Is Remembering Complex Passwords More Trouble Than It’s Worth?
David Colombo was 19 when he hacked more than 25 Teslas, taking “full remote control” of their security systems, doors, windows, and radios [*]. But, while David’s hack took advantage of a software vulnerability, the vehicles all had one thing in common: the owners hadn't changed the default password in the Tesla app.
Password security is a weak point for many Americans. According to a survey by LastPass [*]:
“Even though 89% of people say they know that using the same password is a risk, just 12% use different passwords for every account.”
On average, Americans have 240 online accounts that require passwords [*], making it almost impossible to remember a unique (and secure) password for every single one.
In this guide, we’ll explain the dos and don’ts of password hygiene, how to remember secure passwords for your accounts, and what to do if you’ve forgotten, been locked out of, or need to secure your online accounts.
Why You Need a Secure Way To Remember Passwords
Passwords are the first — and sometimes only — line of defense against hackers.
When you use strong and unique passwords for every account, you are much less vulnerable to account takeovers and losing sensitive information that could be used to steal your identity.
Unfortunately, few people have secure systems in place to help them protect and remember their passwords. According to recent surveys:
- 53% of people rely solely on memory to manage their passwords [*].
- 51% of people reuse the same passwords for work and personal accounts.
- 23 million account holders use the password “123456” [*].
Even worse, strong and complex passwords are being leaked onto the Dark Web almost daily due to data breaches at major companies, including PayPal, Twitter, and Facebook.
And in February 2023, news spread that hackers had stolen data center login credentials from some of the world’s biggest companies, including Apple, Microsoft, and Goldman Sachs [*].
If you reuse passwords (or are unaware that they’ve been leaked), this can jeopardize the security of your most sensitive online accounts — including your banking, email, and social media accounts.
The question is: how do you create strong passwords (and remember them) without putting your accounts at risk?
Here are some of the best practices for creating, storing, and monitoring your passwords:
How To Remember Passwords That Hackers Won’t Guess
- Combine random words to form a strong password
- Use memorable, long passphrases instead of overly complicated passwords
- Create passwords out of abbreviated song lyrics or quotes
- Create passphrases that include words from different languages
- Store your passwords in a secure password manager
The longer a password is, the harder it is for cybercriminals to crack — but a longer password is also harder for you to remember.
According to cybersecurity researchers, a 10-character password with a mix of uppercase and lowercase letters, numbers, and symbols can take five months to crack, while a 12-character combination could take up to 34 years [*].
Unfortunately, long, complex, and random passwords are nearly impossible to remember.
Here are five actionable ways that you can create and remember complex yet memorable passwords:
1. Combine random words to form a strong password
It’s not easy to remember passwords that consist of a random string of characters and numbers. As a workaround, many people use substitutions — like “pa$$word” — that are easy for hackers to guess or crack with a brute-force attack.
As a more secure alternative, use the “three random words” method to create secure passwords that are easier to remember.
How to create a strong password with the “three random words” method:
- Choose three (or more) unrelated words. Ideally, they should have no obvious link — for example, “computerhorselisbon.”
- Make it more secure by adding numbers and characters. One easy-to-remember tactic is to separate the words with numbers — for example, “computer5horse3lisbon!8.” You can also add special characters to satisfy a site's password requirements, such as "computer!5horse!3lisbon!8."
- Get ideas from a random password generator. Bear in mind, however, that it may not be safe to rely 100% on the outputs of these public apps. It’s safer to combine ideas that the apps generate. For instance, generate three separate passwords, and create your unique phrase by taking one word from each suggestion.
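As an added illustration of the two points above (that strength grows with length, and that the “three random words” method works because the words are chosen at random), here is a small Python example; it is not code from Aura or from the original article. The word list is a constructed 32-entry stand-in (the figures for a 7776-word list correspond to a full-size list such as the EFF long word list), the guess rate of ten billion per second is an assumed figure for an offline attack on a fast hash, and the function names are my own.

```python
import math
import secrets
import string

# Constructed demo word list. A real list (for example the EFF long word list) has
# 7776 entries; the entropy of the result depends on the list size, so this tiny
# list is for illustration only.
DEMO_WORDS = [
    "computer", "horse", "lisbon", "anchor", "basket", "candle", "desert", "engine",
    "falcon", "garden", "hammer", "island", "jacket", "kettle", "ladder", "marble",
    "needle", "orange", "pillow", "quartz", "ribbon", "saddle", "tunnel", "velvet",
    "walnut", "yogurt", "zipper", "bridge", "castle", "dragon", "forest", "glacier",
]

SEPARATOR_SYMBOLS = "!@#$%&*?"


def random_words_password(wordlist, n_words=3, rng=secrets):
    """Build a password in the shape the article uses (computer5horse3lisbon!8):
    random words, a random digit between each pair, and a random symbol plus
    digit at the end. `rng` only needs a .choice(); the default is the secrets
    module, a cryptographically secure generator."""
    words = [rng.choice(wordlist) for _ in range(n_words)]
    parts = []
    for i, word in enumerate(words):
        parts.append(word)
        if i < n_words - 1:
            parts.append(rng.choice(string.digits))
    parts.append(rng.choice(SEPARATOR_SYMBOLS) + rng.choice(string.digits))
    return "".join(parts)


def entropy_bits(choice_sizes):
    """Entropy of a password built from independent uniform choices:
    the sum of log2(number of options) over every choice made."""
    return sum(math.log2(size) for size in choice_sizes)


def random_words_entropy_bits(wordlist_size, n_words=3):
    """Entropy of random_words_password(): n_words words, n_words digits
    (n_words-1 between the words plus one at the end) and one symbol."""
    choices = [wordlist_size] * n_words + [10] * n_words + [len(SEPARATOR_SYMBOLS)]
    return entropy_bits(choices)


def charset_bits(charset_size, length):
    """Entropy of `length` uniformly random characters from an alphabet of `charset_size`."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every possibility at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast hash (constructed figure)
    print("demo password:", random_words_password(DEMO_WORDS))
    for size in (len(DEMO_WORDS), 7776):
        for n in (3, 4):
            bits = random_words_entropy_bits(size, n)
            days = seconds_to_exhaust(bits, rate) / 86400
            print(f"{n} words from a {size}-word list: {bits:.1f} bits, {days:.1f} days to exhaust")
    for length in (10, 12):
        bits = charset_bits(94, length)
        years = seconds_to_exhaust(bits, rate) / (86400 * 365)
        print(f"{length} random printable ASCII chars: {bits:.1f} bits, {years:.1f} years to exhaust")
```

The entropy figures only hold when the words are picked by the generator, not by the person: a human choosing “computer”, “horse” and “lisbon” draws from a much smaller and more predictable pool, which is why the article recommends taking ideas from a generator rather than inventing the words yourself. The comparison also shows why a tiny list is useless and why adding a fourth word does more for strength than adding another symbol.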
2. Use memorable, long passphrases instead of overly complicated passwords
The Federal Bureau of Investigation (FBI) advises people to use longer passphrases instead of short, complex character strings [*]. This approach allows you to create longer, stronger passwords that are easier to remember.
How to create a password with passphrases:
- Start with a common phrase. For example, let’s say that the “grass is always greener” is one of your favorite expressions.
- Change some letters to uppercase. Now, change the phrase to “tHE graSS IS alwaYS GreenER.” Note that you shouldn’t only capitalize the first letter of each word, as that’s too obvious.
- Replace some of the letters with similar-looking numbers and tack on a few extra characters. For example, this phrase could be changed to “tHE%gr4SS%15%alwaYS%Gr33nER.”
3. Create passwords out of abbreviated song lyrics or quotes
You can take the passphrase concept a step further by abbreviating every word in the phrase. Even if somebody discovers your favorite quote or poem, it’s unlikely they will guess the abbreviated form that you use for a password.
How to create passwords with abbreviated passphrases:
- Start with a phrase that is meaningful to you. It could be a song lyric, a line from a poem, a movie quote, or a passage from a book.
- Abbreviate the words in the phrase. You can create a password from the first letter (or first two letters) of each word in the sentence. For example, imagine your passphrase was the line from the movie, Interstellar: “We've always defined ourselves by the ability to overcome the impossible.” Your password could be: “WeAlDeOuByThAbToOvThIm.”
- Avoid common phrases, famous quotations, and well-known song lyrics. The key here is that the password must be meaningful to you — but impossible for somebody else to guess. Don’t choose something too popular or mainstream.
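The abbreviation rule described above, written out as a Python function so the transformation is unambiguous. This is an added example, not code from the article; the function name is my own, and the rule it implements (first letters of each word, first letter capitalised, apostrophes and punctuation dropped) is the one that turns the Interstellar line into the article's “WeAlDeOuByThAbToOvThIm”.

```python
import re


def abbreviate_passphrase(phrase, letters_per_word=2):
    """Keep the first `letters_per_word` letters of each word, capitalise the
    first letter of every fragment, and drop anything that is not a letter
    (so "We've" contributes "We"). Words with no letters, such as a lone
    dash, are skipped."""
    fragments = []
    for word in phrase.split():
        letters = re.sub(r"[^A-Za-z]", "", word)
        if not letters:
            continue
        head = letters[:letters_per_word]
        fragments.append(head[0].upper() + head[1:].lower())
    return "".join(fragments)


if __name__ == "__main__":
    line = "We've always defined ourselves by the ability to overcome the impossible."
    print(abbreviate_passphrase(line))     # WeAlDeOuByThAbToOvThIm
    print(abbreviate_passphrase(line, 1))  # one letter per word: shorter, easier to guess
```

Because the rule is deterministic, anyone who applies the same rule to the same quote gets the same password; that is why the advice to avoid famous quotations matters more here than for the other methods. A one-letter-per-word abbreviation of a short phrase also ends up short, so prefer two letters or a longer phrase.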
4. Create passphrases that include words from different languages
By mixing up words from other languages, you can add another level of complexity to your credentials. You should use words that you know well.
How to create a password with non-English words:
- Start with one of the methods above. For example, use three random words or a passphrase based on a quote or passage from a book.
- Replace or add words in a different language. For example, if your passphrase is “Dogs!Wine2Travel,” you could change it to: “Dogs!Vino2Travel.”
- Make sure it’s not an obvious substitute. If your partner has a non-English name, don't use that. Similarly, steer clear of common crossover phrases, like "carpe diem" or "déjà vu," etc.
5. Store your passwords in a secure password manager
Using password managers is by far the best way to create complex passwords that you won’t forget. These applications store your account credentials in a secure digital vault so that you can access them whenever you need to.
Every time you visit a site for which you have an account, a password manager can automatically input your username and password. Instead of trying to remember numerous individual passwords for every account, you only have to remember one master password for the password manager vault.
As an added bonus, Aura’s password manager can warn you if your password has been leaked, is too weak, or if you’re trying to enter it on a fake website.
How to store your passwords in a secure password manager:
- Choose a password manager. Look for an application that works across all of the devices and browsers that you use. Aura’s award-winning identity theft protection service comes with a robust password manager that encrypts all of your password data and works across iOS and Android devices, as well as most major browsers on Mac and PC computers.
- Create a strong master password. Password managers use a single “master” password to access your secure vault. Use one of the methods above to ensure that your master password can’t be cracked. Whatever you do, don’t reuse passwords from another account as your master password.
- Use your password manager. You can create and store more complex passwords for every account. The autofill feature makes it easy to log in quickly. Also, you will get alerts if you have duplicate passwords so that you can make one-click changes to update any compromised accounts.
How To Recover a Forgotten Password
If you’re trying to access an account and are locked out or can’t remember your password, you may need to reset your password.
Here’s how you can recover a forgotten password (using Gmail as an example):
- Visit the Gmail login screen on your device. Enter the name of the account that you want to recover, and select “Next.”
- When prompted for your password, select “Forgot password?”
- Next, Gmail will guide you through the various authentication methods (depending on what is set up on your account). For example, the system may send a push notification or text message to your phone to ensure a hacker isn’t trying to access your email account.
- If you can’t pass the two-factor authentication (2FA) method, select “Try another way” in the bottom-left corner of the window. As a last resort, Google can send a confirmation text or call to the recovery phone number listed on your account.
- When you’re able to successfully verify your identity, Gmail will ask you to set a new password. Use one of the methods above to create a new, strong password that you’ll remember.
If you can’t access the account through any 2FA method, you can provide an alternative email address to which you have access. Google will need time to assess your problem and then get in touch to help you recover your account.
The process for recovering your Facebook account is similar to the one above. Whatever the app or platform is, you’ll need to follow the in-app instructions to pass multi-factor authentication (MFA) and create a new password.
How To Secure Your Online Accounts (Beyond Passwords)
While strong and unique passwords can help keep your accounts secure, they’re not your only option.
Here are 10 actionable ways to protect your accounts:
- Enable two-factor authentication (2FA). 2FA adds an extra layer of security by requiring two distinct forms of identification before granting access. Consider stronger multi-factor authentication (MFA) for high-value accounts. Biometric authentication, like fingerprint scans or facial recognition, is available on iPhone and Android devices.
- Don’t store passwords in your browser. Major browsers like Google Chrome, Firefox, and Safari offer to save your passwords. But it's best to decline this option, as it could expose your data to phishing attacks. A password manager keeps your passwords safe in an encrypted vault.
- Keep your software up to date. It’s easy to overlook or delay prompts to download the latest updates for your operating system or apps. But these updates contain security patches and fixes to defend against emerging cyberattacks — so don’t ignore them!
- Watch out for warning signs indicating that your accounts have been hacked. If your passwords stop working or you get emails about unfamiliar login attempts, these are red flags. When you know the warning signs of a hack, you can react quickly if ever your accounts are compromised.
- Don’t click on suspicious links or download unknown attachments. Scammers want you to click on malicious links or enter sensitive details (like your credit card numbers) on bogus websites. To keep your passwords and information safe, avoid interacting with any suspicious communications.
- Protect your devices and network with antivirus. When you run regular scans, antivirus software helps you identify existing vulnerabilities and detect cybersecurity threats.
- Use a virtual private network (VPN). A VPN hides your internet protocol (IP) address, personal data, and geolocation. This security measure masks your browsing activity — so hackers, advertisers, and government bodies can’t track you.
- Disable ad tracking. Companies collect personal data for marketing purposes. But if the company is breached, hackers could steal your data, and you could become a victim of identity theft. Be mindful of what permissions you give to companies. It's easy to decline cookies on every site. Or, Aura can block invasive site trackers for you.
- Set stricter privacy settings. Review the settings on all of your accounts to ensure that you aren't sharing more than you should. For example, it's good practice on social media to guard personal details, like your location, phone number, and photos.
- Check if your passwords have been leaked on the Dark Web. Fraudsters buy and sell stolen personal information on hacker forums and marketplaces. Aura’s free Dark Web scanner can check if your personal data has been leaked. Aura’s scanner will alert you if it finds your passwords — so you can make changes before someone hacks your account.
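To make the last point concrete, here is an added Python example (not Aura's scanner and not code from the article) of how a leaked-password check can be done without ever sending the password itself. It follows the k-anonymity scheme used by the Have I Been Pwned “Pwned Passwords” range API, where the client sends only the first five hex characters of the password's SHA-1 and matches the remaining 35 characters locally against the returned list. The network call is replaced by an inline table: the response lines and counts are constructed for this example, except that the first suffix really is the SHA-1 suffix of “123456”. The function names are my own.

```python
import hashlib

# Constructed stand-in for a range response. The real service
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) returns
# lines of the form "<remaining 35 hex chars>:<count>". These lines and counts are
# made up, except that the first suffix is the genuine SHA-1 suffix of "123456".
CONSTRUCTED_RANGE_RESPONSES = {
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:23597311",  # "123456" (constructed count)
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2",          # constructed filler
        "F" * 35 + ":1",                                   # constructed filler
    ]),
}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into the 5-character prefix
    that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF or LF."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus. Only the hash
    prefix is handed to `fetch_range`; the suffix comparison happens here, so the
    service learns neither the password nor its full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch(prefix):
    """Stand-in for the HTTP request, answering from the constructed table."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("123456", "computer5horse3lisbon!8"):
        n = breach_count(candidate, offline_fetch)
        verdict = f"seen {n} times in the sample corpus, change it" if n else "not in this sample"
        print(f"{candidate!r}: {verdict}")
```

The check a practitioner should apply to any “has my password leaked?” tool is exactly this one: a trustworthy checker never needs the plaintext password, only a short hash prefix, and a zero result means only that the password is absent from that corpus, not that it is strong.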
The Bottom Line: Don’t Ignore Password Safety
It’s almost impossible to remember all of your passwords — especially if you’re following best practices for complex and unique passwords.
Simpler methods like using passphrases or mnemonics make it easier to remember your passwords. But the best way to keep your accounts safe is by using an all-in-one digital security solution.
With Aura, you get:
- A secure password manager to help you create and store unique, complex passwords for every online account. On some sites, you can even automatically update your password with a single click.
- VPN and Antivirus software to protect your devices against malware, spyware, and ransomware threats by using military-grade encryption and Wi-Fi protection.
- 24/7 three-bureau credit monitoring (Experian, Equifax, and TransUnion) with rapid fraud alerts that are up to 250x faster than competing digital security providers.
- Award-winning identity theft protection to monitor your most sensitive information — including your Social Security number (SSN), passport, driver’s license, phone number, and more.
- Dark Web monitoring that scans the deepest reaches of the internet in near real-time and alerts you if any of your personal information is exposed.
- $1,000,000 insurance policy to cover eligible losses due to identity theft, such as stolen money, credit cards, and passports.