How to create a secure password

Passwords are the primary means of securing your accounts online. Ensuring they’re strong and frequently updated is crucial to prevent unauthorised access. Recent data breaches have exposed millions of usernames and passwords, putting users' personal and financial information at risk.

In fact, in March 2021, a massive data breach known as the "Compilation of Many Breaches" exposed more than 3.2 billion unique email and password combinations. If you’ve not updated your passwords recently, maybe it’s time to do so - here’s a guide to help you be more secure online.


The basic rules of thumb when choosing a password:

  • Bigger is better – aim for a minimum length of 12 characters.
  • Use a mixture of uppercase and lowercase letters, numbers and symbols.
  • Don’t use people’s names, place names or dictionary words.
  • Don’t use dates, phone numbers or postcodes… even as part of your password.
  • If a site offers two-step/two-factor verification you should probably use it.
  • Don’t use the same password for every account.

Never, ever use a password like the ones below as featured in SplashData’s 2023 annual list of the top passwords in use. If your password is in the list below you should change it now.

  1. 987654321
  2. qwertyuiop
  3. mynoob
  4. 123321
  5. 666666
  6. 18atcskd2w
  7. 7777777
  8. 1q2w3e4r
  9. 654321
  10. 555555
  11. 3rjs1la7qe
  12. google
  13. 1q2w3e4r5t
  14. 123qwe
  15. zxcvbnm
  16. 1q2w3e
  17. abc123
  18. monkey
  19. letmein
  20. football
  21. dragon
  22. baseball
  23. login
  24. sunshine
  25. master
  26. superman
  27. hello

Password cracking methods

It’s not just someone sitting there manually trying different words to discover your password: hackers use computer programs to do the work for them. Computers can make many more guesses per second than a human can; in fact, a standard desktop PC could crack the password ‘letmein’ in under one minute. Here are a couple of examples of different types of cyber-attacks:

Dictionary attack

Attempts to crack your password by trying every word, and combinations of words, in a predefined list such as a dictionary (any/all languages), or maybe every word in a dictionary plus the most used passwords (see the SplashData list above). Dictionary attacks can also try every word in the list with numbers and symbols swapped in for letters, so, for example, ‘p45Sw0rd’ is no safer than ‘password’.

Brute force attack

Will try to guess your password by trying every possible combination of letters, numbers and symbols. However, brute force attacks can be much more advanced than simply trying every combination: they can also make assumptions about your password to cut down on the combinations and time required. For example, passwords are now usually required to contain at least letters and numbers, so the brute force attack doesn’t bother trying guesses made of just letters.

Hackers employ many more methods to get into your accounts. These two are by no means the end of the story; they are just the ones that best illustrate how easily simple passwords are hacked.
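As an added example (not part of the original article), the Python sketch below shows how a site could screen a new password against both attacks described above: it undoes number-for-letter swaps before comparing with a blocklist, and estimates the brute-force search space from the character classes actually used. The substitution table, the short blocklist and the function names are assumptions made for this illustration.

```python
import math
import string

# Constructed blocklist: a few entries from the list on this page, plus
# 'password' from the dictionary-attack paragraph. Use a full list in practice.
COMMON = {"letmein", "qwertyuiop", "1q2w3e4r", "abc123", "monkey",
          "football", "dragon", "sunshine", "superman", "password"}

# Assumed substitution table (not from the page): look-alike -> letter.
LEET = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s", "0": "o",
                      "3": "e", "1": "l", "!": "i", "7": "t"})

CLASSES = {"lowercase": string.ascii_lowercase,
           "uppercase": string.ascii_uppercase,
           "number": string.digits,
           "symbol": string.punctuation}

def in_dictionary(pw):
    """True if pw matches a blocklisted word once digit/symbol padding
    and look-alike substitutions are undone."""
    lowered = pw.lower()
    trimmed = lowered.strip(string.digits + string.punctuation)
    candidates = {lowered, trimmed,
                  lowered.translate(LEET), trimmed.translate(LEET)}
    return not candidates.isdisjoint(COMMON)

def search_space_bits(pw):
    """log2 of the guesses a brute-force run needs when it only tries
    the character classes this password actually uses."""
    pool = sum(len(chars) for chars in CLASSES.values() if set(pw) & set(chars))
    return len(pw) * math.log2(pool) if pool else 0.0

def check(pw, min_len=12):
    """Return the rules of thumb from this page that pw breaks (empty = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, chars in CLASSES.items():
        if not set(pw) & set(chars):
            problems.append(f"no {name}")
    if in_dictionary(pw):
        problems.append("common password or dictionary word in disguise")
    return problems

if __name__ == "__main__":
    for pw in ("letmein", "p45Sw0rd", "monkey123!", "mhbwd+U2Basr"):
        print(f"{pw!r}: {search_space_bits(pw):.0f} bits, {check(pw) or 'ok'}")
```

The check runs locally, so nothing typed into it leaves the machine.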

Creating a secure password

I use a method described by Bruce Schneier as a starting point for my passwords. It works like this:

  1. You take a memorable phrase that might be personal to you, let’s say, ‘Michon has big wooden doors and used to be a school room’.
  2. Take the first letter of each word: ‘mhbwdautbasr’.
  3. The first ‘a’ in the sequence was for ‘and’, so let’s change that to a ‘+’.
  4. The letter ‘t’ was for ‘to’, so let’s change that to a number ‘2’.
  5. Now let’s say the first letter after a number or a symbol should be an uppercase, so we now have, ‘mhbwd+U2Basr’, which is pretty random, but easy to remember. It’s 12 characters long and according to would take about 344 thousand years for a desktop PC to crack.

NB: I wouldn’t recommend putting a password you are really going to use into a password testing/scoring site.

You could then append or prepend this with a site-specific password created using the same method. ‘I like using Facebook’ becomes, ‘1luF’. Maybe I decide that social media accounts always append and use a symbol to join them, say an ampersand. Now I have a unique password for Facebook like so: mhbwd+U2Basr&1luF.

By doing this I find I can make memorable, unique and secure passwords for all my accounts.

Alternatively, you could use a password manager to generate and store your passwords, making things even easier. By using a password manager, you only have to remember one password, but make sure it’s a strong password because it holds all your secrets!

A word on email accounts

If there’s one account you should pay particular attention to, it’s your email account. Your email account is important: it will probably contain a lot of private information about you, your family, and friends. And if a hacker gets into your email, they could use the “Forgot password” feature of other online accounts to gain access to them too. So make sure the password for your email account is secure.

And finally, never give out your password. If someone phones you from a company whose services you use, they should never, ever ask you for your password—if they do they are not legit.

