Here’s what a strong password looks like—and it’s not what you think

We’re all familiar with those irritating password rules: Use special characters (but not ^ or $)! Use two capital letters! Use at least six letters and numbers (but not in these sequences)!

Given the threats, it’s understandable that sites try to force you to use more complicated passwords. Unfortunately, what many of us do in response is create “systems” that obey the rules while being easy to remember.

Those systems often involve personal information—name of dog, year of birth, exclamation mark at the end: Fido2011! The problem is that hackers can find your dog’s name on Instagram and try every variation you can imagine (Odif2011!) very quickly using software.

The key takeaway for stronger passwords in 2018 is that length and unpredictability are more important than wacky characters and other rules. Here are four tips for creating safer passwords:

• An unexpected four-word phrase—“SampleReductionEastPronounce”—is actually tougher to crack than any random 8-character password. Just don’t use “ILiveinMadison” or “MyDogsNameIsLulu.”
• Add special characters and capital letters, but don’t put them at the beginning or end.¹ And avoid !, by far the most common special character. If you use a four-word phrase, put special characters between words instead of spaces:
  Slide>Marigold>Rice>Easy.
• Check your password’s strength at the Carnegie Mellon password meter^{2, 3}, which analyzes your password against millions of known passwords and offers suggestions for making yours better⁴.
• Lie on security questions. Those personal details—mother’s maiden name, etc.—are frequently required when you reset a lost password. But the answers are often easy for anyone with access to your social media accounts to figure out. Make up fake answers you can remember or store somewhere secure.

Now that you know how to make strong passwords, this article will tell you when to change them. And this article looks at benefits and risks of using a password manager.