To create a strong password, choose one that is long, complex, contains multiple types of characters, and hasn’t been used for any other service or device. Passwords are the locks on your doors that protect your sensitive data. A strong password can give you good protection, while a weak one will not.
Lax cybersecurity practices, like using identical passwords on multiple sites or leaving devices without passwords, can cause security breaches and lead to identity theft or doxxing. For example, a breach at an online retailer or doctor’s office might allow a cybercriminal to get into your bank account with the same credentials. “Passwords have always been a weak link in the security chain, and criminals won’t hesitate to exploit that weakness,” the internet firm Akamai says in a 2021 report.
In this guide, we explain how hackers crack passwords and provide tips for creating strong passwords that will protect your sensitive information and help you stay safe and secure online.
How do Hackers Crack Passwords?
Criminals steal passwords with a variety of techniques, including hacking into your desktop or laptop computer, or your internet-connected devices like security systems, security cameras, refrigerators, washers, and dryers. Hackers also can purchase credentials on the dark web or trick you into revealing a password in a phishing attack. Here are some other ways that hackers can crack passwords.
Strong passwords are long, complex, and unique for every service and device you use.
Brute Force Attacks
This type of password-stealing technique uses a computer program to keep trying various combinations until one succeeds. This is an old method but can be effective, especially when people use easy-to-guess passwords with common words. “People tend to repeatedly use a few simple passwords, which leaves them exposed to brute force attacks,” says the internet security firm Imperva, which estimates that brute force attacks account for about 5% of successful breaches. These attacks can be averted with strong and unique passwords and websites that lock out users after a given number of attempts.
A dictionary attack is a type of brute force attack that succeeds when people rely on common words for their passwords. According to the password manager firm NordPass, these passwords are much easier to crack than ones that use long, random strings of letters and other characters.
Most of us have received emails that appear to be from someone we know but are in fact from malicious actors seeking to steal our credentials. This is known as phishing and can be effective if users aren’t vigilant. The technique is often practices by sophisticated cybercriminals who are very good at mimicking banks and companies that have sensitive data to steal, according to cybersecurity company Akamai. “Skilled website developers create complex phishing kits, which in some cases are near-flawless replicas of the targeted brand or financial institution,” the company says.
As people become more guarded about emails, some hackers have begun “smishing,” or using phishing techniques in SMS or text messages. “You might get a text message that says your bank account has been hijacked,” says Ben Sadeghipour at the security firm HackerOne. “It looks like it was made for you, and you panic. Anyone can fall for that.”
“The longer the password, the better,” Sadeghipour says. “The more components you add, the harder it is to crack.”
Tips for Creating Strong Passwords
Creating strong passwords doesn’t have to be difficult. Below are some tips to make your passwords stronger.
Make Them Complex
- An English uppercase letter (A-Z)
- An English lowercase letter (a-z)
- A number (0-9) and/or symbol (such as !, #, or %)
- Ten or more characters total (some experts recommend 12-16).
“The longer the password, the better,” Sadeghipour says. “The more components you add, the harder it is to crack.” Security experts recommend a combination of upper and lower case letters, numbers, and symbols or other special characters, without repeating the same character three or more times.
Stay away from common words, which aren’t safe because they can open you up to a dictionary or brute force attack. Also avoid passwords based on personal information like your name or date of birth, or the names of your family members or pets. All of these might be posted on social media or otherwise be available online. Also avoid sequential strings of letters or numbers, as well as keyboard patterns or sequences. Don’t use a single word in any language, as a dictionary attack can crack this type of password very quickly.
Here are several examples of passwords that are easy to guess, many of which are commonly used and wind up on lists of hacked passwords every year.
- common words like monkey
- senha (Portuguese for password)
Use a Passphrase
Instead of a single password, the FBI suggests using a phrase, otherwise known as a passphrase. This involves combining multiple words into a long string of at least 15 characters. Passphrases have two advantages: they’re harder to crack and can be easier to remember than random strings of characters. The best passphrases combine multiple random words, such as “DirectorMonthLearnTruck.”
Use the Sentence Method
A passphrase sentence can be easier to remember than some other types of passwords while still protecting your accounts. The University of Buffalo Information Security Office suggests taking a phrase such as “iced tea is great for summer” and making some phonetic and visual substitutions for added strength, such as “IcedTisgr84$umm3R.” This would be very hard for a hacker to crack.
However, some caution is warranted. “If you have a favorite quote that you use on social media or frequently in conversation or just like, that quote would not be a good choice as a passphrase for your accounts,” the University of Virginia advises students.
Instead of a single password, the FBI suggests using a phrase, otherwise known as a passphrase.
Don’t Reuse Passwords
Security professionals have long warned against reusing passwords, but many people do it anyway. An investigation by the New York State Attorney General’s Office found 1.1 million online accounts at 17 known companies that appeared to be compromised by “credential stuffing,” where hackers used stolen password combinations from one service to log into other accounts. “In a typical credential stuffing attack, an attacker may submit hundreds of thousands, or even millions, of login attempts using automated, credential-stuffing software and lists of stolen credentials downloaded from the dark web or hacking forums,” according to a statement from the attorney general’s office issued January 2022.
Use a Password Manager
The best way to generate unique, strong passwords without having to remember them is to use a password manager, like Keeper, Bitwarden, Dashlane, or LastPass. A password manager is software that generates and stores passwords for all of your accounts in a secure “vault” that can only be accessed with a master password that you create. (Even the password manager company won’t know your master password, so make sure you remember it.) A password manager can be used across different browsers, operating systems, and devices.
Not only do these services offer hard-to-crack passwords, but they can tell you when a site has been breached so you can change your password for that site, says Joseph Lorenzo Hall a technologist and vice president at the Internet Society. A good password manager will encrypt your passwords so that even if the company’s servers are hacked, your account details can’t be read.
Other Best Practices for Password Security
Good password security involves more than just creating hard-to-guess passwords. Here are some other password tips.
Find Out if Your Passwords Have Been Stolen
Some password managers and identity theft services will alert you to website breaches where your password may be compromised. You can also enter your email to https://haveibeenpwned.com/ (based on video game slang “pwned” for defeated) to learn whether your credentials have been stolen.
When on public Wi-Fi, use a virtual private network that establishes a secure and encrypted “tunnel” for your data transfers and makes it nearly impossible to intercept.
Use Sites Beginning With HTTPS
Make sure any website where you enter credentials begins with “https:” rather than “http:” and features a padlock in the address bar. An https website encrypts your data to make snooping more difficult, according to the security firm Cloudflare. Some browsers will alert you to sites without this protection and label them “unsafe.”
Use a VPN on Public Wi-Fi
Maybe you have good security at home but use Wi-Fi at your local coffee shop or at the train station. To guard against hackers, security professionals say you should use a virtual private network (VPN) that establishes a secure and encrypted “tunnel” for your data transfers and makes it nearly impossible to intercept. Many companies use VPNs for internal communications, but you can also get a personal VPN account for a monthly fee.
Use Two-Factor Authentication
Experts say two-factor authentication is critical for protecting your accounts. Two-factor authentication uses an email, text message, or other means of verifying your identity. Authentication is based on three separate things: something you know to verify it’s you; something you have, such as a physical key; or something you are, such as a fingerprint or other biometric data.
Two-factor authentication prevents someone from gaining access to your accounts and stealing your identity or causing other harm if they have your primary password. “Given the vast number of data breaches and passwords for sale on the dark web, organizations can no longer trust that simply knowing the right password is credible enough to allow a user access to an account,” the digital identity firm OneSpan says.
Related 360 Reviews
Why You Can Trust Us
At U.S. News & World Report, we rank the Best Hospitals, Best Colleges, and Best Cars to guide readers through some of life’s most complicated decisions. Our 360 Reviews team draws on this same unbiased approach to rate tech products that you use every day. The team doesn’t keep samples, gifts, or loans of products or services we review. In addition, we maintain a separate business team that has no influence over our methodology or recommendations.