How to Create a Secure Password: The Ultimate Guide

Safe Passwords

Passwords are a ubiquitous part of our digital lives, keeping everything from our social media accounts through to our online banking details safe from cybercriminals.

But exactly how effective is your password at keeping you and your valuable details secure?

The simple fact is that the average eight-character password, even ones containing uppercase and lowercase letters, numbers, and symbols, can be cracked in less than six hours with the right hardware setup.

A recent study by cybersecurity firm BitDefender revealed that around 75% of people use the same password on nearly all of their accounts. Once that password is cracked, the criminals now have access to every facet of your digital world. About time that we start protecting our personal information better. Below you can learn everything about passwords, including how to make ones that will actually protect you!

How Do You Protect Yourself?

Well, the first step is taking action to beef up your password security. The hardware rig used to crack passwords in six hours involved a costly cluster of 25 graphics processing units (GPU) capable of trying 350 billion password guesses per second.

It is very unlikely that your average cybercriminal will be bringing that level of sophistication to their attempts to crack your passwords. Instead, they will be looking to exploit easily guessable, single word passwords. Another tactic is simply trying to trick you into revealing your password.

A good way of remembering basic password security is that passwords are like your underpants. You should change them on a regular basis, you shouldn’t be sharing them, and you shouldn’t be leaving them around for the general public to see.

This might sound really, really obvious, but you’d be surprised how many people don’t even follow those basic rules (for their passwords, we make no comment on their underwear habits). The lack of effort most people put into creating a secure password resulted in Microsoft taking steps in 2016 to blacklist the most obvious passwords, like “password,” “god,” and “guest” in an effort to save people from themselves.

Remember, for 75% of people, if they use “password” for their email, they probably use it for their Facebook account, their LinkedIn, their virtual private networks (VPN), and a whole host of other things most of us don’t want a stranger poking around in.

So how do you create a secure password? In this article, we’ll look at how cybercriminals go about cracking your password and what you can do to make their job as hard as possible. We will explore how to generate a secure password and how to remember it without writing it down anywhere.

How Does a Password Get Hacked?

HackerThis might be a bitter pill to swallow, but most of us just aren’t important enough for hackers to invest a significant amount of time and effort into when it comes to cracking our personal passwords. It’s doubtful that any cybercriminal is going to invest thousands of dollars in building the rig needed to crack a well-built password without knowing there will be some return on their investment.

But that doesn’t mean you are safe!

Hackers have a number of tried and tested, low-effort, methods of obtaining your password without a significant investment. These techniques rely on people reusing passwords, using short and insecure passwords, and not observing the basic principles of internet security. Let’s take a look at some of the more common password cracking techniques and how you can safeguard against them.

Buying Passwords

The buying and selling of passwords through the dark web is a pretty lucrative business for cybercriminals. It usually starts with one group finding their way through a website or organization’s security and accessing the login details of their customers. In 2016, the details of 117 million LinkedIn users were put up for sale by hackers, and similar breaches have seen the details of the users from Twitter, Facebook, and even tech giant Sony, appear on the web.

Obviously, there isn’t much you can do about a website you use getting hacked, but you can take steps to minimize the fallout. Generally, you’ll be informed pretty quickly about the security breach and will be able to change your password for that one site. If you’ve done the sensible thing and not reused passwords, then the problem is solved.

If you are one of the 75% of people that BitDefender found were using shared passwords, you’ll have to start the long and painful process of changing every single one of your passwords and hoping that the hackers don’t get to anything vital before you’ve had the chance.

Brute Force Attack

A brute force attack uses a computer, or more often groups of computers, to systematically try groups of numbers, letters, and symbols in an attempt to guess your password. While there are rigs out there that are very effective at doing this, it’s more likely that hackers are just using a standard desktop with automated software to target people who still think “god” or “1234” are good enough passwords.

Any password under 9-12 characters in length is vulnerable to being cracked by a brute force attack, so if you want to make your password as safe as possible, length is the key. Want to know more about brute force attacks? You can read our full article “What is a Brute Force and How Can You Prevent It?”.

Dictionary Attack

A dictionary attack is very similar to a brute force attack except that instead of using a random combination of symbols, the automated software uses words in common usage as its guesses. The “dictionary” being used by the software can range in complexity from a standard English dictionary to one that includes film quotes, lists of commonly used passwords, or even personal information gathered about you from your social media accounts.

Dictionary attacks tend to be more effective than brute forcing a password for the simple reason that humans like patterns. We tend to make our passwords personalized so they will be easy to remember. A random selection of words, numbers, symbols, with random changes in case, will make it almost impossible for a dictionary attack to guess your password correctly.


Phishing Fishhook with PasswordRather than trying to guess your password, cybercriminals might employ a technique called “phishing” that uses social manipulation to trick you into giving up your password and login details freely.

This technique generally involves the hackers pretending to be a service provider, often a bank or credit card company, and contacting you by phone or email. They will inform you that something widely positive or negative has happened to your account, such as your money being stolen or you being owed a substantial refund. They then ask you to either login using a link provided in an email or give out security information over the phone before they can proceed.

While we are all aware of the clumsy “Nigerian Prince” email scams, the simple fact is that phishing has become a sophisticated and effective way of getting people’s personal details. Communications from cybercriminals have become sufficiently advanced that they are often indistinguishable from the real thing.

The best way to protect yourself from phishing scams is to be vigilant and skeptical. If you receive a suspicious phone call, offer to phone back on the usual number you use to contact that organization. No real company will have a problem with you calling them back. They also won’t ask you for your password, so ignore and delete any email that asks you to follow a link and then log in, no matter how official the email or web page looks.

How to Create a Strong Password

Now that we understand the techniques cybercriminals use to crack or obtain your password, there are steps you can take to create a password that is resistant to those methods.

Make Your Password Longer

Most brute force attacks rely on you having a short password that would not take a computer, running automated software, a significant amount of time to crack. The longer your password is, the less likely it is that a brute force attack will successfully guess it.

Most hackers won’t spend a considerable amount of time trying to guess one password, they are looking for low-hanging fruit and will likely move on if your password is taking too long to guess.

Make it More Complex

The more complex your password is, the less likely it is that any automated system will correctly guess it without spending an unfeasibly large amount of time on it. When creating a password, sprinkle it liberally with upper case letters, lower case letters, numbers, and symbols.

Try to make those additions as random as possible. Simply replacing an “a” with an “@” or adding an exclamation mark at the end of your password is a common technique that hackers will take into consideration when trying to access your accounts.

Make Sure it is Unique

You’d probably be happy to leave a spare key to your house with a trusted friend, but you’re probably not running around town handing one out whenever you buy something, right?

Well, if you are using the same password for every online account you hold, that is almost exactly what you are doing. Effectively handing over the digital keys to your entire online world to whoever guesses that one password. Making sure you have a unique password for each online account may not be convenient, but it is far more secure.

If you are unconvinced, try heading over to the Have I Been Pwned website. Run by security researcher Troy Hunt, the website searches for your email address amongst a list of over 5 billion accounts that have had their passwords stolen or listed online. There is also a function where you can check a potential or existing password to see if it has been listed online.

Change it Regularly

Remember what we said at the beginning of this article? Passwords are like underpants, you need to change them regularly. No system or password is entirely secure, so there is a good chance that at some point your login details for at least one of your accounts will be revealed online. The best way to ensure that your accounts remain secure is to change your passwords on a regular basis. Microsoft recommends that all your account passwords be changed every 72 days.


While a randomly generated string of words, numbers, and symbols might be a very secure password, it certainly isn’t easy to remember. A sufficiently random selection of words, on the other hand, is much easier for the human brain to remember and is just as secure.

Known as diceware because they can be generated by rolling five six-sided dice on a table of random words, using a passphrase results in a password that is long enough to foil a brute force attack and sophisticated enough to stop dictionary attacks.

A randomly generated diceware passphrase might look something like this:


If you are struggling to remember your randomly generated passphrases, you can use a well-known phrase, quote or song lyric and then replace one or more of the words. Ending up with something like:

Showmethepassivism or sayhellotomyoutboardoverlay

Non-random passphrases aren’t as secure as randomly generated ones, but even the most secure password isn’t of much use if you just cannot remember it. For more information on Diceware, paper tables, and a random passphrase generator head over to

How To Record Passwords Securely

Laptop With PasswordIt is entirely possible for you to be able to remember one or two randomly generated passphrases that change on a regular basis, but how many of us only have one or two accounts? A recent study from Microsoft indicated that the average person has between twelve and twenty-five online accounts, while a report from password management firm LastPass noted that the average business employee has 191 passwords to keep track of.

If writing down those passwords, either digitally or on paper, is a big no-no, then how are you supposed to remember that volume of random words that change on a regular basis? One option is to use a password manager.

Password Managers

Password managers create a heavily encrypted master database of all your passwords. This allows you to access them on your computer or carry them around with you on a flash drive. The database is accessed with a single “master password.”

The Pros

The benefit of using a password manager is that it takes a lot of the effort out of making sure your online world stays secure. The most up to date password management software can be set to update your passwords or passphrases on a regular basis. This provides you with a truly random set of passwords without you having to generate them yourself.

The Cons

Password managers are not without their downside, however. While the encryption of your password database does make it virtually impossible to break into, that does not mean it is entirely secure. Opening your database on a computer infected with malware, for instance, could mean your password list is vulnerable, so it’s important you only make use of it on systems that you trust.

Most password management programs do not keep an online backup of your password file for security reasons. This means if you lose or delete your copy then you’ll lose access to your accounts, so it’s best to keep a secure backup somewhere safe.

As your password database has one master password that allows you access, it’s hugely important that it is both secure and changed regularly. If you forget your password, you’ll be permanently locked out of your database.

Final Thoughts

As you can no doubt see from the surveys and research that we’ve quoted in this article, most people do not take the necessary steps to keep their passwords secure. Despite the growing threat of cybercrime, people continue to use short, generic passwords that are easily guessable by automated software.

If all that the hackers end up guessing is your Netflix password, then it’s not the end of the world. However, as we’ve mentioned, around three-quarters of us are happy to use the same password for Netflix as we do for our Paypal or Amazon accounts, putting our financial details at risk. Similarly, when shopping online, do follow some best practices for a safer shopping experience.

At a time when Microsoft has had to ban “password” as a password to save people from themselves, having a strong password keeps your online world far more secure than the vast majority of other people’s. Now that we understand more about how hackers go about cracking passwords, we can take steps to make their job as hard as possible.

A properly secure password is longer than the tradition 8-12 characters, ideally being 16 characters or more. This makes it hugely time-consuming for brute force attacks to guess your password and far more likely that the hackers will move on to someone with a shorter password.

Making your password complicated and random prevents dictionary attacks from guessing it. Even the most comprehensive dictionary can’t account for a truly random selection of letters, numbers, symbols, and cases.

If you are struggling to remember random strings of characters, then a five to eight-word Diceware passphrase might be more your style. You can randomly generate one or simply insert random words into well-known phrases or quotes to help you remember it.

If you are worried about the sheer number of passwords or passphrases you need to remember, then it might be worth investing in a password manager. They take a lot of strain out of staying safe online by providing you with a secure central database of all your passwords. Just don’t forget or delete the master password, or you’ll be spending a boring afternoon resetting all your accounts.

Tech journalist
Tove has been working for VPNoverview since 2017 as a journalist covering cybersecurity and privacy developments. She has broad experience developing rigorous VPN testing procedures and protocols for our VPN review section and has tested dozens of VPNs over the years.