
Password tips: How to create a strong password

Running a good password cracking machine is both time-consuming and expensive, and for this reason, cyber criminals will always look for the path of least resistance. That is why you need to know how to create strong passwords, how to use a password manager, and learn how two-factor authentication (2FA) works.


Most of the passwords you use daily can be broken given enough time. What matters is making them as complicated and time-consuming to crack as possible, so that a cyber criminal gives up and moves on to an easier target.

It’s quite simple: if you find your password to be easy to remember, then it most likely is also easy for a cyber criminal to figure out. At the same time, we’re expected to memorise our passwords, and they should be unique, long, and complicated.

The stronger the password, the more time a cyber criminal has to spend running a password cracking machine against it, and the more it costs them. That is why they will always look for the path of least resistance, to make sure they are not wasting their time.


What is the weakness of the passwords we have today?

Your passwords can be leaked through a data breach, for example, because a company has not stored them securely. We can also fall victim to social engineering attacks, phishing attacks and other frauds.
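The "not stored securely" part of a data breach usually means the service kept passwords in plain text or behind a fast, unsalted hash. The following is an added example, not code from the original post or from Visma, showing the difference between that and salted, slow hashing with PBKDF2 from the Python standard library. The iteration count and sample password are constructed values for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example; a real deployment picks the iteration
# count from current guidance and stores it in the record so it can be raised later.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """What insecure storage often looks like: a fast, unsalted hash.
    Every user with the same password gets the same value, and common
    values can be looked up in precomputed tables in seconds."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        # Fresh random salt per user: identical passwords now produce different records.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    for user in ("alice", "bob"):
        print(user, unsalted_md5("Summer2023!"), hash_password("Summer2023!"))
```

Run it and the two MD5 values are identical while the two PBKDF2 records differ, which is exactly what a breached database should look like: an attacker who obtains the records has to attack each user separately and slowly, instead of matching thousands of users against one precomputed table.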

The theft of credentials, and the sale and distribution of these for criminal activity, is unfortunately lucrative and will continue as long as we have password logins.

However, the biggest weaknesses when it comes to passwords are the users themselves.

Users create weak passwords, and oftentimes reuse them in multiple places, both at work and in private settings. These passwords are often stored in insecure places. Guilty of leaving your password on a post-it note on your desk or in a note on your mobile?

Not to mention that we tend to forget our passwords and therefore have to reset them, often via a password reset link sent by email. That is also risky if someone else gains access to that email account.

What is considered a strong and a weak password?

A password is considered stronger the longer it is, and it is recommended that it should be no shorter than 12-15 characters. In addition to this, the password should contain the following elements:

  • Special characters such as: ! @ # ? and so on
  • Numbers
  • A combination of capital and lowercase letters
  • Accents (è, é, â, î or ô and so on) if the system supports it
  • Spaces
  • A random sequence of characters

It might be a good idea to use a passphrase so that you more easily remember it, and combine it with all of the above, such as special characters, numbers, and spacing. 

To make it even stronger, you can use phrases that are typical for your accent or insert some spelling mistakes that only you will remember. 


What characterises a weak password?

A weak password, on the other hand, is short, is a well-known word or piece of information that many people use, or is something obvious. All of these should be avoided at all cost.

This can be, for example, your name, the name of your company, your favourite sports team, or your dog’s name, or one of these combined with an easy number sequence such as 123 or 111.

Did you know that one of the most common colours used in, or as, a password is “blue”, the colour of the Twitter, Facebook and LinkedIn logos? This is a good illustration that most people are not particularly creative when choosing a password and pick whatever is literally in front of them, which makes it very easy for cyber criminals.

“If your email account is taken over by cybercriminals, they can effectively gain control over all your other Internet accounts. The strongest defence you have against this is a strong, unique password coupled with two-factor authentication.” Christian Andersson, Security Engineer at Tripletex.

Even your passphrases should not be too obvious: a cyber criminal has access to most lyrics, movie scripts, books, TV shows, languages and so on, and with the right tools can compare them against your password in a matter of seconds.

There are also popular passwords based on keyboard patterns, such as “qwerty”. These should not be used. In addition, you should not change your password on a regular basis unless you suspect that you have been part of a breach and that your credentials and passwords may have been leaked.

Changing your password too often can result in bad passwords since many will choose a more effortless route and create a password too similar to the old one.
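The strength rules above (length, character classes) and the weak-password patterns just described (common words, personal information, keyboard sequences, repeated digits) can be checked at the moment a password is chosen, which is where a service can stop a weak one before it is ever used. The following is an added example, not code from the original post or from Visma; the blocklist, keyboard rows and sample passwords are constructed for this example, and a real check would use a far larger list of breached and common passwords.

```python
import math
import re
import string
from typing import Iterable, List

MIN_LENGTH = 12  # the post's lower bound for a strong password

# Constructed blocklist for this example. A real deployment uses a large list of
# breached and common passwords plus the organisation's own product and brand names.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "blue", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _char_classes(password: str) -> int:
    """Count which of the four character classes the post lists are present."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation or c.isspace() for c in password),
    )
    return sum(checks)


def _has_keyboard_run(lowered: str, run: int = 4) -> bool:
    """True if `run` adjacent keyboard keys appear in order, e.g. 'qwer' or '1234'."""
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            if row[i:i + run] in lowered:
                return True
    return False


def assess_password(password: str, personal_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is weak; an empty list means it passed every check.
    `personal_words` carries things the post says to avoid: the user's name,
    the company name, the dog's name, and so on."""
    reasons: List[str] = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(password) < 3:
        reasons.append("uses fewer than three character types (upper, lower, digits, symbols/spaces)")
    blocklist = COMMON_WORDS | {w.lower() for w in personal_words if w}
    for word in sorted(blocklist):          # sorted so the output order is stable
        if word in lowered:
            reasons.append(f"contains the common or personal word '{word}'")
    if _has_keyboard_run(lowered):
        reasons.append("contains a keyboard pattern such as 'qwer' or '1234'")
    if re.search(r"(.)\1\1", password):     # 111, aaa, !!! and the like
        reasons.append("repeats the same character three or more times")
    return reasons


def naive_bits(password: str) -> float:
    """Search-space size in bits if an attacker had to try every combination of the
    character pool used. This is what makes length matter; the blocklist checks above
    show why it overstates strength for dictionary words and personal information."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c.isspace() for c in password):
        pool += 33  # 32 ASCII punctuation characters plus the space
    return round(len(password) * math.log2(pool), 1) if pool else 0.0


if __name__ == "__main__":
    # Constructed sample passwords; "Acme" stands in for a company name.
    for candidate in ("qwerty", "Football2024!", "Acme2024!!!!", "Korrekt horse! 7 battery staples"):
        print(f"{candidate!r}: {naive_bits(candidate)} bits, "
              f"{assess_password(candidate, personal_words=['Acme']) or 'passes'}")
```

"Football2024!" is the instructive case: it is 13 characters long, uses all four character classes and scores over 80 bits on the naive estimate, yet it is still a well-known word with a year appended, which is precisely the kind of password a cracking rig tries first. Length and variety are necessary but not sufficient; the blocklist check is what catches "whatever is under your nose".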


What is a password manager and how can it be used?

Experts usually recommend a password manager, because it is nearly impossible to have complex, unique passwords everywhere you log in and still be able to remember all of them.

A password manager is a computer program, or more specifically an encrypted database, where users can store all their passwords and login information, or generate passwords, for all their different logins around the web. The only thing you need to remember is your master password to access all your other passwords and login information.

Nowadays, most password managers are cloud-based, meaning that you can use the same account on all your devices no matter where you are.

Some examples of password managers are LastPass and 1Password. There are many different password managers to choose from, so in order to find the provider that best fits your needs, take the time to do some research before making a decision.

What is 2FA/MFA?

Another way to make it more difficult for cyber criminals to misuse your passwords is two-factor authentication (2FA) or multi-factor authentication (MFA). These are electronic authentication methods in which you are granted access only after completing two or more steps that prove your identity.

This is a very effective way to secure your accounts. It usually takes the form of the classic password or PIN code, followed by an extra layer such as a randomly generated code that is either sent to you by SMS or produced by an authenticator app installed on your phone.

It can also be the use of a physical token, key or bank card, or biometrics: fingerprint on your phone, facial recognition, and so on.
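The code an authenticator app shows is not random in the usual sense: the app and the service share a secret at enrolment, and both derive the same six digits from that secret and the current 30-second time step (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original post or from Visma, implementing both sides with the Python standard library, including the checks a server needs so that an intercepted code cannot be reused. The shared secret below is the one from the RFC test vectors and is used here only as a constructed sample.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the number of elapsed time steps.
    This is what the authenticator app on the phone computes and displays."""
    if timestamp is None:
        timestamp = int(time.time())
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: Optional[int] = None,
                last_accepted: int = -1, window: int = 1, step: int = 30,
                digits: int = 6, algorithm: str = "sha1") -> Optional[int]:
    """Server-side check. Returns the accepted time-step counter, or None if rejected.
    Accepts +/- `window` steps to tolerate clock drift between phone and server, and
    refuses any counter at or below `last_accepted` (which the server must persist per
    user), so a code that was already used, or intercepted, cannot be replayed."""
    if timestamp is None:
        timestamp = int(time.time())
    current = timestamp // step
    for skew in range(-window, window + 1):
        counter = current + skew
        if counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits, algorithm), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are enrolled with the shared secret as Base32 text, usually via a QR code."""
    return base64.b32decode(encoded.replace(" ", "").upper())


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
    shared_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(shared_secret)                       # what the app would show right now
    print("code:", code, "accepted at step:", verify_totp(shared_secret, code, timestamp=now))
```

Two details matter for the defender. First, the comparison uses `hmac.compare_digest` so that a wrong code takes the same time to reject whichever digit is wrong. Second, `last_accepted` is what turns a 30-second window into a genuinely one-time code: without it, a code phished or read over someone's shoulder stays valid for up to a minute and a half including the drift window.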

What is the future of passwords?

If password security is such a pressing issue, how come we still have passwords? At present there is no solution that all vendors have been able to agree upon and commit to. There is also the fear of changing something that works.

There is a fine balance between ease of use, scalability, complexity of technology, and resources. People and companies tend to favour convenience and tried-and-tested solutions, and that often comes at the expense of security.

So, what alternatives do we have for the future, then?

Even though many of the alternatives have their own limitations, many new options have emerged over the past years. There are biometrics such as fingerprints, voice identification and face recognition with cameras, all of which have become widely available.

Such solutions can raise privacy issues. They are also still expensive and somewhat complex for everyday use across multiple devices, platforms, and sites.

Mobile devices can also be used as the authentication factor. The downside? In some cases that is impractical: if you don’t have a smartphone, run out of battery, or otherwise find yourself without a phone. It can also be vulnerable to man-in-the-middle attacks.

Another solution that has been up for discussion is public key infrastructure (PKI). This is a technology for authenticating users and devices through public-key cryptography. It is a complex infrastructure, and it takes a great number of resources, both financially and administratively.

Two-factor authentication with a physical token is another option. This is a field where there will likely be major changes in the future. The technology develops rapidly and we’re moving closer and closer to quantum computing, which will probably be the end of passwords as we know them.

Do you want to learn even more about password security? Watch Security Evangelist Per Thorsheim’s talk “Passwords are forever!” from the Visma Security Conference 2020.

