow”, consider a lengthier passphrase such as “BowWowLovesBones”.
2. Mix it up - Use a variety of characters – uppercase and lowercase letters, numbers, and symbols to make your password even more secure. For example, you can change the above string to “BowWowLovesBone$2020”.
3. Avoid obvious choices - Never use personally identifiable information, such as your name, birthday, or pet name. Cybercriminals can often find these details online and use it to work out your password. Be creative and choose something unexpected.
4. Steer clear of common words - Stay clear of dictionary words, as there are programs that can quickly run through common words and phrases. For example, you can replace “loves” with a less used synonym and choose “BowWowAdore$Bone$2020.”
5. Include shortcut codes and acronyms - Use shortcut codes and acronyms related to a phrase or sentence that you can easily remember. For example, you can transform “BowWowAdore$Bone$2020” into something along the lines of “BWA$B$2()2().”
6. Pull up a password generator - Still no luck? LastPass, Avast, NordPass, and several other password managers offer freely available online tools for generating passwords of varying length, makeup, and complexity, including easy-to-say and easy-to-read options.

Mistakes you don’t want to make when creating a strong password – with examples

Now that we’ve covered some of the best ways to create a password, let’s have a look at some of the worst ones.

1. Reusing passwords - Reusing the same password across multiple platforms is a rookie mistake. And can be a costly one at that: according to LastPass, employees reuse passwords an average of 13 times, leaving all associated accounts, work or private, vulnerable if one is compromised.
2. Keeping passwords short - People often choose shorter passwords because they’re easier to remember. That might be true, but they’re also more susceptible to brute-force attacks. Aim for a password length of at least 12 characters. For your most important accounts, like online banking, go for 14 or 16.
3. Using personal information - Never use personally identifiable information such as the name of your spouse, kids – or your favorite soccer team – as passwords. This information can be easily figured out by hackers (or anyone with access to social media, for that matter), making your accounts an easy target.
4. Missing out on two-factor authentication - Two-factor authentication requires users to provide two distinct forms of identification to access a website or application, which many see as an unnecessary hassle. However, this extra layer of security can significantly decrease the possibility of password compromise.
5. Not changing passwords regularly - Having the same password for years is risky. Regularly updating your passwords not only makes it more difficult for cybercriminals to gain access to your accounts, but it also limits the amount of time they can spend in it, along with the amount of damage they can cause.

Strong, unique passwords: why they’re a business imperative in the digital age

Due to the potential risks and consequences associated with security breaches, no company can afford to ignore the importance of securing passwords. Weak or compromised credentials can serve as an easy entry point for cybercriminals, giving them access to sensitive company data from financial information through customer records to trade secrets. The theft or misuse of such data can result in significant financial loss and reputational damage.

With ever-tightening regulations around data protection, a breach could also lead to hefty fines and legal consequences. For example, under the California Consumer Privacy Act (CCPA), penalties of up to $7,500 per intentional violation might be imposed. On top of that, if a data breach leads to consumers exercising the private right of action granted under the CCPA, they might be awarded $100-$750 statutory damages or actual damages, whichever is greater.

Not to mention the potential havoc a data breach can wreak on companies’ business operations. A cyberattack can cause prolonged system downtime and service unavailability, halting critical activities and resulting in a loss of productivity and revenue. Cleaning up after a security incident also diverts resources away from core business operations, which can negatively impact a company’s growth and market competitiveness for years to come.

Finally, securing passwords is essential for maintaining trust with customers and business partners. After all, if a company can’t keep its own data safe, why would any of their stakeholders have faith in its ability to protect theirs? Such a loss of trust can have lingering effects long after operations are restored. In the finance, retail and healthcare space, for example, up to a third of consumers will stop doing business with a company after a breach.

How Tresorit keeps your data – and passwords – safe and reduces the risk of compromise

An end-to-end encrypted document productivity and digital trust platform, Tresorit uses zero-knowledge protocol to encrypt and keep your data safe. Zero-knowledge encryption is a method that makes it impossible even for your service provider to know anything about your encryption key or the data you’re processing or storing on its servers. Everything you have or do there, including your password, gets encrypted before it reaches our servers without the encryption key ever being revealed to us. Even better, your data is protected by zero-knowledge encryption no matter where you decide to access it.

Tresorit also allows users to turn on two-factor authentication (2FA) as an added layer of security to their accounts and systems. By requiring a secondary method of verification, 2FA significantly reduces the risk of unauthorized access, even if passwords are stolen or hacked. To enable the feature, head to your Profile page using Web Access, then go to security. Click “Enable” and follow the instructions. Once two-factor authentication is activated, every time you sign in, you will be asked to enter a randomly generated verification code sent to you via text, email, phone call, or a verification app.