Tomorrow is World Password Day

I have been predicting the death of the password for several years now, but all of us are still using them, even if they are easily stolen, cracked, or bypassed.  A password by itself is not all that secure anymore.  But there are several simple steps you can take to make them more secure.

Do not:

  • Do not use personal information. Information such as  your name, or the name of your pet, spouse, kids, sister, father are not secrets.  Bad guys can get the names from, LinkedIn or Facebook.
  • Do not use any single word.  Passwords using dictionary words have already been cracked and are sold in lists called “Rainbow Tables.”
  • Do not be predictable.  The most common password format is Capital, lowercase word, number, symbol.  Most common number is 1, most common symbol is exclamation point! Like Password1!  Another popular format in business networks is MonthYearSymbol, such as May2020!  This one shows up in business networks that enforce periodic (monthly or quarterly) password changes.
  • Do not use easy, popular passwords.  Like Qwerty, 123456, Password1!, P@assword, P@$$w0rd.  If it’s on this list, don’t use it.  Most Popular Passwords and PINs for 2019
  • Do not reuse passwords.  When a cyber-crook gets your Facebook password, they will try it on Amazon, your email account, and your online banking account.  If you reuse, it is easy pickings.  I know this one is tough, but a password manager will solve this problem.
  • Do not change them unless you have to.  US government agency NIST advises against requiring periodic password changes and recommends changing passwords only on indication of a breach.

Do this:

  • A longer password is a stronger password.   These days, a minimum length of 12 characters.  Twenty is not too extreme.
  • Use a pass phrase.  String three or four words together, or make an acronym out of a longer sentence.  For example, the phrase “Tony is number 87 and plays Right Guard for the Ponies” becomes Ti#87&pRG4tP
  • Use password complexity.  Longer is stronger, and to beat automated password cracking by machines, length is all that matters. But adding upper case letters, numbers, symbols, and character substitution (1 = l  or 3 for e, for instance) increases password entropy, or the amount of work effort required to solve for the password.  It also helps to defeat guessing by humans.
  • Read data breach alerts.  You can know when a password of yours has been stolen by signing up for password breach alerts on
  • Use a password manager.  This makes it easy to create long and unique passwords that you never have to remember, because the software program takes care of that for you.  My favorite is LastPass.
  • Use two factor authentication. Saved the best for last.  Two factor (2FA) or multi-factor (MFA) authentication requires you to a second secret after the password.  Usually is is a six-digit randomly generated code that is replaced every thirty seconds with a new number.  The code is on a smartphone app (Google Authenticator) or an RSA key fob that is in your physical possession.  If you lose your password, a bad actor would still need the secret number that is in your pocket.  2FA is nearly unbeatable.

Following these guidelines should help you create passwords that actually work to keep your accounts and private information secure.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.