Overview

The best passwords are long, complicated, and totally unique. Avoid using easy-to-guess personal details or popular sayings. To create something complex but still easy to remember, try changing up a familiar phrase by swapping out letters with similar special characters (think @ for a, $ for s). And never use the same password twice.

You probably know that personal details, like your birth date or pet’s name, shouldn’t be used as passwords. With a little research, someone else — like a trained cybercriminal — could guess correctly and crack the code.

But, what makes for a strong password?

In the past, experts have advised a combination of upper- and lower-case letters, with a few special characters thrown in for good measure. But earlier this year, the federal government released a report with new guidelines for password security, upending some conventional wisdom about data security.

Here are a few of the biggest takeaways.

Don’t pull from your personal history – or even from the dictionary

Each time you use a mobile banking app, post on social media, or simply browse the internet, your digital footprint — a record of all your online activity — grows. Unfortunately, this means that some of your personal information might be more exposed than you realize.

That’s why it’s smart to avoid referencing anything personal when creating passwords. People naturally gravitate to anniversaries, addresses, or family members’ names because they’re easy to remember. But they can also be easy for others to discover with a bit of amateur internet sleuthing.

Randomness, then, is key to a good password. And a word or phrase that’s misspelled or nonsensical is even better, as some thieves use programs that try every word in the dictionary, a method known as a dictionary attack.

One good solution: Take a phrase that’s easy to remember, and tweak it to make it harder to guess, like in the examples below.

  • Swap out letters with similar special characters (think @ for a, $ for s) to turn a familiar verse into a stronger password. For example, Wordsworth’s “I wandered lonely as a cloud” becomes “Iw@nderedlonley@$@cloud” — a much stronger password.

  • Use only the first letter of each word in a popular phrase or song. Sheryl Crow’s “All I wanna do / is have some fun / and I’ve got a feeling / I’m not the only one” becomes the more cryptic “AIWDIHSFAIGAFINTOO”

Aim for long, complicated, and totally unique

According to NIST, it’s wise to use the longest password allowed. Most sites cap off password length somewhere between 8 and 64 characters.

Just because a password is long, though, doesn’t make it a good choice. When written plainly, easy-to-remember lyrics or phrases aren’t very secure. If you know all the words to a song, others probably do too.

A good strategy is to combine length and complexity, disguising the information with special characters and mnemonic devices like in the examples above.

And whatever you do, don’t use the same password more than once. That way, if a single account is compromised, your entire identity won’t be up for grabs.

Keep in mind, even the strongest passwords aren’t totally fool-proof. If you’re an Allstate Identity Protection member and you ever suspect one of your accounts has been breached, reach out to our Identity Specialists. They’re here 24/7 to help you chart a path to recovery.