Password Best Practices: What Makes an Effective Password?

The number of passwords the average person has is extensive. Keeping track of all these passwords is a hassle…and then you add in the dreaded password reset day when you have to remember yet another one.

As much of a headache passwords can be, it’s more important than ever to use strong passwords. Using password best practices, requiring two-factor authentication (2FA) and using a password manager can make the difference between keeping your organization secure or leaving your organization vulnerable to risks.

So, what does an effective password look like? What is the difference between a weak and strong password?

Strong passwords

  • Use 8+ characters – Your password should be at least 8 characters long, but longer is better. A seven-character password can be cracked in 0.29 milliseconds but by just adding more character, the password would take 5 hours.
  • Use a combination of lowercase letters, uppercase letters, numbers and symbols – When you only use lowercase letters for your password, there are 26 different characters that can be combined into a password. If you would consider using both uppercase and lowercase letters, you would double the number of possible characters to 52. When you add in numeric letters (1-9) as possible characters, your total characters add up to 61. To further increase the mathematical complexity of your password, you can use symbols (@, %, #, etc.) to bring the total character set to 80.
  • Contains a passphrase – Take three or four words that are completely unrelated and turn them into a phrase (“CorrectHorseBatteryStaple”) to make them easier to remember.


  • Using the same password across accounts – Using the same password to log into both Facebook and online banking is a bad idea. This is because if your password gets compromised on Facebook, your online banking login also becomes compromised.
  • Using personal information such as your name, child’s name or phone number – Be unique with the passwords you choose. Personal information like your name isn’t unique which makes it easier to hack.
  • Using passwords that contain keyboard sequences/patterns of 4 in a row – Avoid using passwords that contain sequences like 1234.
  • Using the same password over an extended time – Some websites, or your organization, force you to reset your password after 90-120 days. Periodically updating your password ensures that if your password was ever previously compromised, the compromise is resolved as soon as your password changes.

Follow Us