Password Best Practices: The SIMPLE Way to Get It Right

Few of us follow password best practices, partly because we lack a S.I.M.P.L.E. way to know whether we’re doing it right. We’re always trying to strike a balance between convenience and security. Until websites and online services settle on a replacement for passwords, we can at least do a better job of creating, storing, and using them.

Password best practices are SIMPLE to remember:

  • STOP reusing passwords
  • INSPECT the requirements for new passwords
  • MEASURE the complexity of your passwords
  • PUT all passwords in a password manager
  • LIMIT memorized passwords
  • ELIMINATE old passwords

Let’s explore each of these points individually. Below, I’ll walk you through the bad habit with examples, the logic behind the advice, and then the current best practice.


Stop Reusing Passwords

The second worst habit we have with passwords is reusing them. This March 2018 study from Virginia Tech examined 28.8 million users and found that 52% reused passwords. Worse yet, they were using them across sensitive sites like email and shopping sites. The article also notes

We also observe that users would still reuse the already-leaked passwords for other online services for years after the initial data breach.

Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang, March 2018

This means that as we sign up on new sites with a reused password, we’re creating accounts whose password is already in attackers’ hands. Credential-stuffing tools simply replay leaked email/password pairs against every popular service.

The letter ‘S’ is for ‘Stop’. We need to stop reusing passwords when creating a new account. We also need to update our existing passwords, so they’re unique and not used or found anywhere else on the Internet.

Password security is a process that we can create habits around. It’s not complicated. I’ll show you exactly how to keep track of each password easily.

Inspect the Requirements For New Passwords

Users aren’t the only cause of weak passwords. Sometimes the business or service limits password complexity during account creation. For example, my bank allows a maximum of 12 characters for a password. My son’s college savings program permits only uppercase letters and numbers in the password.

The letter ‘I’ is for ‘Inspect’. Inspect the password requirements as you sign up for any new online service or create a new account inside a mobile app. Some services will provide guidance near the password entry field during the sign-up process.


Other sites will provide their password policy if you attempt to use a weak password.


Easy Tip: After I fill out a new username, I purposefully try “123456” to surface the password guidance before submitting a real password. Sometimes the service permits a new user account with this weak password. One service I tested even rated “123456” as OK 🙁

Now that you’ve found the password guidance, max it out. If you’re allowed a 32-character password, use all 32. Length is the most important factor: every extra character multiplies the work an attacker has to do. Combining length with uppercase, lowercase, numbers, and special characters bolsters your password security further.

Measure the Complexity of Your Passwords

You’re still probably wondering from earlier what the #1 bad habit is. Collectively, we create and use really weak passwords like “password1”, “123456”, “qwerty”, or “letmein”. These are some of the most common passwords as listed on Wikipedia.

You might be saying to yourself that your password is not on the list. That’s an excellent first step, but is it long enough? Are the characters from a large enough pool of possibilities?

A strong password has these traits:

  • Longer than 15 characters.
  • No part of it exists in a dictionary of any language.
  • No part of it exists in any common or breached password lists.
  • Contains uppercase letters, lowercase letters, numbers, and special characters/symbols.

The letter ‘M’ is for ‘Measure’. Let’s create a fake test password and measure its resistance to being cracked. Note that the following is a learning exercise and estimates password strength.

  1. Think of a password similar to one you might already use. For example, I’ll select “letmein” but alter it a bit for testing: “comeonin”. This is different enough not to give away my real password but similar enough for testing.
  2. Go to How Secure Is My Password, a password testing tool from the password management company Dashlane.
  3. Type or paste your test password into this tool to see how long it would take to crack. Only ever enter throwaway test passwords into an online tool, never a real one.
  4. Now experiment with a new, stronger password. You’ll start to get a feel for how long and complex a strong password needs to be. Remember that these tools estimate brute-force time only; a password found in a breach list falls in seconds regardless of its length.

A longer password or passphrase drawn from a more extensive character set is the key ingredient of a stronger password. No more “password1”, agreed? These are not secure passwords.

Another Easy Tip: You can also apply secure password creation to make a random username when a username doesn’t need to be memorable.
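As an added example (not from the original article or from any of the tools it mentions), the script below does the same kind of measurement offline, so no real password ever leaves your machine. It estimates brute-force entropy from the character pool and length, flags the weaknesses listed above (short, in a common-password list, contains dictionary words, few character classes), and uses the same rules to generate the random passwords and usernames the two Easy Tips describe. The common-password list, the dictionary, and the guess rate of ten billion per second are constructed assumptions for illustration; a real check would use a full breach corpus and wordlist.

```python
import math
import secrets
import string

# Constructed stand-in for a breached/common-password list (assumption).
COMMON_PASSWORDS = {
    "123456", "password", "password1", "qwerty", "letmein", "comeonin",
    "12345678", "iloveyou", "admin", "welcome",
}

# Constructed stand-in for a dictionary wordlist (assumption).
DICTIONARY_WORDS = {"come", "password", "summer", "dragon", "monkey", "football"}

# Character classes and the size each adds to the attacker's search pool.
CHARSETS = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
]
ALL_CHARS = "".join(chars for chars, _ in CHARSETS)


def pool_size(password):
    """Size of the character pool the password visibly draws from."""
    size = sum(n for chars, n in CHARSETS if any(c in chars for c in password))
    if any(c not in ALL_CHARS for c in password):
        size += 1  # spaces / non-ASCII: count as a small extra pool
    return size


def entropy_bits(password):
    """Upper-bound entropy: length * log2(pool), i.e. uniform random choice."""
    n = pool_size(password)
    return len(password) * math.log2(n) if n else 0.0


def crack_time_seconds(password, guesses_per_second=1e10):
    """Expected seconds to hit the password after searching half the keyspace.
    1e10 guesses/s models an offline attack on a fast hash (assumption)."""
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def weaknesses(password):
    """Return the list of rules from the article that the password breaks."""
    issues = []
    lowered = password.lower()
    if len(password) < 15:
        issues.append("shorter than 15 characters")
    if lowered in COMMON_PASSWORDS:
        issues.append("appears in common/breached password list")
    hits = sorted(w for w in DICTIONARY_WORDS if w in lowered)
    if hits:
        issues.append("contains dictionary words: " + ", ".join(hits))
    classes = sum(1 for chars, _ in CHARSETS if any(c in chars for c in password))
    if classes < 4:
        issues.append("uses only %d of 4 character classes" % classes)
    return issues


def random_password(length=32):
    """Random password with at least one character from every class,
    drawn from the OS CSPRNG (secrets), then shuffled."""
    if length < len(CHARSETS):
        raise ValueError("length must be at least %d" % len(CHARSETS))
    rng = secrets.SystemRandom()
    chars = [rng.choice(chars) for chars, _ in CHARSETS]
    chars += [rng.choice(ALL_CHARS) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def random_username(length=16):
    """Random, non-memorable username: lowercase letters and digits only."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["comeonin", "password1", "Em@7A.M.,Iwo2k&mtb.", random_password()]:
        print("%-36s %6.1f bits  ~%.3g s  %s" % (
            pw, entropy_bits(pw), crack_time_seconds(pw), weaknesses(pw) or "ok"))
    print("username:", random_username())
```

The entropy figure is an upper bound that assumes every character was chosen at random; that is why the breach-list and dictionary checks come first. A 19-character acronym password looks strong by the arithmetic, but if the sentence behind it is public, its real entropy is near zero.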

You might be wondering how you’re going to remember a strong password. That’s what the next piece of advice covers.

Put All Passwords In a Password Manager

We’re creating long, unique, complex passwords for each service we sign up for. How are we going to track these? Isn’t it annoying to type them every time we want to log in?

Bad practices: examples of where password best practices are ignored.

The letter ‘P’ is for ‘Put’ (and ‘Password Manager’). Please practice putting passwords prudently inside a password manager. This is software that stores your password list in an encrypted form.

I recommend Bitwarden because it is open-source. If you prefer having a company backing your data security, we have a great one on our Recommended Tech page.

The market is full of other software names like Dashlane, Keepass, and Roboform that store passwords. Some are more technical, while others are nicer looking. Your password manager should also include two-factor authentication, a must-use feature.

It is essential to select a password manager, install it, and start using it. You do not have to back-fill all your weak-sauce passwords right away (though I recommend it); just begin storing login credentials now.

In addition to storing your passwords and passphrases, a password safe allows you to use and store lengthy random usernames. You should also save answers to your security questions, which you can now falsify with random text instead of guessable facts like your mother’s maiden name. Fake answers act like having multiple passwords for your user account.


A password manager is a key cornerstone of password security. It allows frequent password changes without concerns about being locked out of any of your accounts.

If you do not use a password manager, at least save your passwords in a secure, encrypted notes app.

Limit Memorized Passwords

At first, I had two or three passwords memorized. I reused them but split them between sensitive (banking, shopping, email) and non-sensitive (forums, some social media, etc.).

I later thought I was clever in memorizing a pretty complex password and then adding a couple of characters from the internet address to make it a unique password.

This was the WRONG approach.

Your memory will fail you, or data breaches at multiple companies will. A breach of one site exposes the pattern behind every other password built from it. Passwords are static pieces of information that need to be kept in static, unchanging storage. Our brains are constantly rewiring and moving data around. This is not a good place to store more than a couple of passwords.

The letter ‘L’ is for ‘Limit’. Try to limit the passwords you have in your brain to one or two at most.

Generally, we humans are horrible at creating complex passwords, but for password management, we do need one master password that you can remember.

Here is how to create a unique password for your password manager (with an example; since the example sentence is now public, write your own rather than using it):

  1. Grab a pencil with an eraser.
  2. Find a piece of paper you’ll tear up and throw away soon.
  3. Write down a passphrase sentence with 10-15 words, including some numbers. 
    Every morning at 7am, I wake our two kids and make them breakfast.
  4. Under that, convert the numbers and words to symbol character types. 
    Every morning @ 7 A.M., I wake our 2 kids & make them breakfast.
  5. On the next line, take each word’s first letter, keeping all your numbers and symbols (the spaces below are for readability only; the password itself has none). 
    E m @ 7 A . M . , I w o 2 k & m t b . (19 characters)
  6. Write this password, character-by-character 7-9 more times by hand, and as you write 
    a. speak the underlying words from your sentence aloud 
    b. create a picture or video for your sentence
  7. Type your master password into your password manager as you set up the account/vault.
  8. After you’ve gained access to your new and empty password vault, log out and log back in 3-5 more times… 
    a. saying each underlying word from your sentence in your head 
    b. reviewing the picture or video from your sentence
  9. Tear up and securely throw away your paper.

Eliminate Old Passwords

I started this site after realizing that my online and digital life needed to be cleaned up. My password manager showed that I had over a thousand records. That’s a considerable threat or attack surface. This is the sum of all the points where a hacker can access your data.

The larger the attack surface, the less secure you are.

This 2015 article from Dashlane estimated that by 2020, the average Internet user would have 207 online accounts. They estimated that our lists of accounts would grow at a 14% rate which means your list will double every five years.

The letter ‘E’ is for ‘Eliminate’. We need to go through all our logins and eliminate unused accounts. Once a year, scroll through your password manager to find accounts you can close, close them on the service itself, and then delete them from your password vault.

I just logged into our vault, which lists 287 records. This is far better than the more than 1K we started with. …I wonder if we need this login for registering our LG washing machine?… 😕

Final Thoughts

Software developers are already experimenting with and implementing alternatives to the outdated password concept.

We’re seeing increased use of identity providers like Google or Facebook login buttons. Some sites like Slack encourage the use of passwordless authentication, which they call a “magic link”.

On the cutting edge, some European governments and banks are encouraging users to opt into hardware keys and app-based authenticators. For example, customers scan an on-screen QR code with a service-specific smartphone app to log in and complete transactions.

We’re transacting and communicating more online than ever before, and the trend will continue as we move more of our lives into the cloud, increasing the number of accounts we have to maintain. Until alternatives become mainstream, we must focus on solid password best practices. Your next step is to turn on Two-Factor Authentication (2FA).

What is the best password length? The best password length is “as long as you’re allowed to create”, but generally shoot for 15-20 characters, including a combination of lower-case letters, upper-case letters, numbers, and symbols. Do not create anything less than 10 characters long.

What is the best app for storing passwords? The best app for storing passwords is Bitwarden. It’s open-source, convenient, free of charge, and you can control the data. If you prefer to pay a company to be responsible, use RoboForm. Ultimately, pick an app you’ll stick with using to store unique, long, random passwords properly.

How can I teach kids about passwords? The best way to teach kids about passwords is to make it engaging in the form of a story. Below are two worksheets I used on Bring-Your-Parent-To-School Day. I tailored it for 4th and 5th graders. I walked the kids through the worksheet using a fictional tale and gave them invisible ink pens I bought on Amazon.

Mike Chu

Mike is a web developer and content writer living as a digital nomad. With more than 20 years of devops experience, he brings his "programmer with people skills" approach to help explain technology to the average user. Check out his full author bio by clicking here.
