At least 12 characters is better; 20 is better still. NIST, the federal agency that publishes U.S. cybersecurity guidelines, now says websites should accept passwords of at least 64 characters, so a long one should no longer be turned away.
You don’t have to limit yourself to lowercase and uppercase letters and numerals. You can use punctuation marks and other symbols such as: & (ampersand), * (asterisk), @ (at sign), [ (open bracket), ] (close bracket), ^ (caret), $ (dollar sign), = (equal sign), < (less than), > (greater than), + (plus), / (slash), \ (backslash) and ~ (tilde). Some can work as replacements for letters.
Not all websites accept all special characters. But they often tell you which ones you can use.
4. Ditch a password for a passphrase
As you create longer passwords, a passphrase can be easier to remember than a bunch of random, mixed characters.
A passphrase should be a sequence of at least four mixed words without spaces and be something meaningful to you, such as the sentence "my cat Felix is No. 1" compressed into one string, with a few letters swapped for symbols and "No. 1" written as #1!. Keep in mind that details that are easy for you to remember, such as a pet's name, can also be easy for someone who knows you or follows your social media to guess, so mix in at least one word that has no public connection to you.
Some people create a passphrase by using association techniques. Scan a room in your home and create a passphrase from words that describe what you see, such as Window, Chair, Mug, Picture, then run the four words together and swap a few letters for symbols (the t in Picture becoming a plus sign, for instance).
NIST now recommends longer passphrases even when they lack the complexity of special characters; its guidance no longer asks sites to force a mix of character types, because length does more to slow down guessing than a sprinkling of symbols. So smashing a sentence together, or keeping the spaces where a site allows them (NIST says sites should), is a good option if it helps you remember.
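To show why length beats complexity, here is an added example (not code from the original article or from NIST) that generates a passphrase by picking words at random with the operating system's secure random number generator and computes how many bits of guessing work different choices represent. The eight-word list is constructed for the demonstration; the 7776-word figure refers to the size of a full diceware-style list such as the EFF long wordlist. The numbers only apply when the words are chosen randomly: a phrase you pick because it is meaningful to you has less entropy than this calculation suggests.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// entropyBits is log2(alphabetSize^length): the guessing work an attacker
// faces when every element was chosen uniformly at random from alphabetSize options.
func entropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// generatePassphrase picks n words uniformly at random from words using the
// OS CSPRNG and joins them with sep. Use " " as sep on sites that accept
// spaces, or "" to smash the words together.
func generatePassphrase(words []string, n int, sep string) (string, error) {
	if len(words) < 2 || n < 1 {
		return "", fmt.Errorf("need at least two words and n >= 1")
	}
	picked := make([]string, 0, n)
	limit := big.NewInt(int64(len(words)))
	for i := 0; i < n; i++ {
		// rand.Int is uniform in [0, len(words)), so there is no modulo bias.
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		picked = append(picked, words[idx.Int64()])
	}
	return strings.Join(picked, sep), nil
}

func main() {
	// Constructed miniature wordlist; a real diceware-style list has 7776
	// entries, which is where the 12.9 bits per word below comes from.
	words := []string{"window", "chair", "mug", "picture", "felix", "lamp", "carpet", "kettle"}
	p, err := generatePassphrase(words, 4, " ")
	if err != nil {
		panic(err)
	}
	fmt.Printf("random passphrase from the toy list: %q\n", p)
	fmt.Printf("8 random printable ASCII characters:   %.1f bits\n", entropyBits(94, 8))
	fmt.Printf("12 random lowercase letters:           %.1f bits\n", entropyBits(26, 12))
	fmt.Printf("4 random words from a 7776-word list:  %.1f bits\n", entropyBits(7776, 4))
	fmt.Printf("6 random words from a 7776-word list:  %.1f bits\n", entropyBits(7776, 6))
}
```

Four random words from a full list already match eight fully random printable characters, and six words comfortably beat them while being far easier to remember and type.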
Have fun with it, but be sure to store it safely. And always be aware of your surroundings in public when entering passwords, passphrases or PINs.
5. Consider a passkey
In some cases you can skip the password, and sometimes the username, entirely. A passkey lets an app or website verify you with a cryptographic key stored on your device. You unlock that key locally with a fingerprint, facial recognition, a PIN or a swipe pattern; the biometric data itself never leaves the device and is never sent to the site.
The method uses a pair of keys: a public key that the app or website stores when you register, and a private key that stays on the device you sign in with. At login the site sends a one-time challenge, the device signs it with the private key, and the site checks the signature with the public key. Nothing reusable travels over the network, and a breach of the site's database exposes only public keys, which cannot be used to log in. Apple syncs its passkeys through iCloud Keychain so a user can sign in from any of their Apple devices. Google is also rolling out passkeys through its Chrome browser and Android phones, synced through Google Password Manager.
Although Microsoft has not fully adopted passkeys yet, it offers passwordless sign-in to Outlook and OneDrive through the Microsoft Authenticator app: you approve the login on a phone you have already unlocked with your face, fingerprint or PIN, and that phone serves as the second factor.
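The two-key exchange described above, as an added example that is not code from the original article, from Apple, Google or Microsoft, or from the FIDO/WebAuthn specifications. It is a simplified model of the flow rather than the real WebAuthn message format: the website (the "relying party") stores only a public key, the device holds the private key and refuses to sign until the local fingerprint or PIN check has passed, and the site's origin is mixed into what gets signed, which is how passkeys resist phishing. The user name, origins and the `unlocked` flag standing in for the biometric check are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// relyingParty is the website side. It stores only public keys, so a breach
// of its database gives an attacker nothing that can be replayed as a login.
type relyingParty struct {
	origin     string
	publicKeys map[string]ed25519.PublicKey // username -> registered passkey
	challenges map[string][]byte            // username -> outstanding challenge
}

func newRelyingParty(origin string) *relyingParty {
	return &relyingParty{origin: origin, publicKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// authenticator is the device side. The private key never leaves it (with
// iCloud Keychain or Google Password Manager it is synced end-to-end encrypted).
type authenticator struct {
	priv     ed25519.PrivateKey
	unlocked bool // stands in for the fingerprint / face / PIN check (assumption)
}

func newAuthenticator() (*authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

// publicKey is the only thing sent to the site at registration.
func (a *authenticator) publicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// signedData binds the origin the browser reports into the signed message,
// as WebAuthn does through clientDataJSON: a signature produced while on a
// look-alike site will not verify at the real one.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// sign is the device answering a login prompt. It refuses unless the local
// user verification (biometric or PIN) has succeeded.
func (a *authenticator) sign(origin string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("user verification failed")
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), nil
}

func (rp *relyingParty) register(user string, pub ed25519.PublicKey) {
	rp.publicKeys[user] = pub
}

// beginLogin issues a fresh random challenge so a captured signature cannot
// be replayed later.
func (rp *relyingParty) beginLogin(user string) ([]byte, error) {
	if _, ok := rp.publicKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// finishLogin verifies the signature against the stored public key and the
// challenge it issued, then discards the challenge so it is single use.
func (rp *relyingParty) finishLogin(user string, sig []byte) bool {
	pub, ok := rp.publicKeys[user]
	c, okc := rp.challenges[user]
	if !ok || !okc {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signedData(rp.origin, c), sig)
}

func main() {
	rp := newRelyingParty("https://example.com")
	dev, err := newAuthenticator()
	if err != nil {
		panic(err)
	}
	rp.register("alice", dev.publicKey()) // registration: site learns the public key only

	dev.unlocked = true // user passed the fingerprint / PIN check
	c, _ := rp.beginLogin("alice")
	sig, _ := dev.sign(rp.origin, c)
	fmt.Println("genuine login accepted:", rp.finishLogin("alice", sig))

	// A look-alike site relays the real challenge to the victim's browser, but
	// the device signs over the origin it is actually on, so the real site rejects it.
	c, _ = rp.beginLogin("alice")
	sig, _ = dev.sign("https://examp1e.com", c)
	fmt.Println("phished signature accepted:", rp.finishLogin("alice", sig))
}
```

Compare this with a password: the secret a password site stores (even hashed) is the same secret the user types, so a breach or a convincing fake login page hands the attacker something reusable. Here the site never holds anything that can be replayed, and a signature made on the wrong origin is simply invalid.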
Some websites will help you
If you try to make your password too simple, you may find websites increasingly rejecting your choice. A break-in to your account is a problem for them, too.
NIST's guidance says sites should compare a new password against a blocklist and reject it if it is a dictionary word; appears in a list of passwords exposed in previous breaches; consists of repeated or sequential characters (such as aaaaaa or 1234abcd); or contains context-specific words such as the user's name, the username, the site's name or derivatives of them.
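What such a check looks like on the site's side, as an added example that is not code from the original article or from NIST. The breach list and dictionary are constructed stand-ins (a real verifier loads a full breach corpus and a dictionary into the same structure), the sample passwords and the username "felix" are made up for the demonstration, and the letter-for-symbol swaps are undone before matching so that substitutions like F3lix do not slip a dictionary word or a username past the check.

```go
package main

import (
	"fmt"
	"strings"
)

const minLength = 8 // SP 800-63B minimum for user-chosen passwords; 12 or more is better

// Constructed sample lists. A real verifier loads a full breach corpus and a
// dictionary into maps of the same shape.
var breached = map[string]bool{"password": true, "letmein": true, "qwerty123": true, "summer2023": true}
var dictionary = map[string]bool{"window": true, "chair": true, "mug": true, "picture": true, "felix": true}

// leet undoes common letter-for-symbol swaps so "F3lix" still matches
// "felix": the substitutions the article suggests do not fool a checker.
var leet = strings.NewReplacer("@", "a", "4", "a", "0", "o", "1", "i", "!", "i", "3", "e", "$", "s", "5", "s", "7", "t")

func unleet(s string) string { return leet.Replace(strings.ToLower(s)) }

// hasRepeat reports a run of n or more identical characters ("aaa").
func hasRepeat(s string, n int) bool {
	r, run := []rune(s), 1
	for i := 1; i < len(r); i++ {
		if r[i] == r[i-1] {
			run++
		} else {
			run = 1
		}
		if run >= n {
			return true
		}
	}
	return false
}

// hasSequence reports n or more consecutive ascending or descending
// characters ("1234", "dcba"), case-insensitively.
func hasSequence(s string, n int) bool {
	r, up, down := []rune(strings.ToLower(s)), 1, 1
	for i := 1; i < len(r); i++ {
		switch r[i] - r[i-1] {
		case 1:
			up, down = up+1, 1
		case -1:
			up, down = 1, down+1
		default:
			up, down = 1, 1
		}
		if up >= n || down >= n {
			return true
		}
	}
	return false
}

// checkPassword returns the reasons a verifier following SP 800-63B would
// reject pw; an empty result means it passed every blocklist check.
func checkPassword(pw, username, sitename string) []string {
	var reasons []string
	lower, norm := strings.ToLower(pw), unleet(pw)
	if len([]rune(pw)) < minLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if breached[lower] {
		reasons = append(reasons, "found in breach corpus")
	}
	if dictionary[norm] {
		reasons = append(reasons, "dictionary word")
	}
	if hasRepeat(pw, 3) {
		reasons = append(reasons, "repeated characters")
	}
	if hasSequence(pw, 4) {
		reasons = append(reasons, "sequential characters")
	}
	// Context-specific words: the username and the site name, including
	// symbol-substituted forms, must not appear inside the password.
	for _, ctx := range []string{username, sitename} {
		if c := unleet(ctx); c != "" && strings.Contains(norm, c) {
			reasons = append(reasons, "contains "+ctx+" or a derivative")
		}
	}
	return reasons
}

func main() {
	for _, pw := range []string{"password", "1234abcd", "MyC@tFelixIs#1!", "correct horse battery staple"} {
		if r := checkPassword(pw, "felix", "example"); len(r) == 0 {
			fmt.Printf("%-32q accepted\n", pw)
		} else {
			fmt.Printf("%-32q rejected: %s\n", pw, strings.Join(r, "; "))
		}
	}
}
```

Note that a cat-themed passphrase in the style of the article's example is rejected as soon as the cat's name is also the username; a phrase built from unrelated words passes every rule without needing a single symbol.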
How to store passwords safely
Rather than writing passwords on a sticky note, which others can find (especially risky in a shared space such as an office), you can keep a list of passwords in a spreadsheet, word-processing document or notes app on your computer. But you must encrypt the file with a master password or passphrase so that someone who gets into your computer, phone or tablet cannot simply open it. Encryption scrambles the file's contents so they can be read only with that master password; a file that is merely hidden, or protected only by your device's login screen, is not the same thing, so check that the app you choose actually offers an encrypt or lock feature. A dedicated password manager, such as the Google Password Manager mentioned above, does this encryption for you.
On a Windows 11 PC, open the document in Microsoft Word, then click File | Info | Protect Document | Encrypt with Password and enter a password for the file. Choose it as carefully as any other: this single password now guards every other password in the list, and if you forget it, Word cannot recover the document for you.