When you’re picking a new password for an account, you’ve probably noticed that most services tell you how strong your password is. This is meant to be a gauge of how tough it would be for a hacker to get into your account. If you’re told your password is weak, you should definitely work on improving your password—but if you’re told your password is good (or even okay), chances are you’ll stick with that password instead of trying to remember one that’s more complicated.
But do password strength meters really help us make strong passwords? Testing by anti-virus maker Sophos says no. The problem is that many common strength meters don’t do a good job of measuring what makes a strong password. It’s easy for a password meter to tell if your password is made up of dictionary words and has no special characters. That’s just a measure of how hard a password would be to crack using brute force guessing. According to Sophos, this is not the first method hackers use to try to crack passwords. They use methods that take into account the common ways people d!sguise comm0n words. So meters need to determine how guessable a password would be, which is more difficult to gauge.
To judge how well password checkers do their jobs, Sophos picked the five most common password strength meters and ran five of the most commonly used—and therefore the least secure—passwords through them. None of these common meters saw all of these as the weak passwords they are, and one even thought three of the five were good.
Compounding this problem is the fact that many people are also pretty bad at telling what a strong password is. So it’s easy to make a bad password without even realizing it.
Since you can’t count on a password site to tell you whether you’ve made a strong password, what should you do? Here are some tips for making the best possible passwords:
Avoid using words out of the dictionary, which are easy for password cracking software to figure out. Phrases and acronyms are better.
Never use a password on the most used passwords list.
Use long passwords, at least 12 characters. To make it easier to remember, turn the password into a meaningful sentence. For example, “This little piggy went to market” turns into “tlpWENT2m.” Notice that not only does this password use the letters from the sentence, but it uses both uppercase and lowercase characters and replaces “to” with “2.”
Add special characters and punctuation.
Don’t include any personal information like your address or birth date, which can make your password easier to guess.
Never use the same password on more than one site—if you do, one site getting hacked means all of your accounts are compromised!
Use a password manager to keep track of all of your passwords. If they’re just written down on a post-it stuck to your desk, they’re not very secure!
Use two-factor authentication—where you have to enter a password and a code (usually texted to your phone)—on any site or service that supports it.
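To show the difference between a composition-only meter and a guessability check (the point made about Sophos’s findings above), and to turn several of the tips above into an automated check, here is a small added Python example that is not from the original article or from Sophos. The word lists are short constructed samples, and the substitution table is an assumed approximation of common disguises like “d!sguise” and “comm0n”.

```python
import re

# Constructed sample lists; a real checker would load full wordlists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein", "iloveyou", "monkey"}
DICTIONARY = {"password", "summer", "dragon", "welcome", "little", "piggy", "market", "monkey"}

# Assumed table of substitutions people use to disguise words ("d!sguise", "comm0n").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                          "@": "a", "5": "s", "$": "s", "7": "t", "+": "t"})


def normalize(pw):
    """Undo the usual disguises: drop trailing digits/punctuation, reverse
    leet-speak substitutions, and ignore case (e.g. "P@ssw0rd!" -> "password")."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.translate(LEET_MAP).lower()


def composition_score(pw):
    """What a naive meter does: count character classes used, plus a length bonus."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes + (len(pw) >= 12)


def guessability_check(pw, personal_info=()):
    """Return the reasons a password is guessable; an empty list means none found.
    Checks the tips above: common-password list, dictionary words after undoing
    substitutions, length of at least 12, and personal information."""
    reasons = []
    base = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        reasons.append("on the most-used passwords list")
    if base in DICTIONARY:
        reasons.append("a single dictionary word (after undoing substitutions)")
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    for item in personal_info:
        if item and item.lower() in pw.lower():
            reasons.append(f"contains personal info {item!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "This little piggy went to market"):
        print(candidate, composition_score(candidate), guessability_check(candidate))
```

The composition score rates “P@ssw0rd!” and the full passphrase identically, while the guessability check rejects the first for being a disguised entry on the common-password list.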