How to Create, Store, and Use Secure Passwords

Last Update: 8/11/2017
iPad password entry screen

Passwords are one of the biggest security problems on the Internet, possibly even more so than Malware. Poorly chosen passwords and security questions are making online accounts easily hackable by cyber-criminals.

Everyone knows it’s important to create and use complex passwords, ones that do not include:

  • Words from the dictionary of any language
  • Personal information such as names of your kids, pets, addresses, etc.
  • The same password for more than one site
  • Ones that are written down

Few people follow this type of policy. If you are guilty of one or more of the above, you are at risk of getting hacked. Hackers are able to use brute force attacks to test over 200,000 passwords per hour. As technology improves, they will be able to test passwords even faster. In this article we will help you create, store, and easily use secure passwords.

Secure your computer, web browser, Internet connection

Follow our guides to secure your Windows PC or secure your Macintosh by installing the right software, firewall, antivirus software, etc. Secure your mobile devices: iPhone, Android smartphone or tablet, iPad. Configure the settings and add plug-ins to you web browser so that it is more secure. Consult our tutorials for: Internet Explorer 9, Google Chrome, and Mozilla Firefox. Secure your Internet Connection: Wireless Network, Public Wi-Fi.

Better Usernames

We suggest users first start with a non-obvious username. Don’t use your first name or first name + last name as your username throughout your online accounts. Make up a name or alias. Include numbers and/or upper and lowercase letters. Better yet, use a different username on every site. The password managers recommended below will automatically remember all your logins.

What is a good password?

1. Characters, numbers, symbols, length, complexity

A good password has alphabetical characters of both upper and lower case, numbers, symbols. The password should be at least 12 characters in length. Length is more important than complexity. Computers have gotten so fast that they are able to password crack shorter passwords in no time especially with high speed GPUs. Keep in mind that some online services have limits as to what characters are valid and how long a password can be.

Examples of good passwords include: 9F1%6!Q(&3mdIOe39 or f7aX3z&a8L2;’\]

These are pretty hard to remember, aren’t they? We will include suggestions on how to create strong and easy to remember passwords below.

2. What passwords not to use

There should be no words from the dictionary of any language, present in your password. No personal information should be in your password including birthdays, names, addresses, phone numbers, etc. Develop a mnemonic system for remembering complex passwords.

Examples of bad passwords include: 12345 or john or 123elm or password

If you have to use one of these passwords, at least harden them with some extra symbols and length.

Examples of better passwords include: 12345!!!!???? or !!!!john!!!! or $$$$123elm$$$$ or %%password!! or {[password]}

Not only are the passwords only slightly more difficult to remember, but the security is enhanced by orders of magnitude.

3. Every website you visit should have a different password. The average Internet user has over 25 password protected accounts. If you only use one password, you would be in danger of losing your entire universe, if only one site got hacked and they stored passwords in plain text.

Examples of better passwords include: 12345!!!!????ebay or 12345!!!!????gmail

Another way to create an easy to remember but secure password is to come up with a memorable sentence or phrase and use the first character of each word. Append onto the end of each site’s password, the name of each website and a symbol and a number.

Example sentence: Jack and Jill went up the hill to fetch a pail of water


Password: JaJwuthtfapowgmail!1

4. How often to change your password

Passwords should be changed every so often, especially if you think it has been compromised. Changing a password too often causes major logistical problems. Some companies require password changes every XX weeks.  This causes more harm than good. Works will then reuse old passwords or slight variants of them. The focus should be on changing the most important and most used passwords every couple months. US-CERT has additional password tips.

5. Avoid sites that are not making security a priority. See the posts on Plain text Offenders.

How to create secure passwords

Read the National Institute on Standards and Technology’s 2017 password guidelines.

1. Manually creating passwords

You will basically pick numbers, characters, and symbols at random and keep doing so until you have created a fairly long password. The upside is that it is easy to do, but the downside is that you will probably not pick very random passwords.

2. Web pages that create secure passwords

There are several websites that help you generate secure passwords. Keep in mind that having to visit a website every time you need to generate a password, becomes inconvenient really fast.

  • GRC has a password haystack page that helps compute how long it would take to hack a given password.
  • GRC also has a page that generates high-security passwords.
  • PC Tools helps you generate secure passwords with customizable criteria
  • Microsoft has a page that lets you see how strong your password is

3. Software Utilities

Several free software programs can also help you generate secure passwords. Most of these programs also store the passwords, so they’ll be covered in the section below.

4. Password testers

It is best to test your password’s security with the hacking tools the expert hackers use. Windows-based password hacking utilities include: John the Ripper password cracker, Cain and Abel (Windows only)

Hacker Notify – Can check to see if your email address has been hacked.

5. Password recovery questions or security questions

We recommend that users enter secure passwords in these fields and not the true answer. Hackers can and have mined social media including Facebook to extract answers to these questions. You can alternately put in the correct answer and then consistently append a word to it.

6. Need to register and generate a password to see content? is a database of usernames and passwords for sites that require logging in to see content.

7. If you use Steam, turn on Steam Guard so you need to respond to an email every time you login to Steam from a new computer. Blizzard has an addon two factor authentication app to protect their gaming logins for iOS, and they also have a hardware authenticator for sale.

Two factor authentication system using SMS text messages is not secure, due to the weak SS7 routing system. We suggest only using two factor when you can use a token or a time based authenticator like Googles.

Many sites give alternate methods of logging in, if you do not have your second factor available. Commonly these are using your social security number or birthday, data that could be publically found.  This helps negates the advantage of two factor.

In the end, using Two Factor authentication is better than not using it.

These keys are more secure than using Text or SMS to send a one time code. Criminals can divert SMS messages and calls, to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

8. There are password cracking utilities from companies like Elcomsoft that can break the encryption on many programs and even smartphones. Keep this in mind when assessing the security of a product.

9. If you are buying a new notebook, consider buying one with a hardware security module built-in. The new Intel Ultrabook lightweight notebook specification includes support for a IPT Identity Protection Technology hardware security module or Trusted Platform Module (TPM) that can enhance security by requiring both a password and this hardware key to access certain websites.

How to store and use secure passwords

1. Do not store your passwords in a simple Word or text document. Also, do not write your passwords on a piece of paper or Post-it note. Obviously, your passwords could be easily stolen this way. Storing password in a browser is also a no-no. They have been hacked easily. If you really need to write down your passwords, only write down parts of your passwords and or login, and leave the rest blank.

2. The best place to generate and store passwords is a password wallet utility program.  Our goal is to find a Multi-platform PC, Mac, iOS and Android compatible program that can create  secure passwords, save the passwords, and automatically fill forms with the secure passwords. Here are some examples:

  • Lastpass – A password manager that works on Windows, Mac, Apple iOS, Linux, WebOS, Windows phone, Symbian, Android, and Blackberry. Stores data on the web for access anywhere and at anytime. Automatic form filling, one click login. Supports Yubikey, multi-factor authentication including Google two step authentication. Free for mobile users starting in August 2015. Make sure you have Password Iterations set higher than 1. Downside: Mobile version costs money, data is stored on their servers. A two factor authentication system using SMS text messages is not secure.
  • KeePass – Open source password manager with auto type capabilities. Available for Windows.  Unofficial versions for Apple iOS, Android, Mac, Linux. Be sure to select the options to:
    • Lock workspace after KeePass inactivity
    • Lock workspace after global user inactivity
    • Lock workspace when minimizing main window
    • Lock workspace when locking the computer or switching the user
    • Lock workspace when the computer is about to be suspended
    • Lock workspace when the remote control mode changes
    • Downside: Password database is stored locally, no online synchronization.
  • 1Password -A $49.99 password and identity manager that automatically save and fill website logins. Supports Apple iOS, Android, Mac, and Windows.
    Downside: Cost, Can’t retrieve master password.
  • Passpack – Free version supports up to 100 logins. Windows only. Supports most browsers. Supports yubikey. Uses Adobe Air. Allows sharing of logins.
    Downside: Adobe AIR only. (No iOS support)
  • Password Safe – Open source password manager for Windows.
    Downside: Windows only.
  • Roboform – A password and wallet manager for Mac and Windows that is complete with 1-Click form filling. One identity is Free, Unlimited Logins, Identities, Bookmarks, Safenotes and more cost $29.95.
    Roboform everywhere supports Apple iOS devices, Windows phone, symbian, Palm, Android, and Blackberry. It costs $9.95 for the first year. $19.99/year thereafter.
    Downside: Cost, occasionally pops up when not needed, smartphone apps can’t fill forms, remote access doesn’t allow editing form-fill data.
  • Clipperz – Free Online password manager from an Italian company.
    Downside: Web based, requires connection.
  • SafePad – Is a notepad with password protection

Our recommendation is to use one of the password managers above for most of your passwords, while remembering a couple important passwords through memorization. Your e-mail, online banking, and online trading passwords should not be stored within these password managers.

Important: If you use a password manager and use its convenient form filler, DO NOT enable automatic form filling. You could be brought to a malicious page and have all your information automatically entered on it, before you realized it.

3. Never send your password via email, over a social network like Facebook, or via phone.

4. Do not forget to backup your Google account with Google Takeout

We have covered many ways for you to create, store, and use secure passwords. If more people utilized the techniques covered above, fewer password intrusions would occur.

Author: SafeGadget

Teaching users on how to secure their computers and gadgets.