If you consider yourself at least somewhat IT-aware, you know that a 4-character password is no longer any good (and hasn’t been for a long time).

At the same time, you probably appreciate that having to remember a 16-character password is neither practical nor efficient, at least not if you’re planning to have a unique one for every online account you create.

The solution, therefore, is to use a free password manager / generator instead of having to create and remember the passwords yourself. In essence, these are built on the same principles as constructing an optimal password manually, the only difference when it comes to using them is that they automate the process and do the heavy lifting for you. In fact, the best cybersecurity professionals use them themselves. But the best thing is, you don’t need to be a professional yourself to use them with the same degree of efficiency.

With that out of the way, we’ll look at what makes passwords safe and how you should design them to be resilient to cyber-attacks. In addition, we will provide some tips on how you can check whether you’ve previously been hacked.

The Optimal Password Length

If 4 characters is too short for a password, what is the ideal length to aim for?

The answer is – it depends. If you’re using a password manager, e.g. NordPass, the answer is straightforward: use the longest one you can think of (and the kind the site lets you use). Otherwise, shoot for the middle ground between practicality and security. When it comes to the latter, the longer the better.

If you want the best of both worlds, a good trick is to combine a couple of words that aren’t hard to remember, sprinkle some numbers and special characters on top, and let that be your password. At the same time, be careful not to make these words too easy to guess or associate with you (for obvious reasons, your town of birth or home address may not be the strongest of choices).

The problem with reusing your passwords

If you’re considering using the same password more than once, think twice.

By doing so, you subject yourself to unnecessary risk. If someone steals your password or compromises a website you have an account with, they will be able to access your entire portfolio of accounts. Don’t make a hacker’s job any easier than it needs to be.

Know whether you’ve been hacked

While there’s no fool proof way to know whether or not you’ve been hacked, there are subtle clues to be on the lookout for.

You can start with your local machine. Have you noticed anything strange lately? Perhaps your device isn’t as responsive as it used to be, or weird pop-ups appear on your screen? These are signs of a malware infection so ,if you’ve noticed them, it’s time for an antivirus scan.

It is also possible that a website you signed up with has been compromised, in which case there’s nothing you could have done about it. To verify if this is the case, visit Have I Been Pwned to see if has happened. If you previously resorted to the bad practice of reusing your passwords, change them immediately.

Fortify your passwords with 2FA

No matter how complex you’ve designed your password to be, someone could still steal it from you. So, it is best to make a password as strong as possible but also to avoid making it the only line of defense between you and your personal data. Instead, enable two-factor authentication (2FA) to increase the security of your accounts.

In essence, 2FA acts as an extra step you need to take before being able to access your account. In most cases, the website asks for an additional randomly generated code sent to you through another communication channel. This could either be an email message, an SMS, or an app prompt. So, even if hackers get a hold of your password, they will need physical access to your device to bypass your defenses. In practice, this is hard to accomplish, hence why using 2FA is such a strong security measure.

It’s not bulletproof, however. By committing SIM swap fraud, a hacker can get access to your phone number, which they can use to intercept your verification code. That’s why it’s much safer to use professionally designed solutions such as Google or Microsoft Authenticator and similar. This includes physical devices such as YubiKey.

---

---

How Often Should You Reset Your Passwords?

This is a delicate question with no simple answer. Moreover, when it comes to the frequency of resetting your passwords, there are different schools of thought.

Once again, it boils down to the question of weighing security against practicality. However, that question is very easy to answer if you’ve been hacked (or the same happened to a website you’re registered with), in which case the answer is today. As for the other situations, it depends.

For a long time, the industry experts suggested 60 to 90 days to be the optimal time frame. But recently, Microsoft noted this is not needed (unless, of course, you have reason to believe that one of your accounts has been compromised). After all, changing one’s password too often could prompt some to resort to crafting over-simplified passwords just to keep on top of everything, a practice that is not recommended.

Is it a good idea to write your passwords down?

Yes and no; it depends on personal circumstances. Do you live with people you can trust? If it’s your family, then perhaps the benefits outweigh the risks. Then again, if it’s roommates you haven’t known for long enough, you should reconsider it. Because either way, this creates an additional security risk, although it’s specific. It’s more of a physical-access risk than it is a digital one.

However, the risk of someone breaking into your home to steal your passwords is much lower than the risk of being targeted in a digital attack. A burglar would have to know you’ve written your passwords down in the first place, succeed in breaking in, and then find the where your passwords are stored. So, if that’s how you approach your password storage, it’s best not to tell anyone. Or just use a password manager instead.

---

Conclusion

By now, you should know how to create strong passwords and keep them safe. Above all, never forget that your security is not a given – it depends on your discipline, knowledge, and skills.

---