Best practices for creating secure passwords

Last update: January 22, 2026
  • Use long, unique, and complex passwords, avoiding personal information and dictionary words.
  • Apply practical methods to remember them (phrases, patterns, managers) without sacrificing security.
  • Maintain good password hygiene: don't reuse them, change them if you have any suspicions, and never share them.
  • Strengthen your protection with multi-factor authentication and be wary of phishing and social engineering.

Tips for creating strong passwords

In our current digital life, every online account we open stores potentially very sensitive information: personal data, conversations, photos, videos, bank details, or work documents. Protecting all of that depends largely on something as seemingly simple as a password. Learning how to create strong passwords is therefore essential: a poorly built one can open the door to fraud, identity theft, or even damage to our reputation if someone uses our accounts to impersonate us.

In addition, many of our accounts are connected to each other: we often use the same email address to register on social media, online stores, banks, or cloud services. If an attacker manages to access just one account and you reuse the same password elsewhere, the damage multiplies. That's why it's important to take creating and using strong passwords seriously, even if it's sometimes a bit inconvenient.

Why passwords are your first line of defense

A strong password is the first protective wall between your data and anyone trying to break into your accounts. Think about everything you store: emails with invoices, confidential documents, private photos, data about your clients or your company… If someone gains unauthorized access, they can use it to commit fraud, blackmail, or identity theft.

It should also be noted that, when an account is stolen, the damage isn't limited to the financial aspect. An intruder could send messages in your name, post offensive content on your social media, or solicit money from your contacts while impersonating you. Repairing the damage afterward can be very time-consuming and require significant effort.

Passwords, when used properly, help you keep your personal data on the Internet under control: only you decide who accesses what, from where, and when. But for that to hold, they must be difficult to guess, unrelated to you, and managed with a minimum of digital hygiene.

Another key aspect is that many attacks are no longer manual but automated. Cybercriminals use programs that test millions of combinations of words, numbers, and keyboard patterns, or that reuse credentials leaked from other websites (so-called credential stuffing attacks). If your password is simple or reused elsewhere, you're an easy target.

What should a truly secure password be like?

For a password to be considered strong, it's not enough to add a couple of numbers at the end. The main security agencies recommend a minimum length of 12 characters, and 14 or more is even better if the service allows it.

The key is to combine uppercase, lowercase, numbers and symbols at random. A string like “6MonkeysRLooking^” or “B1gOte_289!” illustrates the idea well: enough characters, a mix of character types, and not a dictionary word as such. Avoid making it an obvious phrase or an easily deducible pattern.

Equally important is that the password does not contain personal data: not your name, nor the names of your partner, children, or pets, nor dates of birth, phone numbers, license plate numbers, ID numbers, postal codes, zodiac signs, or obvious hobbies. All of that is the first thing an attacker who has gathered information about you will try.

It's also advisable to avoid words that appear in the dictionary of any language, even spelled backward or with a slight variation. Dictionary attack programs test huge lists of common words, insults, technical terms, and typical combinations like "password," "password123," or similar.

Finally, never use your username as your password, nor a password so similar to it that it can be guessed at a glance. If you suspect your password has been leaked or someone has seen it, change it immediately without hesitation.

Examples of strong passwords

Practical methods for generating strong and memorable passwords

One of the great dilemmas is that very complex passwords are often difficult to remember. If you end up having to write them down on unprotected paper or reset them constantly, you lose some of the security you've gained. Luckily, there are simple techniques for creating strong passwords that your memory can handle without strain.

1. Create passwords from a phrase

A very useful trick is to start with a phrase that is familiar and meaningful to you, but not obviously associated with you and not a well-known saying. It could be a line from a song, a verse from a poem, a line from a movie, or something you made up.


For example, if you think of "At Juan's bar they always serve large tapas for 3 euros," you can take the first letter of each word and keep the numbers and symbols: “EebdJspTga3€” (the letters follow the original Spanish wording of the phrase, which is why they do not match the English translation). Then you can adjust symbols if a service does not support the euro sign, swapping it for another allowed special character.

Another option is to use titles or phrases that only you associate with the topic, such as your favorite song, an anecdote shared with friends, or a common remark slightly modified. The important thing is that the base phrase is easy for you to remember and that the final result includes a variety of characters.

2. Replace or remove vowels

A common addition is to transform some of the letters into numbers or symbols. For example, you can decide that a = 4, e = 3, i = 1, o = 0 and replace only some vowels to complicate the password further: “Seguridad” would become “53gur1d4d”. This scheme is well known to attackers, but combined with the other methods it still adds difficulty.

Another variant is to remove all (or almost all) of the vowels from a made-up word or phrase. If you start with something "weird" that only you understand and remove the vowels, the result will bear little resemblance to real words, making dictionary attacks more difficult. Just remember to add numbers and symbols afterward to make it more robust.

3. Mix word and number following a pattern

Some people prefer somewhat more mechanical schemes, such as interleaving the letters of a word with the digits of a number, always in the same order. Imagine you choose the word "Bigote" (Spanish for mustache) and the number "28921" and alternate: a letter, then a digit taken from the number in reverse order, and so on. The result is "B1i2g9o8t2e".

This way of building passwords forces you to play a little mental game, which reinforces memory, and it avoids linear sequences like "Bigote28921" that would be much easier to break. Again, simply add a symbol and, if you want, some extra capital letters to complicate things further.

4. Dice, Sudoku and other “geeky” techniques

If you'd like to go a step further, there are methods such as diceware, which is based on rolling dice and using word lists to generate completely random combinations. Each roll (or set of rolls) selects a different word, and by chaining several together you get a very robust passphrase.

Another creative idea is to draw a Sudoku-style grid (for example, 6x6), fill it with random numbers and then trace a pattern over it with your finger, just as when you unlock your phone. The digits your stroke passes over form the basis of your password, to which you then add letters and symbols according to a system only you know.

The advantage of these approaches is that, if you change the grid numbers or use a previously solved Sudoku, the same pattern generates new passwords. You just need to remember the mental drawing and the rules you apply to transform numbers into letters and symbols.
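The four mnemonic methods above (phrase acronym, vowel substitution, letter/digit interleaving and diceware-style word selection), as an added example that is not part of the original article. The Spanish sample phrase, the word "Bigote", the number and the tiny word list are constructed inputs; a real diceware list has thousands of entries.

```python
import secrets

# Added example, not from the original article: the phrase acronym, vowel
# substitution, letter/digit interleaving and diceware-style selection
# described above. All inputs are constructed samples; SAMPLE_WORDLIST is a
# stand-in for a real diceware list.

VOWEL_MAP = {"a": "4", "e": "3", "i": "1", "o": "0"}
SAMPLE_WORDLIST = ["bar", "tapa", "grande", "euro", "siempre", "ponen"]


def phrase_to_acronym(phrase: str) -> str:
    """First character of every word; digit or symbol tokens are kept whole."""
    return "".join(w if not w[0].isalpha() else w[0] for w in phrase.split())


def substitute_vowels(word: str, positions=None) -> str:
    """a->4, e->3, i->1, o->0. positions=None replaces every vowel; a set of
    indexes replaces only those, which is what the text recommends."""
    out = []
    for idx, ch in enumerate(word):
        key = ch.lower()
        if key in VOWEL_MAP and (positions is None or idx in positions):
            out.append(VOWEL_MAP[key])
        else:
            out.append(ch)
    return "".join(out)


def interleave(word: str, number: str) -> str:
    """Alternate the letters of word with the digits of number in reverse order."""
    digits = number[::-1]
    pieces = []
    for i, ch in enumerate(word):
        pieces.append(ch)
        if i < len(digits):
            pieces.append(digits[i])
    return "".join(pieces)


def diceware(n_words: int, wordlist=SAMPLE_WORDLIST, roll=secrets.randbelow) -> str:
    """Choose n_words entries uniformly with a CSPRNG (secrets, never random)."""
    return " ".join(wordlist[roll(len(wordlist))] for _ in range(n_words))


if __name__ == "__main__":
    # Constructed Spanish phrase that reproduces the article's acronym
    print(phrase_to_acronym("En el bar de Juan siempre ponen Tapas grandes a 3 €"))
    print(substitute_vowels("Seguridad"))           # every vowel replaced
    print(substitute_vowels("Seguridad", {1, 5}))   # only the first e and the i
    print(interleave("Bigote", "28921"))
    print(diceware(5))
```

The article's "53gur1d4d" additionally turns the leading S into a 5; adding `"s": "5"` to `VOWEL_MAP` reproduces that variant.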

Best practices for password management

Good and bad practices when choosing passwords

Beyond how you generate them, there are certain characteristics that define a good password: it contains a mixture of uppercase and lowercase letters, numbers and symbols; it is not based on obvious words or dates; it is long enough (12-15 characters is better than 8); and it is reasonably easy to retain without having to write it down on any paper.

At the opposite extreme are “dangerous” passwords that are extremely easy to guess. These include all proper names (yours, family members', partner's, friends', pets'), company or domain names, simple dictionary words, sequences like "aaaaaa" or "123456", phone numbers, license plates, card PINs, or keyboard strings like "qwertyui" or "asdf1234".

It's also a good idea to avoid terms related to your tastes or personal data that you usually post: favorite football team, hobbies that are very visible on social media, city of birth, nickname you are known by, etc. Attackers can gather all this information through social engineering and test obvious combinations based on it.

On the other hand, it's not a good idea for your password to be identical or very similar to your username. If your email is “juan.perez@example.com”, using something like “juanperez2024” is a gift to anyone trying to attack you. The more conceptual distance you put between your public identity and your password, the better.


Some services also impose character restrictions: for example, they only accept ASCII characters and don't allow accents, ñ's, or certain unusual symbols. In those cases, adapt your method (for example, avoid the euro sign if the system doesn't support it) without sacrificing complexity.
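A checker for the "dangerous" traits listed above (short length, few character classes, common words, repeated runs, keyboard or numeric sequences, and passwords derived from the username or personal data), as an added example that is not from the original article. COMMON_WORDS and the sample passwords are constructed; a real deployment would load a breached-password list instead.

```python
import re

# Added example, not from the original article. COMMON_WORDS is a constructed
# stub standing in for a full dictionary / breached-password list.
COMMON_WORDS = {"password", "password123", "qwerty", "letmein", "welcome", "admin"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _username_stem(username: str) -> str:
    """'juan.perez@example.com' -> 'juanperez' (local part, separators dropped)."""
    return re.sub(r"[^a-z0-9]", "", username.split("@")[0].lower())


def password_problems(password: str, username: str = "", personal=()) -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    low = password.lower()
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if low in COMMON_WORDS or low[::-1] in COMMON_WORDS:   # also catches reversed words
        problems.append("common or dictionary password")
    if re.search(r"(.)\1{3,}", password):                  # e.g. "aaaaaa"
        problems.append("run of repeated characters")
    for row in KEYBOARD_ROWS:                               # "qwer", "asdf", "1234", ...
        for i in range(len(row) - 3):
            chunk = row[i:i + 4]
            if chunk in low or chunk[::-1] in low:
                problems.append(f"keyboard or numeric sequence '{chunk}'")
                break
    stem = _username_stem(username)
    if stem and stem in low:
        problems.append("contains the username")
    for item in personal:                                   # names, years, plates, ...
        if str(item).lower() in low:
            problems.append(f"contains personal data '{item}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the last one is the article's strong example
    for pw in ("juanperez2024", "asdf1234", "6MonkeysRLooking^"):
        print(pw, "->", password_problems(pw, "juan.perez@example.com", ("juan", 1985)))
```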

Password hygiene: how to manage them on a daily basis

Password security is not limited to creating good passwords; it also involves how you use and store them daily. This set of habits is often called "password hygiene" and includes everything from not sharing them to periodically checking their status.

First, every important account should have its own individual password. Reusing the same password across multiple services is one of the most common mistakes: if a website suffers a data breach and your password is leaked, attackers will try it on banks, email, social media, or shopping platforms. This type of automated attack is known as "credential stuffing."

It is also recommended to change your passwords when there are indications of risk: if a service alerts you to suspicious access, if you notice unusual activity, or if a company acknowledges a data breach, you should update your password. Some older policies required passwords to be changed every three months, but nowadays it's more common to update them when there's evidence of a compromise or when you detect that a password is weak.

It is also essential to replace predefined passwords immediately. These come pre-installed on routers, control panels, IoT devices, or newly created accounts (for example, a temporary key you are sent when signing a contract), and they are usually public, short, or very easy to guess.

And of course, do not select the “remember password” option on browsers or devices you don't control (shared computers, internet cafes, work computers open to many people). Storing credentials in insecure environments is an invitation for anyone to take over your identity.

Where and how to store your passwords without making a mistake

Many people end up writing down their passwords on a piece of paper stuck to the screen, in a notebook on the table, or in a file called “passwords.xlsx” on the desktop. These solutions are very practical but terrible in terms of security: anyone with physical or remote access to the device can take over all your accounts.

If you decide to write them down somewhere physical, make it a safe and discreet place, far from the computer they protect. Even so, it's not the best option for business environments or for particularly sensitive accounts (banking, system administration, customer dashboards, etc.).

A modern and safer alternative is to use a password manager. These applications store your passwords encrypted, generate highly complex combinations, and fill them in automatically when you need them. You only need to remember a strong master password and, in many cases, enable multi-factor authentication to access the manager itself.

Reputable password managers update your passwords, alert you if any are weak or compromised, and keep them secure even if someone steals your device. The combination of strong encryption and two-factor authentication (2FA) makes it extremely difficult for a third party to access your password vault.

If you still prefer not to use a manager, you can rely on the mnemonic rules mentioned above (phrases, patterns, transformations), applying slight variations depending on the website: for example, inserting the service name at a fixed point in the key, or changing a specific letter depending on the account type. The important thing is that the system is convenient for you and doesn't lead you to oversimplify.

Protect your passwords against phishing and social engineering

In many cases, attackers don't bother to crack the password technically; instead they try to trick you into giving it to them. This is what happens with phishing and other social engineering techniques: emails, SMS messages, or calls that impersonate your bank, a famous online store, or even a trusted contact.

If you receive an email that claims to be from a well-known company and asks you to confirm your password, enter your details through a suspicious link, or send sensitive data "for security reasons", that should raise immediate suspicion. The same applies if you receive a phone call supposedly from your bank or payment platform asking for your password to "verify" your identity.

These scams often mimic the appearance of legitimate websites, copying logos, colors, and text to appear authentic. That's why it's important to always access services through legitimate channels: from trusted bookmarks or by typing the address yourself into the browser, instead of following links included in unexpected emails or messages.


If you have any doubts, go to the official website of the bank, store, or service by typing the URL you already know, or call the phone number listed on their official site. Never share your password by email, messaging, or phone, even if it seems like someone you trust or a service technician is asking for it.

Multi-factor authentication and extra protection steps

Even with all of the above, there's always a chance someone could get hold of your password. That's why it's highly recommended to activate multi-factor authentication (MFA or 2FA) wherever it is available. This system requires more than just a password: for example, a temporary code sent by SMS or generated by an app, a physical key, or biometric recognition.

The idea is simple: even if an attacker manages to get hold of your password, they will not be able to log in without that second factor. Many large platforms (Google, Microsoft, social networks, banks, etc.) already offer this system, and in business environments it is becoming an indispensable standard.

Another helpful step is keeping your recovery information up to date: an alternative email and a backup phone number (see how to recover your Gmail account). This information allows you to detect anomalous access, recover your account if you forget your password or if someone tries to change it, and receive alerts in case of suspicious activity.

However, treat this data with care: periodically check if it is still up-to-date (a mobile phone you no longer use is of little use) and avoid sharing it carelessly on unreliable forms or social networks.

If you suspect that one of your accounts may have been compromised, act quickly: change the affected password, close open sessions on other devices, and review recent activity. For critical services (primary email, banking, corporate tools), it may be wise to also change other related passwords.

Specific recommendations in personal and business environments

On a personal level, the goal is simple: protect your private data and prevent your accounts from being used for malicious purposes. To do this, simply follow the best practices outlined above: long and unique passwords, a strong password manager or mnemonic devices, 2FA whenever possible, and no sharing of passwords with friends or family; if sharing is unavoidable, learn to share passwords securely rather than assuming that "in the end, nothing will happen."

In business environments, passwords become even more important, because they can provide access to corporate information: work tools, customer databases, and critical systems. It is essential that each employee has their own credentials, that generic user accounts are not shared, and that the files or systems where passwords are stored are especially protected.

Organizations should define clear password policies: minimum length, required complexity, use of corporate managers, obligation to activate MFA on critical accounts, prohibition of writing keys on post-its or unencrypted documents, and change procedures when someone joins or leaves.

In addition, it is advisable to strengthen basic cybersecurity training for all staff: recognize phishing emails, carefully check web addresses before entering credentials, immediately report any lost or stolen devices with account access, etc. The best password in the world is useless if the user inadvertently gives it to a scammer.

In short, passwords are like a toothbrush: they are not shared, they are looked after, and they are renewed when the time comes. By combining long, unique, and well-constructed passwords, good management habits, password managers when necessary, and multi-factor authentication on the most important services, you can make life much more difficult for attackers and navigate your online life with much greater peace of mind.
