How to create a good password 2023

We may earn a small fee from the companies mentioned in this post.

Almost every online service such as eBay, Hotmail, Facebook & Amazon require a static username and password as verification of your authenticity. 

Whilst other techniques continue to be developed, including multi-factor security that can offer greater security (discussed later), the humble password is still widely accepted across the world due to its simplistic approach and familiarity.

It is therefore imperative you know how to create a good password.

What does a good password look like? Well, it can be described as the minimum complexity to ensure it is as difficult as possible for any potential cybercriminal to crack it.

This article contains useful and constantly updated information that will help you understand the importance of using a strong password. It will show you how to develop a simple process to protect your online data.

If you wish to skip this information and jump to the ‘9 easy steps to create a good (secure) password’ – Click here

What is considered a secure password? To answer this question, you need to understand a little about how computers process a password and how the passwords are stored. When you type in a password, your computer verifies the specific characters you entered matches an internal list stored within the computer.

The process isn’t as simple as that described as it uses an encryption algorithm called a HASH to match what you type in plain text, to what is stored on the computer but the principle of checking what you enter on a keyboard against a known code is correct.

A computer will store a list of valid usernames and associated passwords for that system either locally or through a second computer system. This information is located within a database that can be referenced each time you log in that particular computer system.

As no computer system can be considered 100% secure, it is realistic to consider any computer can be hacked and therefore expose your username and passwords to cybercriminals.

To reduce this risk computers are designed to encrypt your passwords, so if a hacker gains unauthorised access to a computer and copies your credentials (username & password), the hacker will need to decrypt each password before they can compromise your account.

The complexity of a password can determine how long it takes a cybercriminal to decrypt or ‘crack’ an encrypted password. There are numerous methods used by cybercriminals to do this and it is important to have a basic understanding of these techniques, as they can help you chose an effective password that can make it difficult to ‘crack’.

Let’s imagine that one of your online email accounts such as Gmail has been compromised and your email address, which is stored unencrypted, copied along with its corresponding password that has been encrypted.

The cybercriminal will attempt to decrypt your password outside of the compromised Gmail computers, usually their own purpose build very powerful computers that can focus considerable processing power to decrypt your password as quick as possible.

Unlike your Gmail login, your compromised (copied) password won’t lock-out after 5 wrong attempts. The password lockout feature is embedded within the online application, not your password.

The cybercriminal therefore has unlimited attempts to crack your password. They will probably start with a ‘Dictionary attack’. This uses an extensive dictionary database of common passwords based on various languages and permutations.

The English language for example contains a vast number of words, the Oxford English Dictionary has more than 273,000 words, with around 171,476 in common use.

However, modern computing power using dedicated number crunching processors (developed for computer gaming purposes), are commonly used by cybercriminals as they can process up to 20 billion different passwords every second, using a pre-constructed dictionary list of words.

Dictionary Password Attack

Dictionary password attack methods leverage a vast array of dictionary words and permutations, these can include first character uppercase and numbers at the end of the password, usually in date format. If you think back to my cyber security seminars, I discussed common passwords that can be easily cracked as they contain common dictionary-based names, these include: Oliver2003$ or James2020!

To overcome dictionary attacks, The National Cyber Security Centre amongst others have advocated the use of three random dictionary words to create a strong password, as this is considered harder to crack.

However, whilst it is true that a 3-word dictionary password can be considered more complex, and therefore theoretically more time consuming to break, there are flaws within this approach.

As mentioned previously there are 171,476 currently used words within the English language, however an average English native speaker knows approximately 20,000 words, with a university educated person knowing around 40,000 words.

Therefore, using the advice issued by the National Cyber Security Centre to incorporate 3 random words to construct a password, this would produce around 5,000,000, 000,000,000 – or 5,000 trillion different combinations of 3-word passwords. This is based on the 171,476 known words within the Oxford English dictionary.

Whilst this sounds a huge number for any cybercriminal to successfully attack, remember a modern powerful gaming computer can process up to 20 billion passwords a second. It would therefore theoretically take a suitably equipped computer as little as 4 days to crack a 3-word password.

In reality however, a 3-word password based on the most common 20,000 words known by an average person being attacked by the same computer could theoretically crack the password in less than an hour using a suitably constructed dictionary list.

The calculations above are based on single case letters. Using an uppercase letter for the first character of each dictionary word unfortunately makes little difference as the attack method assumes each word of the 3-word password is uppercase, which has no noticeable impact as it can predict this.

To make things more difficult for the cybercriminal you may wish to insert some random numbers and special characters into your password, but again these can be predicted by an enhanced dictionary attack method.

You may also replace some characters such as 0 (zero) for an ‘O’ or ‘3’ for an ‘e’. Modern password cracking software is aware of these tricks and has incorporated this into its attack process with little delay to the time it takes to compromise your password.

As a rule, try to avoid adding dates at the end of your password as these can easily be predicted. When a cybercriminal attempts to crack your password, they will use tools that are designed to reduce the work of the password cracking process with dramatic effect.

For example, a cybercriminal will assume that your password’s first letter will be uppercase and the rest lowercase as this is easier for an average person to remember. The cybercriminal will also assume any numbers will be semi-predictable and be at the end of the password.

What do I mean by semi-predictable? – Well, a date, usually within the past 80 years, but more likely to be in the last 20 years as this would represent the birthday of a child, or a pet. The date may also be a well-known one, like the year West Ham won the World Cup for England in 1966. Steer away from known dates as these will be incorporated within hacking tools when attacking your passwords.

You may also be required to add a special character to increase the complexity of a password. This is generally a very good idea but not if it’s at the end of the password and always: ‘!’ or a ‘$’. This action is expected and will be incorporated into the cracking software.

Create a strong password examples

It is important you understand how to create a good password. For example, the password: BannanaWednesdayDog2009! – Can be considered strong but can be hacked within an acceptable timeframe. The first 3 words start with an upper-case character, this is followed by a recent date and an easy guessable special character. Using the same characters, a more complex version maybe:  bAnnAna&wEDesdaydOg8520

However, constructing these types of complex combinations can be incredibly difficult to remember as the brain is not designed to compute in this way.

Pass-Phrase Passwords

You may also consider a pass-phrase, which is based on a sentence or statement. I have advised many people to use this technique over the years with great effect. For example: FortuneFavoursTheBrave , HeWhoDaresWins or OutOfThePark.

Unfortunately using a well-known passphrase can now be considered little better than using a dictionary based password as cracking software has a vast database of common phrases that can be used against an encrypted password. In some cases passphrases can be compromised quicker than using three random dictionary words described earlier.

Password Manager – Vault

To effectively defend against a dictionary or a passphrase attack it is important to create a strong password, therefore forcing the attacker to use a brute force attack method as this can be very time consuming and potentially impractical.

A brute force attack attempts every possible permutation of every feasible character set when attacking an encrypted password. This method is by far the most difficult, time consuming and processor hungry way to attack your password and is usually the last resort for a cybercriminal.

The best passwords are those that are truly random in nature and cannot be guessed as they don’t conform to any language in any dictionary or phrase.

Unfortunately, truly effective complex random passwords are very difficult to remember which can be frustrating when you forget them. The easiest and most efficient way to remember these passwords is through the use of a password manager.

It is therefore important you consider using a good password generator, or password manager. A password manager or vault can create a randomly generated strong password, that is then encrypted and securely stored within the password manager application. Deploying a password manager removes the need to remember passwords so they ‘can’ be very complex and near impossible for cybercriminals to decrypt.

A password manager can provide access to your online accounts effortlessly, without ever remembering the underlying password for any of your accounts. It can also ensure you do not use the same password across multiple accounts, which represents one of the biggest online cyber security risks.

Consider the table below which uses current computing power to estimate how long it will take to crack a truly random non-dictionary or passphrase password.

For more information, please see 7 Best Password Managers article that evaluates the best marketing leading Password Manager on the market in 2023 / 24.

Multi-Factor Security

When accessing more sensitive systems, such as online banking or remotely connecting to work desktops, it is highly recommended you use some form of Two-Factor Authentication (2FA).

Incorporating 2FA means that even if your password is compromised, a cybercriminal still can’t access your online account without your secondary authentication method, which can be a one-time code that changes every 30 seconds.

There are 5 common factors when authenticating to a computer system:

1.     Something you know – Username, password

2.     Something you have – A device that produces a random passcode via a mobile phone or security device

3.     Something you are – Biometric (fingerprint, Iris or face recognition)

4.     Where you are – Geo-Location data

5.     Behaviour – Human behaviour patterns

Incorporating any two of more of these factors (multi-factor) is considered more secure than using a single factor method, such as username and password. Whenever possible you should consider using multi-factor security to access your most important online accounts.

Is your password Secure? – Jon Cosson YouTube channel

9 easy steps to create a good password

By following these easy to adopt methods you will significantly reduce the risk of your online accounts being hacked and your data compromised.

1. Do not use dictionary words as passwords

As an example, don’t use names of places such as London, NewYork or Paris etc. Do not use car names (Mercedes or Ferrari), or any item that would be listed within in dictionary

2. Do not use dates within your password

Avoid using guessable dates, such as the birthday or a child, a pet or a memorable date in history such as 1066, 1966, 1767, 1666, or recent years such as 1950 – 2023.

3. Do not use sequential number or letters within your password

Numbers such as 123456, 123 or even 78910 can easily be guessed by attackers or auto build into automated password cracking software. Using sequential letters should also be avoided such as abcdef, zxcvb or qwerty (the last two examples being found on your keyboard).

4. Use combinations of unrelated words into your password (or passphrase)

As a general rule the longer your password is and the more complex, the harder it is to crack by a hacker. Whilst it is true you shouldn’t use dictionary words, combining 3 or more dictionary words is good practice, as long as you include random numbers and special characters. This makes it much easier to create and remember whilst difficult for hackers to attack due to the sheer number of combinations of 3 random words.

For example: TelevisionDoctorFootball226699£$ is considered a strong password.

5. Use at least 12 characters in your passwords

The longer (and more complex) your password is the harder will be to crack, its as simple as that. Refer to the table that denotes the average time to break a password shown earlier in this article.

6. Do not reuse your password across multiple online accounts

One of the reasons so many accounts are hacked is due to individuals using the same password across multiple accounts. It is highly likely one of your accounts will get compromised at some point in the future. Hackers will often use compromised credentials across multiple online platforms as they know people use the same password multiple times. Never use the same password across multiple accounts, if you struggle remembering numerous passwords use a password manager (vault) to simplify things.

7. Never disclose your password to anyone

Absolutely never disclose your password to anyone. Remember banks, financial institutions or online businesses will never ask for your password. If they do it is highly likely that are fraudsters, however convincing they sound.

8. Use a Password Manager (Vault)

As mentioned previously it is difficult to remember numerous passwords. Using an industry recognised password manager (or vault) across all your devices will significantly reduce the risk of your online account being compromised.

There are numerous good quality Password Manager available – Click here to read my review of the best Password Managers

9. Use Multi-Factor (2-Factor) wherever possible

As mentioned previously deploying Multi-Factor can significantly reduce the risk of your account being hacked . Multi-Factor is something you know, have, are, or your location or how you login. Using 2 of these methods, usually something you know (password) and have (one-time code on your smart phone), can enhance your online security posture considerably.

Conclusion – How to create a good password

Whilst most people understand how to create a password, many fail to grasp the need to create a strong password, that is not used across different accounts.

Creating a good password is essential to protect your online accounts and personal data. A strong password should be at least 12 characters long, contain upper and lowercase letters, numbers, and symbols. It is also important not to use single dictionary words that can be easily cracked with hacking tools.

Avoid using information that can be easily guessed or obtained from public records such as birthdates, addresses, pet names, etc. It’s important to use different passwords for each of your online accounts so that if one account is compromised, the others remain secure.

Finally, make sure to change your passwords periodically to ensure maximum security. The use of Multi-Factor will provide an elevated level of security that makes it much more difficult to compromise.

Useful External Reference Sites

1. National Cyber Security Centre (NCSC)
   • Website: https://www.ncsc.gov.uk
   • Why it’s useful: The NCSC provides direct advice and support for the public and private sector in how to avoid computer security threats. Their guidance on password creation and management is grounded in the latest research and best practices.
2. Action Fraud
   • Website: https://www.actionfraud.police.uk
   • Why it’s useful: As the UK’s national reporting centre for fraud and cybercrime, Action Fraud offers advice on how to protect yourself online, including tips on creating strong passwords to prevent fraud.
3. Get Safe Online
   • Website: https://www.getsafeonline.org
   • Why it’s useful: This is a public / private sector partnership supported by the UK Government. It provides information on how to protect yourself, your computers, and mobiles device against fraud, identity theft, viruses, and many other problems encountered online, including advice on passwords.
4. Cyber Aware (formerly Cyber Streetwise)
   • Website: https://www.cyberaware.gov.uk
   • Why it’s useful: Cyber Aware is a government-backed campaign that offers advice on how to stay secure online, including creating strong passwords and protecting your devices.
5. Ofcom
   • Website: https://www.ofcom.org.uk
   • Why it’s useful: As the UK’s communications regulator, Ofcom offers guidance on securing your online presence, including the importance of strong passwords to protect your personal information.
6. Information Commissioner’s Office (ICO)
   • Website: https://ico.org.uk
   • Why it’s useful: The ICO is the UK’s independent authority set up to uphold information rights. Their site provides resources on data protection and has advice on creating secure passwords to help protect personal data.
7. Citizens Advice
   • Website: https://www.citizensadvice.org.uk
   • Why it’s useful: Citizens Advice offers practical, reliable information to help you solve your problems, including how to create strong passwords and keep your online accounts secure.
8. Which?
   • Website: https://www.which.co.uk
   • Why it’s useful: Which? provides consumer advice and product reviews. Their guides often include how to secure your online accounts with strong passwords as part of broader cybersecurity advice.
9. Money Advice Service
   • Website: https://www.moneyadviceservice.org.uk
   • Why it’s useful: While their primary focus is on financial advice, they also provide guidance on how to protect your financial information online, including the use of strong, secure passwords.
10. UK Safer Internet Centre
    • Website: https://www.saferinternet.org.uk
    • Why it’s useful: The UK Safer Internet Centre provides tips, advice, and resources to help people use technology safely and responsibly, including advice on password security.

Jon Cosson

Website | + posts

With over three decades of experience in the heart of London’s financial sector, I have dedicated my career to the pursuit of robust cybersecurity practices and IT leadership. As a Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Chief Information Security Officer (C|CISO), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI), I bring a wealth of knowledge and expertise to the table.

My journey in the field of cybersecurity has not only been about personal growth but also about sharing my insights with others. As an international speaker, I have had the privilege of addressing audiences worldwide, discussing the importance of cybersecurity in today’s digital age. My passion for knowledge sharing extends to my work as an author and blogger, where I delve into the complexities of cybersecurity, offering practical advice and thought leadership.

In my role as a CISO and Head of IT, I have overseen the development and implementation of comprehensive information security and IT strategies. My focus has always been on creating resilient systems capable of withstanding the evolving landscape of cyber threats.

My Master’s degree in Cybersecurity has provided a solid academic foundation, which, when combined with my practical experience, allows me to approach cybersecurity from a holistic perspective.

I am always open to connecting with other professionals in the field, sharing knowledge, and exploring new opportunities. Let’s secure the digital world together.

• Jon Cosson

  https://joncosson.com/author/jon-cossongmail-com

  QR Code Scams: How to Protect Yourself!
• Jon Cosson

  https://joncosson.com/author/jon-cossongmail-com

  LinkedIn Scams: A Guide to Spotting Fake Accounts
• Jon Cosson

  https://joncosson.com/author/jon-cossongmail-com

  Unmasking Phone Scams: How to Spot and Avoid Them
• Jon Cosson

  https://joncosson.com/author/jon-cossongmail-com

  Beware of Renew Driving Licence Scams: How to Avoid Online Fraud