How to choose a strong password - and how to remember it!

Forget what you think you know about password security - we're here to tell you the best practices for the modern age


Passwords: can't live with them, can't live without them. They protect some of our most precious digital possessions and data, yet they can be tricky to remember, and often lead to frustrating or even infuriating moments when trying to keep on top of all your accounts.

Well, Bill Burr basically wrote the book on password guidelines back in 2003 when he was working for the US government, and now he's changed his mind about what makes a good password - read on to find what's changed and how best to keep your accounts protected.

The old rules

Burr's original advice, written for the National Institute of Standards and Technology (NIST) and distributed by the US government, was to make passwords as long and complicated as possible - the more characters, the harder the password was to crack.

Throw in a few numbers and special characters and you're adding even more potential combinations - you may well have been nudged to create longer passwords when signing up for online accounts for this very reason.

This makes a lot of sense of course: "pAs5w0rD12!34" takes more attempts to crack than "password" because a computer doesn't just have to run through the lowercase alphabet, it has to try uppercase characters and numbers too, and has more potential combinations to try because of the extra characters.

The problem is, Burr says, this kind of password - though very secure - is very difficult for people to remember. As a result, users have tended to repeat the same password across multiple accounts to make it easier to bring back to memory, perhaps just changing one or two characters each time.

Another piece of advice Burr gave back in 2003 was to change our passwords regularly, and again while that's a good idea in theory, in practice it's meant that we've all fallen back on simple passwords that are easy for us to remember - and for hackers to guess.

Remembering multiple, complicated passwords, especially when they have to be regularly changed, has meant we've ended up with passwords that are hard for humans to remember and easy for computers to guess.

The new rules

So what's the new advice? The NIST guidelines have in fact been revised several times since 2003, and Burr and most experts now agree that the safest passwords are several random words strung together.

You've got a long series of characters, which protects it against brute-force attacks, but you've also only got four words to remember - and if you choose a selection that's odd and bizarre enough, you won't forget it in a hurry.

So "eleganthatsongiraffes" would work, as would "floatingpicklemusicwander" - but don't use either of those now we've mentioned them, obviously. Find something that sticks in your mind and use it.
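The article's reasoning in "The old rules" (more character classes mean a bigger search space) and in "The new rules" (several random words are long yet memorable) can both be put into numbers. The following Python script is an added example, not code from the article or from NIST: it computes the brute-force search space of a character password from the character classes present, computes the strength of a word passphrase from the word count and list size, and generates a passphrase with the operating system's cryptographic random source. The word list is a constructed sample of 32 words for illustration only; a real generator should use a large public list (the figure of 7776 words is the size of the EFF long word list, and all numbers scale with whichever list is actually used).

```python
import math
import secrets

# Constructed sample word list for illustration only. A real passphrase generator
# should draw from a large public list (the EFF long list has 7776 words); the
# strength estimate below scales with the size of the list actually used.
SAMPLE_WORDS = [
    "elegant", "hat", "song", "giraffe", "floating", "pickle", "music", "wander",
    "copper", "lantern", "river", "quartz", "velvet", "badger", "orbit", "saddle",
    "maple", "thunder", "canvas", "pepper", "glacier", "walrus", "tunnel", "ember",
    "harbor", "biscuit", "cactus", "meadow", "puzzle", "anchor", "violet", "gadget",
]


def search_space_bits(length, alphabet_size):
    """Bits of strength for `length` symbols each drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def charset_size(password):
    """Size of the alphabet a brute-force search must cover, based on the character
    classes present. This is the effect the article describes: adding uppercase
    letters, digits and punctuation enlarges the space an attacker has to try."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def password_bits(password):
    """Upper bound on the strength of a character password, valid only if every
    symbol was chosen at random. Human-chosen strings such as 'password' or
    'pAs5w0rD12!34' are far weaker than this bound, because attackers try
    dictionary words and common substitutions long before exhaustive search."""
    return search_space_bits(len(password), charset_size(password))


def passphrase_bits(word_count, wordlist_size):
    """Strength of `word_count` words each picked uniformly from a list of
    `wordlist_size` words. Unlike password_bits, this bound holds even when the
    attacker knows the list and the word count, because the choice was random."""
    return search_space_bits(word_count, wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest number of words from a list of `wordlist_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, word_count=4, separator=" "):
    """Pick words with the OS cryptographic random source (secrets), never with
    random.random(), so that the passphrase_bits bound actually applies."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(f"13-char mixed password, if truly random: {password_bits('pAs5w0rD12!34'):.1f} bits")
    print(f"8 lowercase chars, if truly random:      {password_bits('password'):.1f} bits")
    print(f"4 words from a 7776-word list:           {passphrase_bits(4, 7776):.1f} bits")
    print(f"4 words from the sample list:            {passphrase_bits(4, len(SAMPLE_WORDS)):.1f} bits")
    print("words from a 7776-word list for 64 bits:", words_needed(7776, 64))
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The numbers are worth reading honestly: a 13-character password that was genuinely random across all four character classes has a larger search space (about 85 bits) than four random words from a 7776-word list (about 52 bits). The passphrase's advantage is that people can actually produce and remember randomness in word form, whereas a password typed from memory is rarely random and so never reaches its bound. Two practical checks follow: the words must come from a random source rather than be picked by hand, since a phrase a person invents is a candidate an attacker can also invent, and the word count should be chosen for the strength wanted (a fifth word from the 7776-word list is what reaches 64 bits) rather than fixed at four.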

It's still recommended to use different passwords for each account, so you'll need to remember a few of these combinations, but you can base them around the same topics or themes to make recalling them easier.

As before, changing passwords on a regular basis is recommended as well, just in case your password and username combination should leak out in a database breach.

But instead of having an almost random combination of characters to commit to memory each time, you've just got four words. From a hacker's point of view, those four words are going to be almost impossible to guess, provided they aren't related in any way to information about you that can be easily found on the web.

Not only is this new kind of password just as hard to crack as the old kind, it's simpler to remember and impossible to guess, ticking all the boxes.

Managing your passwords

Another option is to let a password manager do the hard work for you - services like 1Password and LastPass work across all the major platforms and devices, protecting as many passwords as you like behind one master password.

Not only do these apps remember all your passwords for you, they can also generate new passwords when it's time for a change: they really do do all of the hard work.

There are plenty of other ways to keep your online accounts secure too. You should switch on two-step verification, where it's available - which is pretty much everywhere, including on Facebook, Twitter, Google, Apple, and Microsoft accounts. It means a username and password on their own aren't enough to log into a new computer: a hacker also needs a code that gets sent to your registered phone.

You should of course avoid writing down your passwords anywhere, and make sure the answers to your security questions are as robust and unguessable as possible, just in case someone tries to circumvent the whole password process somehow.

Keep the number of third-party apps connected to your accounts down to a minimum as well, to limit the number of routes into your main accounts.

No security system or setup is ever 100 percent uncrackable, but you can certainly minimise the risk of being caught out - and once you've absorbed the most up-to-date password advice for 2017, make sure you tell all your friends and family too.