We've suggested plenty of strong password tips over the years, but in light of the faster and newer cracking capabilities, these are worth reviewing.
1. Avoid Predictable Password FormulasThe biggest problem is we're all padding our passwords the same way (partly because most companies limit your password length and require certain types of characters). When required to use mix of upper- and lower-case letters, numbers, and symbols, most of us:
- Use a name, place, or common word as the seed, e.g., "fido" (Women tend to use personal names and men tend to use hobbies)
- Capitalize the first letter: "Fido"
- Add a number, most likely 1 or 2, at the end: "Fido1"
- Add one of the most common symbols (~, !, @, #, $, %, &, ?) at the end: "Fido1!"
Other clever obfuscation techniques, such as shifting keys to the left or right or using other keyboard patterns are also now sniffed out by hacking tools. As one commenter wrote in the Ars Technica article, hackers use keyword walk generators to emulate millions of keyboard patterns.
The solution: Don't do what everyone else is doing. Avoid the patterns above and remember the basics: don't use a single dictionary word, names, or dates in your password; use a mix of character types (including spaces); and make your passwords as long as possible. If you have a template for how you create memorable passwords, it's only secure if no one else is using that rule. (Check out IT security pro Mark Burnett's collection of the top 10,000 most common passwords, which he says represents 99.8% of all user passwords from leaked databases, or this list of 500 most common passwords in one page.)
2. Use Truly Random PasswordsUse multiple unrelated words for your strong, long password: Using a passphrase is more secure and more memorable than complicated but shorter passwords, as web comic Xkcd pointed last year. Longer and simpler passwords trump shorter and more complex ones—but only if the words you use are truly random. If you're using a common quote or saying for your passphrase, you're a target, because hackers' dictionaries include common quotes, phrases, titles, and lyrics—and they can easily employ rules to use just the first letter of each word or other similar pattern. "To be or not to be" and "2b30rn0t2b3" and "tbontb" might all very well take just seconds to crack thanks to fast algorithms, so make your passphrase truly unique and random. (The Xkcd password generator can pick four random words for you.)
The best option is to use a password generator and manager: While the passphrase approach might be good for, say, your computer login or the few cases you need to remember your password, the best option is to generate a truly random, long, and complex password. This avoids the problem of easily cracked patterns and word lists. LastPass, KeePass, or 1Password can all generate a random password for you. See how to build a nearly hack-proof password system with LastPass for detailed instructions. Remember, the only secure password is the one you can't remember.