Sage Advice - Cybersecurity Blog

What Makes a Strong Password and Six Steps to Create One

123456-is-not-a-strong-password-1Passwords are one of the most important things under my control that I can use to secure my information online. And while intellectually I understand this – and believe it is my civic responsibility to be cyber aware – I still think they are a major inconvenience.  Especially considering the number of online accounts I have to manage.  And I know I’m not alone in this.  According to this infographic, the average number of accounts registered to one email in the United States is 130… and the number of accounts we use is doubling every five years!  That’s a lot to keep track of!

But let’s face it, passwords are a necessary inconvenience.  And it’s not enough to have one, it has to be strong.  According to Identity Hawk, “Since passwords grant access to bank and credit card accounts and a variety of other aspects of people's lives, the stakes are very high… At a time when millions of people become identity theft victims every year, a sober approach to password security and complexity is a big part of preventing identity theft. The very least you can do is make it difficult for others to guess (or find) your passwords.” 

What is a strong password?

#1. Passwords should be long, strong, and complex.

Mathematically speaking, the difference between a weak password and a strong password is the number of characters available, and hence the number of possible combinations available to construct a password based on those characters.  There are many tools out there that bad guys use to break passwords, and they are getting faster.  Use all the characters available – uppercase letters, lowercase letters, numbers, and special characters.  The length and complexity can create a stronger password, and make it more difficult for the hackers to break!

#2. Password should not be easy to guess.

As human beings we tend to follow the same patterns when selecting passwords – things like pet’s names, a favorite sport, or even the word 'password.'  Not to mention a sequential list of number like 123456.  In fact SplashData, which collects passwords from data breaches, said in 2015 the most common password was 123456 for the fifth year running.

Common passwords are extremely easy to guess, and should be avoided.  Check out this list of most common passwords to see if your password is included.

#3. You should use a different password for every account.

This one is tough, but it’s definitely important.  Do you remember the supposed Starbucks “Data Breach” back in 2015?  While it proved to be true that several customers’ accounts experienced unauthorized access, Starbucks had not been breached.  What happened is that Starbucks customers used the same username and passwords to access their Starbucks account that they used to access other accounts.  And one of those sites had experienced a breach.  The fraudster acquired the stolen credentials from one site, and simply tried them to see which would work on other sites.

I understand the appeal of using the same passwords for multiple accounts – it’s easy to remember and makes getting things done online much quicker.  But there are tools, like passwords managers, that can help ease the burden.  Or you can create a system to help you develop a unique password for each account. (Be sure to keep reading because I’ll share it with you below!)

#4. Use two-factor authentication when available.  

Two-factor, or multi-factor, authentication can provide you with an extra layer of security.  It requires additional information over and above your username and password to access your accounts.  These include one (or more) of the following:

  • Something you know. A username and password is the primary example, but answers to challenge questions may also be used to provide another layer of identity verification. When selecting challenge questions, try to avoid the “simple questions” like mother’s maiden name or city of birth, and opt for questions that are more difficult to guess or find with basic google searches or looking at one of your social media sites. 
  • Something you have. This includes your mobile phone and having a One-Time Passcode (OTP) sent to your phone via text mesTyler or email after you’ve entered your username and password to gain access to a site. This prevents an attacker from gaining access to your information with just your username and password. You might also be issued a security token that generates a new secret code at a pre-determined interval. This code is entered after username and password are submitted, and provides the same sort of security layer as text mesTyler with an OTP.
  • Something you are (i.e., a physical characteristic). A fingerprint is a good example of this.

Two-factor authentication is becoming widely available for a variety of accounts.  Check out to find out which of your accounts offer it.

How to Create a Strong Password


Celebrate Cybersecurity Awareness Month this October by increasing your awareness and make staying safe online your new habit.  Learn more at

Free Download: Ransomware Survival Guide

We’ve all seen the headlines. Ransomware attacks are escalating. It’s essential that your organization has the proper controls in place to defend your organization against an attack. But defense strategies are not enough. With some ransomware strains touting success rates of 40% or higher, it’s even more important that your organization is prepared to confidently respond to, and survive, a ransomware attack. This survival guide will arm you with the knowledge you need to defend against and prepare for an attack.

Go to Download

Topics: Security Policy, Cyber Defense

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More