Javascript is not enabled.

Javascript must be enabled to use this site. Please enable Javascript in your browser and try again.

Skip to content

Where you live can impact your health and happiness. See how your community measures up.

Content starts here
CLOSE ×
Search
Popular Searches

Games

Car rental

AARP daily Crossword Puzzle

Hotels with AARP discounts

Life Insurance

AARP Dental Insurance Plans

Travel

Suggested Links
Help Show me my account info Change my Address How do I contact AARP? Where is my membership card? How do I get a digital card?
Red Membership Card

AARP MEMBERSHIP 

AARP Membership — $12 for your first year when you sign up for Automatic Renewal

Get instant access to members-only products, hundreds of discounts, a free second membership, and a subscription to AARP the Magazine. 

 

120x30-AARP-logo-red
Join
Renew
Enroll
Rejoin

AARP en Español

Join
Renew
Enroll
Rejoin
Leaving AARP.org Website

You are now leaving AARP.org and going to a website that is not operated by AARP. A different privacy policy and terms of service will apply.

Continue Cancel

6 Steps to Help You Create Strong Passwords

Be random. Never repeat. Make them long and complicated

By

Marc Saltzman,

 
AARP
Comments
Published January 03, 2023
/ Updated July 01, 2024
a series of images showing passwords that are weak, moderate and strong
Animation: AARP

In this story

A weak linkQuirky is goodRepetition is notSpecial characters add challengesPassphrases aid memoryPasskeys help verifyBrowsers can assist

Smartphones and computers make life convenient.

Shop online and your device stores the data. With one click, your name, address, email, phone and payment choice pop up on a site.

But with that ease comes serious risk, and the first mistake can be how you gain access to a site. A username and password combine to form one of the biggest gateways to a data breach.

Image Alt Attribute

AARP Membership— $12 for your first year when you sign up for Automatic Renewal

Get instant access to members-only products and hundreds of discounts, a free second membership, and a subscription to AARP the Magazine. 

Join Now

Predictable word and letter combinations may be shared with friends and family, used across multiple accounts, kept in lists, scrawled on notepads and stowed within the very device that’s susceptible to hacking.

If you don’t want to use a password manager app, which generates random, complicated passwords to log in to online accounts, you have other ways to create unique, secure passwords to store your information safely.

So what makes a strong password?

1. Be unpredictable in your keystrokes

Choose random words instead of those in a well-worn dictionary. Cybercriminals often run programs that cross reference dictionaries to crack passwords. If you would play the word in a game of Scrabble, don’t use it as a password.

Avoid personal details, too. Steer clear of birthday or anniversary dates to unlock your smartphone or gain access to sites. Cybercriminals get clues by looking at social media posts or phishing for information through bogus emails.

Don’t use simple combinations: 123456, password, admin, 1234, UNKNOWN, 12345678, 123456789, 12345, abc123 and Password were the top 10 in 2023 in the United States, according to a study from Nord Security, an online privacy company headquartered in Vilnius, Lithuania, that partnered with independent cybersecurity researchers for its fifth annual password report. 

The worldwide list with information from 35 countries didn’t vary much, and even in another language, the patterns were not surprising. In France, the third most popular password was azerty, not a French word but the top row of letters on a French keyboard. The sixth most popular password? azertyuiop, which adds the remaining letters in the row. 

2. Embrace variety and shun cloning

Never repeat the same password, even if it’s super strong like f!P%^&TRf04. If you use the same password on multiple accounts and your system is breached, cybercriminals not only know your password but also can figure out all the sites and apps you visit.

More than three-quarters of 2,000 respondents to a survey released in June admit they use the same password to log into more than one account, according to Forbes Advisor and Talker Research, formerly OnePoll.

Also avoid using repetitive letters or numbers to make a password longer. Password may be weak, but so is paaaassword. Sequential numbers and letters, such as qwerty, the top row of letters on an English-language keyboard, have the same problem. Don’t add the next four letters either: qwertyuiop.

Technology & Wireless

Consumer Cellular

5% off monthly fees and 30% off accessories

View Details
See All
See more Technology & Wireless offers >

3. Use your keyboard’s special characters

The National Institute of Standards and Technology recommends passwords of at least eight characters, but that’s a low bar for hackers to crack. At least 12 characters is ideal; 20 characters is even better.

While most people won’t go this far, the agency says website passwords could be as long as 64 characters. That’s when a password manager would be helpful.

When configuring a password, don’t limit yourself to lower- and uppercase letters and numerals. You can use punctuation marks and other symbols to make it a lot less likely that a crook will guess your combination:

  • ampersand &
  • asterisk *
  • at sign @
  • brackets, open [ or close ]
  • caret ^
  • dollar sign $
  • equal sign =
  • greater than >
  • less than <
  • plus +
  • slash, forward / or back \
  • tilde ~

Some can work as replacements for letters. For example, D0m8inma$ter@ for “domain master” or G00denuf!1 for “good enough.” Have fun with it.

Not all websites accept all special characters. But they often tell you which ones you can use.

4. Opt for a passphrase to create a longer password

A passphrase can be easier to remember than random mixed characters. It can be a sequence of at least four words without spaces and something meaningful to you, such as myb!rDP0lly#1!, which loosely translates to “my bird Polly is No. 1.”

Some people create such a phrase using association techniques. Think of the site you’re visiting and create a password that relates to the service, perhaps Ih8tethisb&nk$! for “I hate this bank” or N3v3rsh0ph3r3ag8in$ for “never shop here again.”

The National Institute of Standards recommends longer passphrases even if you don’t include the complexity of special characters.

What you’re trying to do is turn the odds more in your favor when hackers try to guess your password. Think of this particular game like a lottery you don’t want them to win. Add more balls to the pool with special characters or increase the number of balls drawn with length, and possible combinations turn exponentially against the criminals. 

Want to geek out on the odds? A hacker has a roughly 1 in 1.2 trillion random chance of figuring out your password if you’re using eight characters with only digits and lowercase letters. The numbers are high because what you type is in a specific order, but the bad guys don’t do this manually. If you use a 12-character password and expand your choices to include capital letters and the special characters listed above, the odds of landing on the correct 12-character combo increase to 1 in almost 15 sextillion, as in add 21 zeros on the end. 

5. Consider a passkey for verification

A passkey verifies an app or website user through biometrics, such as a fingerprint or facial recognition, using a PIN or swiping to create a pattern. The method uses two keys, one that resides on the app or website and the other through the device accessing it.

  • Apple syncs its passkeys through its iCloud Keychain, a built-in password manager that allows user access on any Apple devices.
  • Google now has passkeys through its Chrome browser and Android phones, synced to Google Password Manager.
  • Microsoft offers logins without passwords for Windows users to sign into Microsoft accounts using their face, fingerprint or PIN.

Also possible: A physical security key to log into important accounts.

6. Accept help from your web browser

If you make your password too simple, you may find websites reject your choice and request you to try again. That’s because a data breach for you also has consequences for them.

Browsers such as Google Chrome, Apple Safari, Microsoft Edge and Mozilla Firefox have built-in password managers and will prompt you to let them generate complex passwords for you. Most commercial password manager apps, such as subscription-based 1Password, Bitwarden, Dashlane, Keeper Security and LastPass, have the same feature.

If you worry you may be caught up in a data breach, trusted resources such as haveibeenpwned.com and Cybernews’ data breach lookup can help. Type in your email or phone number to check if you’ve been exposed.

This story, originally published Jan. 3, 2023, was updated with new password tips, statistics and advice.

Marc Saltzman is a contributing writer who covers personal technology. He hosts the podcast series Tech It Out and is the author of several books, including the upcoming Apple Vision Pro for Dummies.

Unlock Access to AARP Members Edition

Join AARP to Continue

Already a Member?

Benefits Recommended For You

See All