Skip to content

Passwords to Head Off the Hackers

New rules for an old problem: how to create a strong password

En español | Using their own ingenuity and automated programs that target thousands of computers simultaneously, hackers can quickly crack many simple passwords and break into online accounts. And once they sign in as you, they may change the password, locking you out of your own account.

One study finds that a successful hacking attack occurs about every 39 seconds. But in just a few seconds of your own, there are some ways you can strengthen your password for better online security.

12 is the new 8

As cyber crooks hone their skills, the traditional recommendation that passwords contain at least eight characters has changed. Passwords should now be at least 12 characters, say researchers at the Georgia Tech Research Institute. In their tests, they learned that eight-character passwords can be cracked in about two hours, but adding just four additional keystrokes to a password could raise that to a theoretical 17,000 years.

Small tweaks, big results

Longer passwords are a good first step, but even more important is making each character count. And yet one recent survey found that half of 2,500 surveyed computer users never employ symbols such as &, >, # or @ in their passwords. Worse, many still only use lowercase letters or just add numbers at the end of words, such as the foolish and easily hacked "password123."

In one study, a British researcher noted that bolstering an all lowercase eight-character password with a few well-placed symbols, numbers and a combination of upper- and lowercase letters would take commercial hacking software about 200 years to crack.

Steps like these serve to blunt the hackers' software, which works by trying various versions of words in an English dictionary and even combinations of them.

Sometimes it can be easier to recall "harder" passwords. >>


David Selman/Alamy

Easier recall of 'hard' passwords

Of course, the more complicated a password, the harder it is for you to remember it — explaining why you may often quickly change the cryptic passwords initially assigned when you open a new online account. After all, who can remember "iH3k&tR#rS-c"?

You can — by taking some new advice: Choose a sentence, phrase or song that you can easily remember, and add a few keystroke tweaks. The above 12-character password, for example, is a hacker-resistant version of "I have 3 kids and they are really super-cool" (which is true for me, but hackers, take note: I'm not using it as a password).

Your favorite song? "When I'm feeling blue/All I have to do/Is take a look at you" becomes "WiFbAiH2DiTaLaU," with each word's initial letter alternating between lower case and capital. Then "A Groovy Kind of Love" becomes a stronger password.

And while you shouldn't use birthdays or anniversaries as a password — those dates may be available in online public records and used by hackers who specifically target you — those easy-to-remember dates can be tweaked for better protection. If you must rely on your June 10 wedding, for instance, consider including lesser-known info — such as the initials of your maid of honor (Susan Jones) and honeymoon destination (Miami), à la "sj@0610#miaFL."

Of course, this level of complexity may not be for everyone. But give it a try — if you create (and remember) passwords like these, you'll have nearly uncrackable security.

Other old-standby ways to bolster password security:

  • Say no when browsers offer to save your password. Website browsers such as Firefox and Internet Explorer let users save passwords so that they don't have to enter them each time they go to a site, but widely used password-stealing "Trojan" programs know where to look for and how to steal that information. Plus, a saved password can translate to easier hacking if your computer gets stolen.
  • Use different passwords for different accounts. And change them every 90 days or so. Only about one in five computers users employs multiple passwords on different accounts, and many fail to ever change them.
  • Check your password. Whenever you choose a new one, gauge its strength at websites such as Microsoft's Password Checker.

Sid Kirchheimer is the author of
Scam-Proof Your Life, published by AARP Books/Sterling.