How to make strong passwords

Did you know that most people use passwords that can be guessed by hackers within minutes?

A short, easy-to-guess password, like “Hokie123,” can be cracked in a few minutes. A longer, complex password can take a hacker years to guess. 

Here are Virginia Tech's recommendations for creating and managing passwords. If you’re not doing everything on this list, make some changes. It may save you a lot of trouble in the long run!

Make long, complex passwords

  • Use 12 characters minimum for all your passwords — the longer the better. 
  • Avoid obvious guesses such as your kid's or pet's names. 
  • Use a mix of uppercase, lowercase, numbers, and symbols. Depending on the service's password requirements, you may need to use all of them.
  • Long, random passphrases such as “butter B52s abstract DONUT$” can work well. A set of unrelated words can be easier for you to remember than a bunch of random characters.
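
As an added illustration (not Virginia Tech's own code), the Python sketch below builds a passphrase of randomly chosen words and checks it against the rules in the list above. The word list, the symbol set, and the function names are assumptions made for this example; the entropy figures show why the size of the word list matters.

```python
import math
import secrets
import string

# Constructed sample list, for illustration only. A real generator should draw
# from a large published list (Diceware-style lists have 7776 words).
WORDS = ["butter", "abstract", "donut", "lantern", "gravel", "orbit", "pickle",
         "canyon", "velvet", "tundra", "hammer", "quartz", "meadow", "falcon",
         "ribbon", "cactus"]
SYMBOLS = "!$%&*?"  # assumed symbol set; adjust to what the service accepts


def meets_page_rules(pw: str) -> bool:
    """12+ characters with uppercase, lowercase, a number and a symbol."""
    return (len(pw) >= 12
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() and not c.isspace() for c in pw))


def make_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Pick words with a CSPRNG, vary their case, append a digit and a symbol."""
    if n_words < 2:
        raise ValueError("need at least two words to mix upper and lower case")
    while True:
        parts = [secrets.choice(words) for _ in range(n_words)]
        parts = [w.upper() if secrets.randbelow(2) else w for w in parts]
        parts.append(secrets.choice(string.digits) + secrets.choice(SYMBOLS))
        phrase = " ".join(parts)
        if meets_page_rules(phrase):  # retry if every word came out the same case
            return phrase


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent, uniform draws from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(make_passphrase())
    # The word choices alone give a lower bound on the passphrase's strength.
    print(f"4 words from this 16-word sample: {entropy_bits(len(WORDS), 4):.1f} bits")
    print(f"4 words from a 7776-word list:    {entropy_bits(7776, 4):.1f} bits")
    print(f"12 random printable characters:   {entropy_bits(94, 12):.1f} bits")
```

The words must be picked by the random generator, not by you: a phrase a person makes up from favorite words is far easier to guess than the numbers suggest.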

For more information, see Virginia Tech's password tips.

Use a different password for every account

Reusing passwords is a bad idea. If someone gets hold of one, they have access to every account where you use it. Using a unique password for each account provides important damage control if one of your accounts is compromised, and it saves you time as you only have to change one password.

Change default passwords on smart devices

Did you know that there are sites out there that list the default passwords for common "smart" devices, such as camera systems, doorbells, and kitchen gadgets? If you use any device that connects to the internet, change the password to something unique.

Use a password manager

Password managers such as LastPass and 1Password store encrypted versions of your passwords so you don't have to remember the nice, strong passwords you've made.

Enable 2-factor authentication (2FA) whenever possible

2-factor authentication requires another factor in addition to a password, such as a code sent to your phone, to gain access to an account. This adds a layer of security above and beyond a strong password.