
6 Steps to Help You Create Strong Passwords

Be random. Never repeat. Make them long and complicated


[Animation (AARP): a series of images showing passwords that are weak, moderate and strong]

Smartphones and computers make life convenient.

Shop online and your device stores the data. With one click, your name, address, email, phone and payment choice pop up on a site.

But with that ease comes serious risk, and the first mistake can be how you gain access to a site. A username and password combine to form one of the biggest gateways to a data breach.

Predictable word and letter combinations may be shared with friends and family, used across multiple accounts, kept in lists, scrawled on notepads and stowed within the very device that’s susceptible to hacking.

If you don’t want to use a password manager app, which generates random, complicated passwords to log in to online accounts, you have other ways to create unique, secure passwords to store your information safely.

So what makes a strong password?

1. Be unpredictable in your keystrokes

Choose random words instead of those in a well-worn dictionary. Cybercriminals often run programs that cross-reference dictionaries to crack passwords. If you would play the word in a game of Scrabble, don’t use it as a password.

Avoid personal details, too. Steer clear of birthday or anniversary dates to unlock your smartphone or gain access to sites. Cybercriminals get clues by looking at social media posts or phishing for information through bogus emails.

Don’t use simple combinations: 123456, password, admin, 1234, UNKNOWN, 12345678, 123456789, 12345, abc123 and Password were the top 10 in 2023 in the United States, according to a study from Nord Security, an online privacy company headquartered in Vilnius, Lithuania, that partnered with independent cybersecurity researchers for its fifth annual password report. 

The worldwide list with information from 35 countries didn’t vary much, and even in another language, the patterns were not surprising. In France, the third most popular password was azerty, not a French word but the top row of letters on a French keyboard. The sixth most popular password? azertyuiop, which adds the remaining letters in the row. 

2. Embrace variety and shun cloning

Never repeat the same password, even if it’s super strong like f!P%^&TRf04. If you use the same password on multiple accounts and your system is breached, cybercriminals not only know your password but also can figure out all the sites and apps you visit.

More than three-quarters of 2,000 respondents to a survey released in June admit they use the same password to log into more than one account, according to Forbes Advisor and Talker Research, formerly OnePoll.

Also avoid using repetitive letters or numbers to make a password longer. Password may be weak, but so is paaaassword. Sequential numbers and letters, such as qwerty, the top row of letters on an English-language keyboard, have the same problem. Don’t add the next four letters either: qwertyuiop.

3. Use your keyboard’s special characters

The National Institute of Standards and Technology recommends passwords of at least eight characters, but that’s a low bar for hackers to crack. At least 12 characters is ideal; 20 characters is even better.

While most people won’t go this far, the agency says website passwords could be as long as 64 characters. That’s when a password manager would be helpful.

When configuring a password, don’t limit yourself to lower- and uppercase letters and numerals. You can use punctuation marks and other symbols to make it a lot less likely that a crook will guess your combination:

  • ampersand &
  • asterisk *
  • at sign @
  • brackets, open [ or close ]
  • caret ^
  • dollar sign $
  • equal sign =
  • greater than >
  • less than <
  • plus +
  • slash, forward / or back \
  • tilde ~

Some can work as replacements for letters. For example, D0m8inma$ter@ for “domain master” or G00denuf!1 for “good enough.” Have fun with it.

Not all websites accept all special characters. But they often tell you which ones you can use.
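The rules in steps 1 through 3 can be turned into a checker. The block below is an added example, not code from the article or from AARP; the top-10 list and keyboard rows come from the text above, while the tiny word list is a constructed stand-in for the dictionaries that cracking programs cross-reference, and the "three character classes" threshold is an assumption chosen for the example.

```python
import re

# Constructed inputs for this example (not the article's code): the ten
# passwords the article reports as the most common in the United States in 2023.
TOP_10_2023_US = {
    "123456", "password", "admin", "1234", "UNKNOWN",
    "12345678", "123456789", "12345", "abc123", "Password",
}

# Keyboard rows the article names (English qwerty row, French azerty row).
KEYBOARD_ROWS = ("qwertyuiop", "azertyuiop")

# Tiny constructed word list standing in for the dictionaries that cracking
# programs cross-reference; a real checker loads a full word list.
DICTIONARY_WORDS = {"password", "admin", "domain", "master", "bird", "polly",
                    "good", "enough", "bank", "shop", "never", "again"}

MIN_LENGTH = 12   # the article's "ideal" minimum; 20 is better still


def check_password(pw: str) -> list[str]:
    """Return the article rules a candidate password violates (empty list = passes)."""
    findings = []
    lower = pw.lower()

    # Step 1: predictable choices (top-10 list, dictionary words of 4+ letters)
    if lower in {p.lower() for p in TOP_10_2023_US}:
        findings.append("in the top-10 most common list")
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in lower:
            findings.append(f"contains dictionary word '{word}'")

    # Step 2: padding with repeats (paaaassword), keyboard walks, sequential digits
    if re.search(r"(.)\1{2,}", pw):
        findings.append("three or more identical characters in a row")
    for row in KEYBOARD_ROWS:
        walk = next((row[i:i + 4] for i in range(len(row) - 3)
                     if row[i:i + 4] in lower), None)
        if walk:
            findings.append(f"keyboard sequence '{walk}'")
            break
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", pw):
        findings.append("sequential digits")

    # Step 3: length and variety (assumption: any non-alphanumeric counts as a symbol)
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if sum(classes) < 3:
        findings.append("uses fewer than three character classes")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "paaaassword", "qwertyuiop",
                      "f!P%^&TRf04", "myb!rDP0lly#1!"):
        print(f"{candidate!r}: {check_password(candidate) or 'passes'}")
```

Run as a script, it reports why each of the article's own weak examples fails and shows that the "super strong" f!P%^&TRf04 is still one character short of the 12-character bar, while the myb!rDP0lly#1! passphrase from step 4 passes every rule.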

4. Opt for a passphrase to create a longer password

A passphrase can be easier to remember than random mixed characters. It can be a sequence of at least four words without spaces and something meaningful to you, such as myb!rDP0lly#1!, which loosely translates to “my bird Polly is No. 1.”

Some people create such a phrase using association techniques. Think of the site you’re visiting and create a password that relates to the service, perhaps Ih8tethisb&nk$! for “I hate this bank” or N3v3rsh0ph3r3ag8in$ for “never shop here again.”

The National Institute of Standards and Technology recommends longer passphrases even if you don’t include the complexity of special characters.

What you’re trying to do is turn the odds more in your favor when hackers try to guess your password. Think of this particular game like a lottery you don’t want them to win. Add more balls to the pool with special characters or increase the number of balls drawn with length, and possible combinations turn exponentially against the criminals. 

Want to geek out on the odds? A hacker has a roughly 1 in 1.2 trillion random chance of guessing your password if you’re using eight characters drawn only from digits and lowercase letters. The numbers are high because the order of the characters matters, not just which ones you pick, but the bad guys don’t guess manually; they run programs that try combinations at machine speed. If you use a 12-character password and expand your choices to include capital letters and the special characters listed above, the odds of landing on the correct 12-character combo rise to 1 in almost 15 sextillion, as in add 21 zeros on the end.
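The lottery analogy above is the formula alphabet_size ** length: every extra symbol in the alphabet adds balls to the pool, every extra character adds another draw. The block below is an added example, not the article's own calculation; it computes that count for any alphabet and length, derives the implied alphabet from the classes a password actually uses, and compares the policies the article contrasts. The 14-symbol class is the list under step 3, and treating any non-alphanumeric character as a member of that class is an assumption made for the example.

```python
import math

# Character-class sizes behind the article's odds discussion.
LOWERCASE, UPPERCASE, DIGITS = 26, 26, 10
ARTICLE_SYMBOLS = 14   # the fourteen symbols listed under step 3
ALL_CLASSES = LOWERCASE + UPPERCASE + DIGITS + ARTICLE_SYMBOLS   # 76


def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct strings of `length` characters drawn from `alphabet_size`
    symbols. Order matters, so this is alphabet_size ** length, not a combination."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity as a bit count: each extra bit doubles the search space."""
    return length * math.log2(alphabet_size)


def alphabet_size_for(pw: str) -> int:
    """Alphabet size implied by the classes a password actually uses.
    Assumption (not from the article): any non-alphanumeric character is
    treated as one of the article's 14-symbol class."""
    size = 0
    if any(c.islower() for c in pw):
        size += LOWERCASE
    if any(c.isupper() for c in pw):
        size += UPPERCASE
    if any(c.isdigit() for c in pw):
        size += DIGITS
    if any(not c.isalnum() for c in pw):
        size += ARTICLE_SYMBOLS
    return size


def compare_policies() -> dict[str, int]:
    """Keyspaces for the two policies the article contrasts, plus two
    length-only variants that show length beating symbol variety."""
    return {
        "8 chars, digits + lowercase": keyspace(LOWERCASE + DIGITS, 8),
        "8 chars, all four classes": keyspace(ALL_CLASSES, 8),
        "12 chars, lowercase only": keyspace(LOWERCASE, 12),
        "12 chars, all four classes": keyspace(ALL_CLASSES, 12),
    }


if __name__ == "__main__":
    for policy, n in compare_policies().items():
        print(f"{policy:30s} {n:.3e} strings, {math.log2(n):5.1f} bits")
    print("step-4 passphrase example implies a",
          alphabet_size_for("myb!rDP0lly#1!"), "symbol alphabet")
```

The comparison makes the point behind the NIST remark on passphrases: four more lowercase letters (12 characters from a 26-symbol alphabet) yield more possible strings than eight characters drawn from all 76 symbols, because length sits in the exponent while alphabet size sits in the base.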

5. Consider a passkey for verification

A passkey verifies an app or website user with biometrics, such as a fingerprint or facial recognition, with a PIN, or by swiping a pattern. The method uses a pair of keys: a public key held by the app or website and a private key that stays on the device accessing it.

  • Apple syncs its passkeys through its iCloud Keychain, a built-in password manager that allows user access on any Apple devices.
  • Google now has passkeys through its Chrome browser and Android phones, synced to Google Password Manager.
  • Microsoft offers logins without passwords for Windows users to sign into Microsoft accounts using their face, fingerprint or PIN.

Also possible: A physical security key to log into important accounts.

6. Accept help from your web browser

If you make your password too simple, you may find websites reject your choice and request you to try again. That’s because a data breach for you also has consequences for them.

Browsers such as Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox have built-in password managers and will prompt you to let them generate complex passwords for you. Most commercial password manager apps, such as subscription-based 1Password, Bitwarden, Dashlane, Keeper Security and LastPass, have the same feature.

If you worry you may be caught up in a data breach, trusted resources such as haveibeenpwned.com and Cybernews’ data breach lookup can help. Type in your email or phone number to check if you’ve been exposed.

This story, originally published Jan. 3, 2023, was updated with new password tips, statistics and advice.
