Creating Strong Passwords
Last Reviewed: August 18, 2023
Reusing passwords is a dangerous security practice. If someone gets ahold of your password —whether that's from a data breach, or wherever else—they can often gain access to any other account you used that same password. The solution is to use unique passwords everywhere and take additional steps to secure your accounts when possible.
Creating Strong Passwords Using Password Managers anchor link
A password manager is a tool that creates and stores unique passwords for you, so you can use many different passwords on different sites and services without having to memorize them. Password managers:
- Generate strong passwords that a human being would be unlikely to guess.
- Store several passwords (and responses to security questions) safely.
- Protect your passwords with a single master password (or passphrase ).
- Sync passwords between your devices, so you can access these complex passwords from anywhere.
Choosing the right password manager can take some research, but you can follow our guide to help ease the process.
Passwords managers may not be for everyone, but a good password manager does its best to mitigate potential security problems. It's still important to remember:
- Using a password manager creates a single point of failure.
- Password managers are an obvious target for adversaries.
This is why you should have a strong master password and enable two-factor authentication when possible. But if a powerful adversary like a government is targeting you, it’s important to carefully choose the right password manager and set it up for maximum security.
For some people, a low-tech solution might be better than a password manager. It depends on your threat model , but having different passwords for each site written on a piece of paper and kept in a secure location is better than reusing a single password on every site.
Creating Strong Passwords Using Dice anchor link
You should memorize a few passwords that need to be particularly strong. These include:
- Passwords for your device
- Passwords for encryption (like full-disk encryption)
- The master password, or “passphrase,” for your password manager
- Your email password
One of many difficulties when people choose passwords themselves is that people aren't very good at making random, unpredictable choices. An effective way of creating a strong and memorable password is to use dice and a word list to randomly choose words. Together, these words form your “passphrase.” A "passphrase" is a type of password that is longer for added security. For disk encryption and your password manager, we recommend selecting a minimum of six words.
Why use a minimum of six words? Why use dice to pick words in a phrase randomly? The longer and more random the password, the harder it is for both computers and humans to guess. To find out why you need such a long, hard-to-guess password, here’s a video explainer.
Password managers make strong passphrases for you, but if you want to try an analog version to learn how it works, you can use one of EFF's standard word lists, or a fandom-inspired word list.
If your computer or device gets compromised and spyware is installed, the spyware can watch you type your master password and could steal the contents of the password manager. So it's still very important to keep your computer and other devices clean of malware when using a password manager.
A Word About “Security Questions” anchor link
Be careful with the “security questions” that some websites use to confirm your identity. Honest answers to these questions are often publicly discoverable facts that a determined adversary can easily find and use to bypass your password entirely.
Instead, give fictional answers that no one knows but you. For example, if the security question asks:
“What was the name of your first pet?”
Your answer could be a random password generated from your password manager. You can also store these fictional answers in your password manager.
Think of sites where you’ve used security questions and consider changing your responses. Do not use the same passwords or security question answers for multiple accounts on different websites or services.
Multi-Factor Authentication and One-Time Passwords anchor link
Strong, unique passwords make your account security much stronger. To further protect your accounts, enable two-factor authentication when you can.
Some services offer two-factor authentication (also called 2FA, multi-factor authentication, or two-step verification), which requires you to possess two components (a password and a second factor) to gain access to your account. The second factor could be a one-off secret code or a number generated by an app running on a mobile device.
Two-factor authentication using a mobile phone can be done in one of two ways:
- Your phone can run an authenticator application that generates security codes (most password managers can do this, or you can use a standalone application such as Authy), or you can use a stand-alone hardware device (such as a YubiKey).
- The service can send you an SMS text message or email with an extra security code that you need to type in whenever you log in.
If you have a choice, pick the authenticator application or stand-alone hardware device instead of receiving codes by text message. It’s easier for an attacker to redirect these codes to their own phone than it is to bypass the authenticator.
Some services, such as Google, also generate a list of one-time passwords, sometimes called single-use passwords. These are meant to be printed or written down on paper and carried with you. Each of these passwords works only once, so if one is stolen by spyware when you enter it, the thief won't be able to use it for anything in the future.
More useful than one-time passwords are backups of the security codes. Many authenticator applications offer optional backups, where your security codes are stored on a third-party server. This makes it so that if you lose your phone, you can restore the backup and easily get back into your accounts without finding those one-time passwords.
If you don't have a backup, and you didn't save the one-time passwords, you may lose access to your accounts forever. Like password managers, this has a security trade-off and some people may not want to back up the tokens. Check with the app's documentation to make sure the backups are end-to-end encrypted. If you are never asked to create a password for the backup, there's a good chance they are not.
Sometimes, You May Need to Disclose Your Password anchor link
Laws about revealing passwords differ from place to place. In some jurisdictions, you may be able to legally challenge a demand for your password, while in others, local laws allow the government to demand disclosure, and even imprison you on the suspicion that you may know a password or key . Threats of physical harm can be used to force someone to give up their password. Or you may find yourself in a situation, such as traveling across a border, where the authorities can delay you or seize your devices if you refuse to give up a password or unlock your device.
We have a separate guide to crossing the U.S. border that gives advice on how to deal with requests for access to devices while traveling to or from the United States. In other situations, you should think about how someone might force you or others to give up your passwords, and what the consequences would be.