How to choose a strong password?

Strong passwords

Much has been said about the need for strong and unique passwords. Yet, every publicized data breach incident reveals that many people still opt for weak and common passwords.

As our lives get more entwined with growing online services and digital transactions, we need to step up our game to counter the cybercriminals who are on a constant lookout for our personal and financial information for nefarious crimes.

In one of our recent blog posts, we explained how to flush out compromised passwords from your Enpass database in a few simple steps. Let’s now take a look at the importance of a strong password and share some best practices around choosing one.

The common mistakes

A common developer practice is to have users create a minimum length of the password (usually six or eight characters) and include uppercase, numbers and special characters (like @, #, or !). We, humans, are terrible at picking random passwords and generally end up creating poor passwords.

For example, while it appears that “Rob3rtJ@nuary!” is a complex password, it is as easy for a hacker to crack as “robertjanuary1”, even though it’s a character longer and includes uppercase/digits/special characters. Looking for predictable character substitutions and capitals is like a snap of fingers for any hacker looking for an intrusion.

Also, human memory is limited and cannot remember too many complex passwords. To get around the problem, most people generate a variation of their previously used passwords and well, that never helps!

What you should do?

Here’s a thumb rule that minimizes your risk against data breaches – Always use the Enpass password generator to create every single password that you need. We can’t stress that enough!

Enpass creates strong and random passwords by using a cryptographically secure random generator. And because you use a password manager, you’d save the complex and strong password without a need to memorize it ever. Keep it safe, and autofill it wherever you need to enter the password – whether in your desktop browser or an app on your smartphone.

In the case where websites force you to create a password of a specific length, follow the same rule. Create a non-pronounceable password using Enpass password generator and include the pre-defined complexities (uppercase, digits, and symbols) to make it stronger.

Still need a memorable password?

In some cases though, it is preferable to have pronounceable passwords – like when you have to choose a master password or sign-in to an online service frequently where you can’t autofill login credentials.

While selecting a pronounceable password, it is always recommended to choose a passphrase. A passphrase is a set of words which is generally longer than a password and contains spaces in between words such as this: “revisable viola aluminum miranda staining dade.” The length of the passphrases makes them more secure and every additional word in the passphrase increases the time it would take a hacker to guess your password by order of magnitude.

Today, many security programs and websites allow you to enter a passphrase instead of just a short password for added security. Now, the problem lies in choosing random words for a passphrase but of course, Enpass is there to help.

Enpass uses Diceware methodology to create a pronounceable password using 14,400 English dictionary words. The Diceware password is a set of passphrases that is easily pronounceable and at the same time is very difficult for the hackers to crack.

How long should a passphrase be?

We recommend using the default passphrase length of Enpass password generator – seven words – to avoid the radar of hackers. But depending on your use case, you can choose the range accordingly.

Generally, a five-word passphrase provides a high level of security than the simple passwords most people use. You can use six words for wireless security, GPG, and file encryption programs like password managers. A higher length passphrase is recommended for critical scenarios such as whole disk encryption, cryptocurrency, etc.


What are your preferred security best practices? Tell us on Twitter at @EnpassApp or on Facebook. You can also drop us a line at support@enpass.io for any help, and to start any discussion, head straight to the Enpass Forums.