What Makes a Good Password?

Many of us spend quite a bit of time online, whether it be on social media, shopping, managing finances, or simply browsing. To access the wide array of platforms and services online, we typically need to create an account and protect it with a secure password. 

With a multitude of accounts, and just as many passwords to remember, it can be tempting to use simple passwords, or repeat old ones. This can leave your online accounts vulnerable to hackers.

With October marking the start of Cyber Security Awareness Month, the Good Hands Advice team has developed some tips to help you create secure passwords and manage them properly. 

The Dos and Don’ts of Creating a Good Password

Don’t… / Do…

Don’t use simple passwords like “12345”, obvious words like “password” or keyboard patterns like “asdfghjkl”. Even passwords like “sun123” are very easy to guess.
Do use long passwords (or passphrases) by combining words, numbers and special characters. A strong password is at least 16 characters long. For example, you could use a random string of characters, making your password among the strongest possible, such as “X4j13$#eCm1cG@KdcS&?TCbUDY”. But you could also use a passphrase like “In#1803NapoleonsHorseWasWhite!” or something that you can remember easily, without it being obvious. Do not use these precise examples, for obvious reasons. You could also swap words around in your passphrase instead of making a proper sentence.

Don’t substitute “1” for “i”, “@” for “a”, “3” for “e” and the like, as many people do.
Do use numbers and special characters, but in less obvious places in your password. You could place a special character or a number between every word in a passphrase. Taking the previous example, you could use something like: “Napoleons#1Horse8Was0White!3” (again, be sure to choose a password that will resonate with you).

Don’t use the same password for multiple websites or accounts. If one website is compromised, your login credentials could be used to try your email account or other portals, allowing the hacker to access a range of personal information about you.
Do use a different and complex password for each website or service. Consider using two (or more) different email addresses. Some people have different email accounts for their social media channels, streaming services, banking/financial, or even for miscellaneous accounts. This allows you to protect your other accounts from potential hackers looking to use the same email across a range of online services.

Don’t use any personal information as a password, like your child’s name, a nickname, a birth date or the model of your first car. This information can usually be found in your account information or security questions on a variety of websites.
Do use words or numbers that have a meaning just for you and nobody else. Or make something up entirely, like “Lucky1To2Go4Happy$Shopping(ShowTime)”. Long passwords are less likely to be guessed or hacked.

Don’t forget to log out of your email accounts when you leave your computer unattended. If your laptop gets lost or stolen, people could have access to all of your information and retrieve any of your passwords.
Do log out of both your email accounts and your computer when you are not using them. This way, it becomes much more difficult for a hacker to gain access to any information.

Don’t write your password on sticky notes or in a notebook, next to your computer. A thief could get their hands on them, or you could lose them all in a fire or flood.
Do use a password manager. Many exist and are safe to use. Password managers allow you to synchronize your passwords with your smartphone to access them anywhere, anytime. Do your research and choose which is right for you. And, don’t forget to log out of your password manager website or lock the app to ensure they stay out of reach of prying eyes or hands.

Don’t use the same password forever on any website.
Do change your password every 6 months. This can help secure your account if a website is hacked.

Don’t think your weak password is safe because you use Two-Factor Authentication (2FA).
Do use 2FA, especially for your email and bank account(s). But know that, although this adds an extra layer of security, it is not 100% hack-proof – even with text or SMS validation. Authenticator apps can also help protect your accounts and passwords, so if you are offered a choice between the two, we recommend going with an Authentication app (such as those from Google or Microsoft).
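
The first two “Don’ts” above can be checked automatically, which also shows why swapping “@” for “a” adds so little: the swap is easy to undo. The sketch below is an added example, not part of the original article; the word list is a small constructed sample and the function names are assumptions.

```python
import re

MIN_LENGTH = 16  # the article's minimum length for a strong password

# Constructed sample of weak base words; a real check would use a large
# list of breached passwords instead.
COMMON_WORDS = {"password", "sun", "letmein", "welcome", "admin", "qwerty"}

# Keyboard rows, used to spot walks such as "asdfghjkl" or "12345".
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# The look-alike swaps the article warns about, mapped back to letters.
UNLEET = str.maketrans({"1": "i", "!": "i", "@": "a", "4": "a",
                        "3": "e", "0": "o", "$": "s", "5": "s"})


def has_keyboard_walk(text, run=5):
    """True if text contains `run` or more adjacent keys from one row."""
    lowered = text.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):  # left-to-right and right-to-left
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lowered:
                    return True
    return False


def check_password(password):
    """Return which of the article's "Don'ts" the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if has_keyboard_walk(password):
        problems.append("keyboard pattern")
    # Drop digits and symbols tacked onto either end ("sun123" -> "sun"),
    # then also undo the look-alike swaps ("p@ssw0rd" -> "password").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if stripped in COMMON_WORDS or stripped.translate(UNLEET) in COMMON_WORDS:
        problems.append("common word")
    return problems
```

A password that passes these three checks is not automatically strong; the checks only catch the specific mistakes listed in the table.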

What Other Ways Can I Protect Myself Online?

Practicing good online habits can help make sure all your accounts and personal information are safe. This can save you a lot of trouble, such as having to deal with identity theft and fraud.

For more tips and tricks visit www.getcybersafe.gc.ca/en/cyber-security-awareness-month.

Do you have questions or any tips about password security in general? We’d love to hear about them in the comments!
This information and the opinions expressed in this blog are written by Capital-Image Inc., conducted on behalf of Allstate Canada. This blog has been provided for your convenience only and should not be construed as providing legal or insurance advice.