ServiceCRUD

Password Generator

Use our online password generator tool to instantly create a secure, random password.

A password is typically a string of characters that may include letters, numbers, and symbols that can be used to access something, typically an account, and prevent others from accessing it. In today's Internet age, it is likely that most people have experience with having a password for some kind of account. As such, it is important to understand how to construct a strong password (or use a password generator) as well as to understand how to take measures to safeguard the password.

Password strength

Password strength is a measure of how effective a password is against being guessed or against brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication factors (number of authentication factors, password requirements, etc.).

A password that is easy to remember is generally also easy for an attacker to guess. Passwords that are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets, and (c) users are more likely to re-use the same password. Similarly, the more stringent the requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.

How to create a secure password

To create a strong password, follow these guidelines:

  • Include lower-case letter(s) [a-z]
  • Include upper-case letter(s) [A-Z]
  • Include numbers [0-9]
  • Include symbols [!@#$%^&*()...]
  • Exclude words involving the user's personal information
  • Exclude words found in a password blacklist
  • Exclude company/institution names, including abbreviations
  • Exclude passwords that match common formats such as calendar dates, license plate numbers, phone numbers, or other common number formats

Password entropy

Password entropy is a measurement of how unpredictable a password is. It is based on the character set used (which can be expanded by using lowercase letters, uppercase letters, numbers, and symbols) and on password length. Password entropy is measured in bits. A password with an entropy of 42 bits would require 2^42 (4,398,046,511,104) attempts to exhaust all possibilities during a brute force search. On average, an attacker would have to try half of the possible passwords before finding the correct one.
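
The entropy calculation described above, as an added example that is not code from this page or its generator tool: it draws a password from the operating system's CSPRNG and computes entropy as length × log2(pool size). The function names and the ten-character symbol set are assumptions made for the illustration.

```python
import math
import secrets
import string

# Character classes from the guidelines above; the symbol set is an assumption.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()",
}


def entropy_bits(length, pool_size):
    """Entropy of a password whose characters are drawn uniformly and
    independently from a pool: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def min_length_for(bits, pool_size):
    """Shortest length whose entropy reaches the requested number of bits."""
    return math.ceil(bits / math.log2(pool_size))


def generate(length, classes=("lower", "upper", "digits", "symbols")):
    """Draw a password with the OS CSPRNG, redrawing until every selected
    class appears (rejection sampling keeps the accepted set uniform)."""
    if length < len(classes):
        raise ValueError("length too short to include every class")
    pool = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


if __name__ == "__main__":
    pool_size = sum(len(v) for v in CLASSES.values())  # 26 + 26 + 10 + 10 = 72
    pw = generate(16)
    print(pw, f"{entropy_bits(len(pw), pool_size):.1f} bits upper bound")
    print("length for 42 bits, lowercase only:", min_length_for(42, 26))
    print("brute-force space at 42 bits:", 2 ** 42, "average tries:", 2 ** 41)
```

The figure from entropy_bits is an upper bound: requiring every class to appear removes some candidates, and the formula only holds for randomly generated passwords, not human-chosen ones.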

How to protect your password

Beyond creating a strong password, here are additional measures to protect your accounts:

  • Don't share your password with other people: Ideally, only the user should know their password. Sharing increases the risk of less careful handling and potential theft, even if the person is trusted.
  • Don't use the same password across different websites and accounts: Using the same password everywhere means a single security breach can compromise all accounts. Consider using a password manager to help manage and use different passwords for different accounts.
  • Change your passwords regularly: While inconvenient, regular changes can help keep accounts secure. If someone learns your password, changing it limits the time they have access.
  • Never save your passwords to public devices: It's advised not to save passwords at all to reduce the risk of unwanted access. Be cautious when accessing sensitive accounts on unsecured public networks.
  • Don't keep obvious lists of your passwords: Avoid physical or electronic lists that someone could access. Use a password manager as an alternative, as phones and notebooks can be lost or stolen.