Passwords protect our online accounts both at work and in our everyday lives, and they are the primary layer of protection against unauthorized access to those accounts. While it may seem enough to create a password that is difficult for another person to guess, it’s also necessary to consider the tools that attackers use to guess passwords. These automated programs, often referred to as bots, can use various techniques to try hundreds of passwords per minute. If your password isn’t complex enough, a bot could guess it within hours or even minutes, giving its operator full access to your account.

This means that when you create a password, it’s necessary to devise one complex enough to thwart a bot while still being difficult for another person to guess. The good news is that while bots do have infinite patience and can work quickly, their time is finite. It’s entirely possible to make a password that’s easy for you to remember, virtually impossible for someone else to guess, and complex enough that it would take a bot more time than the universe has existed to crack.

Thwarting Bots – Password Complexity

Preventing a bot from cracking your password is all about complexity: the longer your password is, and the more capital letters, numbers, and special characters it contains, the longer a bot will take to guess it. There are many tools online that will check the complexity of your password and estimate how long it would take a bot to crack. The following examples used the How Secure Is My Password? tool from security.org.

The following examples of simple passwords are organized by how long it would take a bot to guess them.

| Password | Bot Guess Time |
| --- | --- |
| pikachu | Instantly |
| Pikachu | 25 seconds |
| Pikachu199 | 7 months |
| Pikachu1997! | 34,000 years |
| Pikachu1997!electric@ | 3 sextillion years |

By adding complexity, it is possible to take a simple password that a bot would guess instantly all the way to one that would take it many, many billions of years to figure out. Each introduction of capitals, numbers, and special characters increases the bot guess time exponentially.

Confounding Humans – Passphrases

While the above examples show how complexity can easily prevent bots from cracking your password, they are not ideal passwords. It’s entirely possible that another person could guess them. To prevent other people from guessing a password, it needs to be complex in a very specific, personally memorable way.

The best way to do this is to use a passphrase: a short phrase or sentence instead of a single word. Its spaces and punctuation make it easy for the owner to remember, while the exact wording makes it difficult for anyone else to guess.

The following examples are still organized by bot guess time, with the addition of a column that indicates how likely it is for an unrelated third party to guess the passphrase themselves.

| Password | Bot Guess Time | Person Guess Likelihood |
| --- | --- | --- |
| Electric mouse. | 4 billion years | Fairly Low |
| Electric mouse?! | 7 trillion years | Low |
| Electric mouse?! Shocking | 1 nonillion years | Very Low |
| Electric mouse?! Shocking, marketable. | 25 septendecillion years | Extremely Low |

As shown here, even the simplest passphrase with normal punctuation would take a bot 4 billion years to guess, and, as before, the time increases exponentially with relatively little added length. The specific phrasing also means that someone unfamiliar with you personally is unlikely to guess the passphrase.

Combining Complexity and Passphrases

To truly make a password that’s impossible to guess, consider doing any of the following:

  1. Replace letters with numbers or symbols that resemble them. For example, you could replace an A with 4 or @. You could also do this the other way around, and replace numbers with letters that resemble them, like I for 1, or O for 0.
  2. Intentionally misspell words in a way you’ll remember, such as ‘yeer’ instead of ‘year.’

The following examples apply these principles to passwords from the previous example sets.

| Password | Bot Guess Time | Person Guess Likelihood |
| --- | --- | --- |
| P1k4(hu | 6 minutes | Low |
| P1k4(hu199 | 5 years | Very Low |
| P1k4(hu1997!3l37r1k | 500 quadrillion years | Extremely Low |
| 3l3k7r1k m0u53?! 5h0(k1ng, M4k374bl3. | 17 septendecillion years | Basically Impossible |

While the weaker passwords aren’t improved much by this, there are still notable improvements across the board, with the passphrase rendered almost impossible to guess.

Other Best Practices

Making your passwords secure is extremely important, but they also need to be used effectively to really prevent unauthorized access to your accounts. Follow these best practices to make your passwords as effective as they can be:

  1. Do not use the same password or security question and answer for multiple important accounts. If any given account is compromised, other ones with the same password become vulnerable as well.
  2. Don’t use a “template password” with elements that change with each account (e.g., Turtw1g@S0l4c30NiTunes, Turtw1g@S0l4c30NDropBox, Turtw1g@S0l4c30NGoogle, etc.). If one of these passwords is compromised, the format becomes obvious, and any other password with the same format could easily be guessed.
  3. Try to make your passwords at least 16 characters long.
  4. Don’t use postal codes, address information, phone numbers, birthdates, ID numbers, or other personal information in your passwords.
  5. Don’t use the names of family members, friends, or pets in your passwords.
  6. Try to avoid using dictionary words in your passwords as much as possible. Many bots cross-reference dictionaries of words as part of their guessing to speed up the process.
  7. Back up your passwords somewhere safe, like your Outlook Passwords contact.
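As an added example that is not part of the original article, the following Python script rebuilds the kind of estimate behind the tables above (alphabet size raised to the password length, divided by a guess rate) and then applies the caveat from point 6: a password shaped like a dictionary word plus digits and symbols is far cheaper to guess than its character classes suggest. The guess rate, the four-word sample list, and the 100,000-word dictionary size are assumptions; the security.org tool uses its own model, so the years printed here will not match the tables.

```python
import re
import string

# Character classes a naive complexity estimator counts, mirroring the page's
# reasoning: lowercase, capitals, numbers, special characters (space included).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")

# Constructed mini-wordlist standing in for a real dictionary; DICT_SIZE is an
# assumed wordlist size used only to scale the estimate.
SAMPLE_WORDS = {"pikachu", "electric", "mouse", "shocking"}
DICT_SIZE = 100_000
SECONDS_PER_YEAR = 365 * 24 * 3600

def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force bot must cover for this password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))

def brute_force_keyspace(password: str) -> int:
    """Candidates an exhaustive search over that alphabet and length enumerates."""
    return alphabet_size(password) ** len(password)

def dictionary_keyspace(password: str):
    """Candidates for a 'word + digits + symbols' attack, or None if not that shape."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)([^A-Za-z0-9]*)", password)
    if not m or m.group(1).lower() not in SAMPLE_WORDS:
        return None
    _, digits, symbols = m.groups()
    # three case variants (lower, Capitalised, UPPER), any digit, any symbol
    return DICT_SIZE * 3 * 10 ** len(digits) * len(CLASSES[3]) ** len(symbols)

def crack_years(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate, in years."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR

def compare(password: str, guesses_per_second: float = 1e10) -> dict:
    """Naive vs dictionary-aware estimate in years; 1e10/s is an assumed offline rate."""
    dict_ks = dictionary_keyspace(password)
    return {
        "alphabet": alphabet_size(password),
        "brute_force_years": crack_years(brute_force_keyspace(password), guesses_per_second),
        "dictionary_years": None if dict_ks is None
        else crack_years(dict_ks, guesses_per_second),
    }

if __name__ == "__main__":
    for pw in ("pikachu", "Pikachu", "Pikachu199", "Pikachu1997!",
               "Electric mouse?! Shocking, marketable."):
        print(f"{pw!r}: {compare(pw)}")
```

Passphrases made of several words fall outside the single-word model and report `None` for the dictionary estimate, which is a reminder that the naive figure is an upper bound, not a guarantee.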

By combining the methods and best practices discussed above, it is possible to create a password that is easy for you to remember, difficult for others to guess, and entirely impossible for a bot to crack. Remember that you don’t have to fully memorize passwords either; you can store any password you need in a secure location, such as in a password manager or your Outlook Passwords contact.