Chapter 4
Protecting Your Passwords

After protecting your computer, the next most important thing you can do to protect yourself is to consider your online passwords. Most of us have a dizzying number of online accounts and passwords, and struggle to keep track of them all. Your list of websites, e-mail addresses, and passwords is the modern cyber keychain. Unfortunately, even though this keychain is virtual, the stakes are real. Passwords protect your data, your messaging, your contacts, your software, your commerce, and if you bank online, your money. You must take passwords seriously and treat them like the “virtual keys” they are.

This chapter discusses some ways in which you can create, manage, and protect your passwords to computers and the internet.

How Do Cyberattackers Get Your Password?

Cyberattackers can get your password using several different techniques. Good password practice consists of thwarting each of these techniques in sequence. Good password practice does not make it impossible for attackers to guess or otherwise obtain your passwords. After all, sometimes we have a bad day, or the attackers have a good day. Criminal aggregators have created lists of millions of users and their passwords, and likely have a couple of entries in a database on you, too. However, good practice improves your odds, and can also reduce the damage that occurs if one of your passwords is compromised.

Some ways that attackers can obtain your passwords include:

Brute force attack. It is theoretically possible to “guess” any password by simply trying every combination of letters and numbers until you get the right combination. An eight-character password can be brute-forced in less than 10 minutes using a distributed botnet, based on a 2017 report. Adding a character to your password increases this time by a factor of fifty or more, so longer passwords become significantly more difficult to crack. Websites and applications thwart brute-force attacks by introducing a delay after each unsuccessful password attempt, or by locking accounts after a certain number of unsuccessful login attempts.

Rainbow tables. Rainbow tables are huge tables containing millions of data entries that can be used to try to guess a user’s password. There are also password lookup tables that contain millions of common password strings. These tables generally include all the words in the dictionary, along with common substitutions for those words like adding a number to the end or replacing the letter “a” with the “@” symbol.

Online hack databases. Major hacks like those at Yahoo, Adobe, Experian, LinkedIn, and others may have revealed usernames and passwords for millions of internet users. The revealed account information is now contained in databases that are freely available within the criminal underworld. In response to some of these breaches, the Australian web security expert, Troy Hunt, created the website www.haveibeenpwned.com to allow users to check their accounts against some of these databases. While not being on this list does not mean you are in the clear, if you are on this list, then your password has most probably been compromised at some point.

Company breach. If your company—or any company you work with—has been breached, it is likely that your password at that company has been compromised as well. Attackers frequently try to obtain authentication databases (e.g., usernames and passwords) from companies they breach. Even if they have not gotten your actual password, they may have obtained your password hash, which may be used to impersonate you or to obtain your actual password, under certain circumstances.

Keyloggers. Similarly, if attackers compromise your computer, your phone, or a computer that you have used—like a public computing kiosk—then they may have obtained your credentials using a keylogger. Keyloggers are programs that monitor and record what keystrokes are entered via the keyboard, while looking for certain patterns that indicate a password is being entered. For example, a keylogger may watch for you to go to common logon pages or watch for you to type something shaped like an e-mail address (a name, an “@” sign, and a domain). Such a pattern may indicate you are entering an e-mail address, followed by a password.

Network sniffing. Like keylogging, attackers can watch network traffic for credentials as well. While proper implementations encrypt usernames and passwords before they are sent over the internet or wireless connections, it is not always the case. Implementation glitches may allow these credentials to be transmitted in the clear, or poor encryption may permit attackers to decrypt the credentials and obtain the usernames and passwords.

Shoulder surfing. Usually, the people most likely to be looking over our shoulder as we are entering passwords are our family or friends, but that is not always the case. In public with a laptop, at an ATM, or while sitting in front of a client, people who you do not know well may have opportunities to see what you type and may just try it themselves out of curiosity or malice. Be situationally aware every time you type your password and shield your fingers if you think you are being watched. One useful technique is to type wrong characters in the middle of the password and then backspace over them—this makes it hard for others to follow what you actually ended up typing.

Do Not Use a Bad Password

Appendix B contains a list of 20 of the “worst passwords of 2017” from SplashData. Tripwire reports that “123456” is the worst password of all time. Look over these lists and do not be one of these users! What you see on these lists is that passwords consisting of common words, sequential numbers, and basic keyboard patterns like “qwerty” are well-known among cyberattackers. Such passwords are among the first passwords to be successfully guessed by an attacker trying to get access to your computer. Professional attackers are not going to try to breach your passwords one at a time. They are going to write scripts that test hundreds, thousands, or millions of passwords, without any manual intervention.

To avoid using bad passwords, you should consider the following:

Avoid dictionary words. The first list attackers use is the dictionary. On UNIX computers, there is a file called “/usr/share/dict/words” that is automatically installed and contains over 200,000 English words, and word lists for other common languages are readily available as well.

Avoid names and dates. Like the dictionary, there are lists of common first and last names, as well as the complete results of the U.S. Census, all available online. Dates, with their strict formats of MM/DD/YYYY, or MM-DD-YYYY or DD-MMM-YYYY, are easily generated by a computer program and tested en masse.

Avoid obvious permutations. Since attackers are hacking passwords with a computer, it is easy to do simple permutations of those words. These permutations might include replacing “a” with “@,” “l” with “1” (that is the letter and the number), or other common adjustments, as well as adding numbers or punctuation marks to the ends of words. Similar techniques can be used with a telephone keypad to guess PIN codes.
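As an added example that is not from the book, the advice above expressed as a small Python password screener from the defender's side: it strips the trailing digits and punctuation attackers append, undoes the common letter-for-symbol swaps (“a” to “@”, “l” to “1”), and only then looks the remainder up in a word list, alongside checks for the date formats and “worst passwords” the chapter names. The word list and worst-password list are constructed stand-ins for /usr/share/dict/words and the Appendix B list, and the keyspace helper illustrates the per-character growth in brute-force effort from the previous section.

```python
import re
from typing import Optional

# Constructed stand-ins for /usr/share/dict/words and the Appendix B "worst passwords"
# list; a real screener would load the full files instead of these few entries.
WORDLIST = {"password", "dragon", "monkey", "welcome", "sunshine", "football"}
WORST_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}

# The letter-for-symbol swaps the chapter describes ("a" -> "@", "l" -> "1", ...),
# mapped back so that "P@ssw0rd" normalizes to "password".
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l",
                        "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"})

# Date formats named in the chapter: MM/DD/YYYY, MM-DD-YYYY, DD-MMM-YYYY.
DATE_PATTERNS = [
    re.compile(r"^\d{2}[/-]\d{2}[/-]\d{4}$"),
    re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4}$"),
]


def base_word(password: str) -> str:
    """Undo the automatic permutations: drop trailing digits/punctuation,
    reverse the symbol substitutions, and lowercase what is left."""
    core = re.sub(r"[\d\W_]+$", "", password)
    return core.translate(UNLEET).lower()


def weakness(password: str) -> Optional[str]:
    """Return why the password fails this chapter's rules, or None if it passes."""
    if password.lower() in WORST_PASSWORDS:
        return "on a worst-passwords list"
    if any(p.match(password) for p in DATE_PATTERNS):
        return "looks like a date"
    core = base_word(password)
    if core in WORDLIST:
        return f"dictionary word '{core}' with obvious permutations"
    if len(password) < 12:
        return "shorter than 12 characters"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        return "too few character classes"
    return None


def brute_force_keyspace(length: int, alphabet_size: int = 62) -> int:
    """Guesses needed to exhaust every combination; each extra character
    multiplies the work by alphabet_size (62 for mixed-case letters and digits)."""
    return alphabet_size ** length


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "25-Dec-1990", "Tr0ub4dor&3",
                      "correct-Horse-battery-7staple"):
        print(f"{candidate:32} -> {weakness(candidate) or 'passes'}")
    growth = brute_force_keyspace(9) // brute_force_keyspace(8)
    print(f"9 characters vs 8: {growth} times as many guesses")
```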

Create Good Passwords and Passphrases

There is an art to creating good passwords. Good passwords are hard to guess, easy to remember, comply with password policies for applications and websites, and are not in password databases. While it is useful to be able to memorize your passwords, it is more important that passwords be strong than for them to be memorized. The challenge here is that passwords that are written down or stored somewhere are vulnerable if that storage is breached. It’s all about managing tradeoffs. An insecure password that you can remember is probably a less secure choice than a secure password that you store in your phone or web browser (provided your phone or web browser is kept secure).

To create good passwords and passphrases, you should consider the following:

Make it long enough. Make sure your password is long enough to resist brute-force attacks. It used to be that 8 characters was enough—today it is more like 10, 12, or 14 characters. Longer is better. There is nothing wrong with having a password that is 20 characters or more, provided it works with the technology or website involved.

Make it complex enough. Complexity and length go together. By adding in uppercase, lowercase, numbers, and punctuation you help ensure your password will not be found by a simple dictionary attack. Also, most applications and websites require complexity.

Make it easy to remember. A good password is easy to remember. While names or dates on their own may be insecure, a combination of elements (like a name, plus a date, plus a random string, plus complexity) can still be simple while also being secure. Including the name of a website along with other secure password elements allows you to make a password unique to that site without having to think of random strings.

Watch out for password policies. Common applications and websites have their own password policies and requirements, and they can vary widely. These policies can make creating passwords more challenging, as some sites require punctuation, while other sites require capitalization, etc. In addition, sites may have limitations like not allowing spaces or quotation marks. Minimum and maximum password length requirements vary widely.

Consider passphrases. A passphrase involves stringing together a series of words, dates, numbers, or names into a “phrase” and then using that phrase as your password. A phrase can also include punctuation and numbers within the context of the phrase. Just beware that long passphrases with spaces may not work at some sites and may also be difficult to type on mobile devices.

Make “families” of passwords. Using the tips above, you should consider creating “families” of passwords and passphrases that all use a consistent pattern that you can remember easily, while also being related in a way that only you know. This technique allows you to rapidly change passwords when necessary to other passwords in the “family” and to group passwords according to their function, their use, or the password policies of the sites involved. You might have passwords that are optimized to be more secure, to be easier to remember (like for a family Wi-Fi site), or to be longer or more complex. You would then choose the appropriate password for the appropriate application.

Make use of password hints. Many applications and websites have password “hints” that you can use to help jog your memory if you forget the password. Do not just put “the usual” in these fields. Use these fields to identify the general password policy or the password family that you used for this site, so you can reconstruct in your memory or your notes what the correct password should be.

Rotate Passwords Regularly

Even the best password is bound to be compromised sometime, and once a password is on a breach database, it should be considered compromised forever. Websites like www.haveibeenpwned.com have taken some of these databases and made them available so the public can check their e-mail address usernames to see if they have been compromised. However, these tools are not complete. Even the best password “ages” and becomes less secure the longer it is in place and the more it is used.

To rotate your passwords regularly, you should consider the following:

Change your passwords quarterly, or at least annually. In general, you should try to change your passwords at least once a year, and preferably once a quarter.

Change your passwords after a breach. Obviously, if you hear of a breach at a website you frequent, or at one of your accounts, you should change your password. If you reuse a password at multiple sites and one of them is compromised, you should change your password at all of them. Attackers will frequently try stolen passwords across multiple sites, because they know users often re-use passwords.

Change your passwords after suspicious use. If you detect suspicious use of your account, or signs your account has been tampered with, one of your first steps should be to change your password for that account.

Change your passwords after international travel. Most of us do not think about this regularly, but you should change your passwords if you used them while traveling internationally or using public kiosks or open networks. In some countries, your logons might be monitored by national intelligence agencies, if you are identified as being a foreigner.

Consider automatic password management. The easiest way to regularly change your password is to have a machine do it for you. Password management tools can randomly generate passwords for you and automatically change your passwords on a regular basis. Automatic password rotation can make passwords secure and extremely resistant to attack, especially for sensitive financial transactions or systems administration.

Avoid Sharing Passwords

A common approach for managing password complexity is to come up with one good password, memorize it, and then use that password everywhere. This single password approach is a bad idea! You need to avoid sharing passwords or, if you are going to share passwords, do so carefully and with caution.

To avoid sharing passwords, you should consider the following:

Reduce the number of places where you share passwords. While perhaps overly simplistic, this password advice is good general guidance. It is much better for you to use password families to create unique but easy-to-remember passwords for each application or website.

Use unique passwords for shared applications. When you have an application where multiple people will access the password—like your home Wi-Fi, family Netflix, or other account—use a password that is unique from your other passwords. Most likely you will want this password to be easier to remember and type, as well.

Do not share between high security and low security needs. Your best passwords should be reserved for your highest security applications, such as e-mail, cell phone, e-commerce, and financial accounts. E-mail and cell phone accounts need strong passwords because attackers can use them to force password resets to other accounts and get into your applications, despite your passwords.

Password management is sharing, too. When you click “remember this password” in your web browser, or use a password management tool, you are basically sharing the password with that application. While these applications include security features, they are not impregnable. Your most important passwords should be shared as little as possible—it is best if they can be memorized and never shared at all.

Know where passwords are written down, cached, or recorded. When you write a password down, click “remember this password” in your web browser, or store it in a password manager, it becomes vulnerable. A breach to any of those locations can compromise the password. Know where you are recording your passwords, so if there is a problem you know which passwords need to be reset and changed.

Change Default Passwords

Just as shared passwords can pose a risk to your security, default passwords pose an even greater risk. Default passwords can appear on websites, in applications, or on network-connected devices. Most frequently, they appear on network-connected devices like routers, Wi-Fi access points, and internet of things (IoT) devices like locks, printers, gaming consoles, and home appliances.

To change default passwords, you should consider the following:

Know where default passwords reside. When you purchase computers, applications, services, or network-connected devices, read the documentation and check to see if there are default passwords. Devices like internet routers frequently have their default passwords printed on a sticker attached to the device.

Change default passwords. When you find default passwords, go ahead and change them, consistent with good password practices.

Rotate these passwords at least occasionally. Especially for devices that are internet-facing or connect to the internet, you should rotate the passwords occasionally. Also make sure these devices are kept up-to-date with their firmware and software.

Safeguard Your Passwords

The challenge of having lots of passwords is keeping them safe while also having them at your fingertips when you need them. While a sticky note under your keyboard may be relatively safe, it is not convenient when you are traveling, nor does it scale well to support hundreds of accounts. To safeguard your passwords, you need to balance the competing priorities of security, convenience, robustness, protection, and accessibility.

To safeguard your passwords, you should consider the following:

Memorize the most important passwords. While not every password needs to be memorized, the ones that protect your safety and your money are probably more important than others. Keep track of the handful of passwords that are most important to you and commit those passwords to memory.

Consider keeping a “master password” list. For the rest of your passwords, it may be desirable to keep track of them in a password list or password organizer. This list can be on paper, or it can be on a device. Paper lists have the advantage of being impossible to hack, though they are vulnerable in other ways. Mobile phones are good places to keep lists electronically, since they are convenient and are frequently more secure from hacking than personal computers.

Protect your master password list. If you keep your master list on the computer or on a device like a smartphone, make sure it is protected as well. Use password or biometric protection so only you can access the list. Also make sure the password list is backed up in case your device is lost or compromised.

Keep your passwords separate from your computer. By having your passwords on your phone, but primarily using them on the computer, you reduce the risk of computer compromise resulting in account compromise (but just a little). Avoid keeping your passwords “in the clear” on your computer, or in cloud-based storage like Dropbox. Use encryption so your passwords are protected even if the file they are in is obtained by someone.

Use a password manager. Password manager tools usually include encryption to protect your password list, authentication to verify it is you, and may include cloud storage in case you lose your device or to synchronize passwords across multiple devices. These services are not impregnable, but their benefits generally outweigh their risks.

Have backup plans. No matter how good or secure your password management is, things go wrong. Losing access to some web postings may not be a big deal but losing ten years of personal photos may be. Consider the accounts you use and have backup plans for access, in case your passwords are lost or compromised.

Understand Password Reset Mechanisms

An internet developer once famously joked, “Password reset is an authentication method.” The ability to reset your password has long been a poorly understood backdoor of internet security, and only recently have defenders begun giving it the attention it deserves. The challenge is that if it is easier to reset your password than it is to guess it, then resetting becomes the bigger vulnerability. Rather than try to guess, brute-force, or hack your account, attackers simply pretend to be you and reset the password to something they know. Frequently, by the time you figure out it has happened, the attackers are long gone.

To understand password reset vulnerabilities, you should consider the following:

Know your password reset mechanisms. For your most important accounts, check how their password reset mechanism works. Password reset is often dependent on other accounts, like e-mail accounts or phone numbers, to authenticate you. Make sure this information is kept up-to-date, and that you have alternatives, such as if you lose your phone.

Secure e-mail accounts used for password reset. Most often, password reset involves sending a temporary link or password to your e-mail account. Make sure this account is as well-protected as the accounts it is securing. Also, make sure you have a password reset mechanism for the e-mail account set up.

Secure phone numbers used for password reset. Telephone short message service (SMS, also known as texting) or phone identification is an increasingly popular mechanism for password reset, as well as for multifactor authentication (see below). Professional attackers may try to hijack your phone to reset your password and may be able to do so if they get online access to your cell phone provider account. Protect this account as well as your most secure e-mail and financial accounts.

Watch for password reset notifications. Watch out for signs that your passwords have been reset. Attackers who are resetting your passwords may try to cover their tracks by deleting notification messages or hiding them so you cannot see them. When you log on to accounts, watch for messages that state when you last logged in, or that a new computer has connected to your account. These messages could all be signs your account has been hijacked.

Use Multifactor Authentication

Regardless of how strong your password is, the strongest password in the world is most likely less secure than multifactor authentication. Multifactor authentication involves using something you have, in addition to the password you know, to positively identify you online. The thing you have may be a smart card, a digital fob (i.e., security token), a universal serial bus (USB) device, an app on your phone, or a biometric property such as your face or fingerprint. While multifactor authentication is widely used to secure workplace applications, it is becoming more common for financial and e-mail accounts as well. Not all accounts, applications, or websites support multifactor authentication, but some of your most important ones probably do.

To use multifactor authentication, you should consider the following:

Know what accounts support multifactor. Check your most important financial and e-mail accounts to see if they support multifactor authentication and use it where you can. Also, multifactor may work on mobile apps, but not work for web access, or vice versa. Understand the fine print and make sure that multifactor authentication works for you.

Understand cards, tokens, fobs, and apps. Multifactor includes a variety of form factors, with different limitations and considerations for each. You may encounter smart cards, one-time-password tokens, USB fobs, smartphone applications, and biometrics. There is no “one-size-fits-all” with multifactor authentication.

Keep your second factors together. The power of multifactor authentication is that you should notice if your second factor is lost or stolen. So, keep your authentication devices together so you know where they are. A keychain may be useful, or keeping them in a locked drawer. Just make sure you know where they are and that they are all present.

Have a backup plan. Multifactor authentication introduces a whole new way to get locked out of your accounts. Make sure you understand the backup options and reset mechanisms in case you lose your token or get locked out of your account. Beware that when multifactor is enabled, password reset mechanisms may also be enhanced to make your account harder to hack. These security features may make it harder for you to get in, as well.
