
5 Ways to Build Better Passwords

Be creative, change them regularly and store them safely


You can protect yourself from data breaches, hackers and scammers in loads of ways. But always use three basic tenets for the passwords that multiply with every site you visit.

• Don’t share them.

• Change them often.

• Don’t leave them lying around.

Beyond the basics, the real key to building and managing your passwords entails layers of security, a real pain point for those not so tech savvy.


If you’re used to writing down passwords on sticky notes, you’re not alone. About a third of people say they put their passwords on a piece of paper; 2 in 5 say they memorize them, according to a November 2022 online survey from nonprofit

A little more than 1 in 5 use the same few passwords for all their online activity, a huge mistake. If an app or website suffers a data breach, cybercriminals have access to all or a good portion of your accounts.

So, consider this a refresher on how to create a strong, secure password by building up its complexity to reduce the odds of your data or devices being compromised.

On occasion, you might share your password with a friend or relative so they can log into your video streaming service or check your email while you're on vacation. According to The Zebra, an Austin, Texas-based insurance comparison site, 79 percent of Americans say they share passwords with those outside the home, yet only 13 percent are concerned about identity theft.

1. Be random, not predictable

Password manager apps generate complicated passwords to log into online accounts, but only about 1 in 5 people use them, according to the survey. If you don’t want to use one, you have plenty of other ways to create unique and secure passwords and store your information safely.

Think of your password as the exact opposite of a game of Scrabble. Don’t use words in the dictionary.

Avoid names of your kids or pets. Steer clear of dates such as your birthday or anniversary, which are tempting to use in personal identification numbers that unlock your smartphone or allow you to gain access to an automated teller machine.

Cybercriminals crack weak passwords easily by purchasing sets of common passwords on the dark web. They sometimes get clues by looking at your social media posts or phishing for information from you through bogus emails.

In 2022, the most common password out of more than 15 billion retrieved from publicly leaked data breaches was 123456, according to an analysis. No. 2 was 123456789, followed by qwerty and password.

2. Don’t repeat yourself

As you’re thinking about a password to use, don’t repeat letters or numbers to make it longer. Password may be a weak password, but so is paaaassword. Sequential numbers and letters, such as qwerty, have the same problem.

Of course, never use the same passwords for all or really any of your online activity. Two-thirds of Americans in an Ipsos poll of 4,000 people conducted in April 2022 reported reusing passwords for different accounts.

If a site or app is breached, fraudsters will try it for other accounts. If they gain access, you’ll have more than one data security problem.

3. Acquaint yourself with special characters

When producing a password on your own, make sure it has at least eight characters, according to the National Institute of Standards and Technology. But that’s a low bar for hackers to crack.

At least 12 characters is better; 20 characters is even better. NIST, the federal agency that creates guidelines for cybersecurity, now wants websites to accommodate as many as 64 characters.

You don’t have to limit yourself to lowercase and uppercase letters and numerals. You can use punctuation marks and other symbols such as: & (ampersand), * (asterisk), @ (at sign), [ (open bracket), ] (close bracket), ^ (caret), $ (dollar sign), = (equal sign), < (less than), > (greater than), + (plus), / (slash), \ (backslash) and ~ (tilde). Some can work as replacements for letters.


Not all websites accept all special characters. But they often tell you which ones you can use.

4. Ditch a password for a passphrase

As you create longer passwords, a passphrase can be easier to remember than a bunch of random, mixed characters.

A passphrase should be a sequence of at least four mixed words without spaces and be something meaningful to you, such as myc@tFx#1! — which loosely translates to my cat Felix is No. 1.

Some people create a passphrase by using association techniques. Scan a room in your home and create a passphrase that uses words to describe what you see, such as Window, Chair, Mug, Picture, which becomes W1ndowCh@irMugPic+ure.

NIST is now recommending longer passphrases even if they don’t have the complexity of special characters. Length is more important. So smashing a sentence together — or having sites allow spaces between — is a good option if it helps you remember.

Have fun with it, but be sure to store it safely. And always be aware of your surroundings in public when entering passwords, passphrases or PINs.

5. Consider a passkey

In some cases, you could go without any password or username at all. A passkey verifies an app or website user through biometrics such as a fingerprint or facial recognition, a PIN or a pattern created by swiping.

The method uses two keys, one that resides on the app or website and the other through the device accessing it. Apple syncs its passkeys through its iCloud Keychain to allow a user access on any of their Apple devices. Google also is rolling out passkeys through its Chrome browser and Android phones, synced to Google Password Manager.

Although Microsoft hasn’t fully adopted the passkey method yet, it offers account users passwordless login access to Outlook and OneDrive using the Microsoft Authenticator app, which works in tandem with two-factor authentication, such as a mobile phone you’ve logged into with your face, fingerprint or PIN.

Some websites will help you

If you try to make your password too simple, you may find websites increasingly rejecting your choice. A data breach for you also has consequences for them.

The government is suggesting that sites reject dictionary words; passwords from previous breaches; repetitive or sequential characters; and words such as a user’s name, a username, a website’s name or any derivatives of them.
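
The rejection rules listed above, sketched as a check a site could run at sign-up. This is an added example, not code from the article or from NIST; the word lists, the substitution map, the run lengths and the function names are constructed for illustration.

```python
import re

# Constructed sample lists; a real site would load a full breach corpus and word list.
BREACHED = {"123456", "123456789", "qwerty", "password"}  # the four named in the article
DICTIONARY = {"window", "chair", "sunshine", "dragon"}
# Undo symbol-for-letter swaps so derivatives such as P@ssw0rd still match.
LEET = str.maketrans("@4310$5+7!", "aaeiosstti")
ROWS = ["0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LEN = 8  # the article's stated minimum; long input (64+ characters) is never refused


def normalize(text):
    """Lowercase the text and map common symbol substitutions back to letters."""
    return text.lower().translate(LEET)


def has_repeat(pw, run=3):
    """True if one character appears `run` or more times in a row (paaaassword)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` characters in a row follow digit, alphabet or keyboard order."""
    low = pw.lower()
    chunks = (low[i:i + run] for i in range(len(low) - run + 1))
    return any(c in row or c[::-1] in row for c in chunks for row in ROWS)


def screen_password(pw, username, full_name, site_name):
    """Return the reasons to reject pw; an empty list means it passes."""
    reasons = []
    norm = normalize(pw)
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if pw.lower() in BREACHED or norm in BREACHED:
        reasons.append("found in breach list")
    if norm in DICTIONARY:  # whole-password match only; passphrases of several words pass
        reasons.append("dictionary word")
    if has_repeat(pw):
        reasons.append("repeated characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    context = [username, site_name] + full_name.split()
    if any(len(w) >= 3 and normalize(w) in norm for w in context):
        reasons.append("contains name, username or site name")
    return reasons
```

The function returns every reason at once so a sign-up form can tell the user exactly what to change rather than rejecting one rule at a time.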

How to store passwords safely

Rather than writing passwords on a sticky note, which others can find — especially risky in a public place like an office — you can keep a list of passwords on your computer in a spreadsheet, word processing document or a notes app. But you must make sure you encrypt, another word for lock, the file with a master password or passphrase in case someone gains access to your computer, phone or tablet.

On a Windows PC with Windows 11, open your Microsoft Word document, then click File | Info | Protect Document | Encrypt with Password. You then can create a password for your information.


On a Mac, with the document open, select Review in the menu on top of the document | Protect | Protect Document. You have the option to set a password to open the document, modify the document and even to make changes in it.

If you would rather manually write down your passwords, be aware that it's generally not recommended. Even in a locked journal, these things can be easily stolen or opened.

Passwords should be changed regularly

Cybersecurity experts remain divided on how often you need to change passwords. Many, like San Jose, California-based security software company McAfee, suggest changing your password every three months. But if you find out your account was compromised, change your password immediately.

Today's web browsers also can alert you to a password being matched to a leak on the dark web. The browser will advise you to change it, but do so only if this notification comes from a reputable source, like Google Chrome, Microsoft Edge or your cybersecurity software.

If you don’t have it already, install reputable anti-malware software to protect you from ransomware, spyware, Trojan horses, viruses and worms; malware is short for “malicious software.” That’s one subscription that you’ll need to renew for the life of your device.

NIST says making minor changes to an old password isn't helpful either. Attackers can apply these same minor tweaks to gain access to your accounts.

Changing passwords may be tedious, but it's a good idea. Put it in your calendar as a reminder every few months, say every 60 or 90 days, and remain vigilant.

The same goes for automatically updating your software, including operating systems and antivirus software, so you don’t have to remember to do so later. Take the time to set updates for your hardware, too, such as a wireless router and printer.

Multifactor authentication adds protection

You can make it much harder for cybercriminals to access your online accounts by adding a second layer of defense.  

Multifactor authentication, also known as two-factor authentication, adds a layer of security on top of your password or biometric solution with a one-time code that’s typically sent to your mobile phone. This way, you can rest assured that your online banking and shopping is doubly secure — using something you know, your password, with something in your possession, your smartphone.

Even with multifactor authentication, continue to make it a habit to change your password regularly.

Another option is to use a VPN, or virtual private network, that connects to a secure, encrypted server, keeping you anonymous and safe, even if you’re accessing public Wi-Fi. VPN access uses two-factor authentication with a sign-in and digital code.

It never hurts to be prepared

We all hate to think about it, but our demise awaits. After years of online activity, our digital footprints become our legacy of sorts.

Another reason to get your accounts organized and your passwords secure is that it will help your loved ones deal with your affairs when necessary.

Some websites and password manager apps let you identify a digital beneficiary to carry out your wishes and access your accounts. The key is to let that person know in advance, so they’re prepared to follow your wishes and can access your digital vault.
