How to Create Strong Passwords – Best Practices in 2020

Software Licensing Service
Licensing As a Service – Why It Is the Modern Way of Software Licensing
14th October 2019
Strong Customer Authentication explained
What is SCA? (Strong Customer Authentication) – Quick Guide
29th October 2019
Show all

How to Create Strong Passwords – Best Practices in 2020

How to enforce strong passwords

With 81% of company data breaches for companies in 2018 due to not using strong passwords, it’s increasingly important to take every step possible to stay safe when conducting transactions online.

But what exactly is a ‘strong’ password and what options are available to help ensure that your sensitive information remains secret and safe? Let’s explore further…

What is a ‘strong’ password?

When we are asked to come up with a password, it will often involve something that is easy for us to remember – such as a string of words or numbers that mean something personal to us. These are ‘weak’ passwords that are often easy to guess for individuals attempting to gain access to your account or personal information.

A strong password is one that is difficult or impossible to guess. The best strong passwords are ones that are at least six characters long, combine upper-and lower-case letters, numbers, and do not hold any words that can be found in the dictionary or can be figured out by examining your social media profile.

Why are passwords so important?


Simply put, passwords are deployed to protect information or functionality that is personal to you or should not be available to the general public. Passwords are used on a number of different sites from personal email accounts, online banking details, private business logins, commercially sensitive file-sharing platforms, and much more.

A weak password means that a suitably motivated individual can access this information with ease and personally profit. At the lowest end of the scale, this means the inconvenience of having to update your personal passwords and site details. At the other, you can be at risk of losing significant savings from your account, be subject to fraud, or be personally responsible for data loss for your business. 

While password creation and maintenance can be consuming, it is always worth remembering that it will involve a fraction of the time and stress involved with resolving a data breach or attempting to refund any money stolen from your account.

If you are personally responsible for keeping your information secure, it is essential that you deploy strong passwords and have a broad awareness of dos and don’ts when it comes to creating them.

Most people don’t do this at all - did you know that the top 5 most common passwords are:

1. 123456

2. 123456789

3. qwerty

4. password

5. 111111

(according to the UK's National Cyber Security Centre (NCSC) in 2019)

Examples of weak passwords - what not to do

Not using 123456 as your work email's password? Great. But even then there is a good chance your passwords are not secure. Take a look at these examples.


Plain language passwords

A common trick for bypassing passwords is to use a ‘brute force’ hack. Depending on the setup of the system, intruders with access to your social media will apply your initials, that of relatives, or pet names. If it can be found in a book, it shouldn’t be in your password. 

Shared Passwords

Never use the same password on multiple sites. If an intruder gains access to your account, their first port of call will be to try your login id and password with other accounts that are linked or could be attached to your account. In addition, never share your password with another friend or colleague as this will exponentially increase your risk of a breach.

Unchanged passwords

While it may be possible to determine what your password is over time, changing it regularly will make it more difficult for others to guess it. It’s advisable to change your password at least once a month and use password tracker software to keep tabs on your new password. Never physically write your password down and, of course, sticking it onto your monitor or laptop with sticky notes should not happen!

Any good site will ask your to regularly change or verify your account password. Companies like Amazon or eBay will ask you to attach a mobile phone number to your account and send one-use passwords or verification or alert messages if a user with a new IP tries to access your account.

The need for higher online security has been taken seriously in the past years. In September 2019, new European regulatory requirement called Strong Customer Authentication (SCA) took effect. SCA’s purpose is to prevent and reduce fraud and make online payments more secure.

How to create a strong password?

Ideally, most sites you use should enforce the creation of a strong password on their system. Ideally this should involve the following steps.

The site should detail what your password needs to have, this should include upper- and lower-case characters, numbers and be of a certain length.
When the password is being entered, a dynamic checker should give information about the status of the password from poor, to strong, to secure, sometimes with colours from red to green.
Once it is entered, the registration should be sent to your email account to confirm that it is indeed you registering on the site.

If this is not the case, we would always advise that you follow these steps anyway and make the extra effort to ensure that your online security is given top priority.

It is also worth using a password protector service such as KeePass to store your account information in one secure place. These often come with random key generators to help quickly and securely create high-strength passwords and prevent unwanted access to your personal and professional accounts.

Multi-Factor Authentication can help with keeping passwords safe

Multi-Factor Authentication (MFA) is the new gold-standard for site security when you’re looking to keep your account passwords safe. 

This a security system that asks anyone accessing your account for multiple unique credentials to prove exactly they are who they say they are. Depending on how you want to set it up, this can include push notifications to your mobile device, a request for fingerprint ID, or a unique additional security question. Smart devices such as iPhones have even started using facial recognition or the potential for retinal ID as an added plus. 

One-time passwords are also an extra layer of security that can be implemented. If you want to learn more about how this can help, you can check out our recent blog on one-time passwords and find out how it can contribute to your personal security online.


If you want to keep your account secure online, applying MFA in combination with a strong approach to password security is a hugely helpful way to keep your personal information out of unwanted hands.

This means choosing regularly updated, long-form passwords that are created according to recognised best practice. It is also helpful to look into using MFA to keep your accounts secure and staying abreast of industry best practice, as the internet never stands still…and neither should you.

If you're developing an application and want to enforce MFA, please contact us at 10Duke.

If you want to have a look on your options for best password managers you can do so at Digital, who have done research on the topic: Best Password Managers of 2020.


You might also be interested in:

20th August 2021
10Duke 101 - Understanding 10Duke Licensing

10Duke 101 – Understanding the Basics of 10Duke Licensing

A brief introduction to 10Duke’s Licensing Solution. We will go through its main concepts and how to integrate with 10Duke, including delegation of authentication, product configuration […]
29th March 2021
Password sharing - don't do it!

Is Sharing Really Caring? Not If It’s Your Password

Password sharing may seem harmless, but it actually puts your business, employees and customers at risk. Find out why what you can do to prevent it.
18th February 2021
How to Protect Software IP?

Software IP Protection – How to Protect Software Intellectual Property?

Software IP protection strategy is not just about limiting access. Best IP protection also aims to enhance customer experience.
18th November 2020
Working with 10Duke

Working with 10Duke

Working with 10Duke normally follows a 4 stage process, which we will go through in this blog post.
28th November 2019
What Is A Brute Force Attack

Brute Force Attacks – 4 Methods to Protect Against Them

Brute Force Attack involves multiple attempts to guess a password. But how do you protect against them? Learn all about it on this blog.
9th January 2019

One-time Passwords: Beginner’s Guide 2020

One-time passwords can be generated in several ways and each one has trade-offs in term of security, convenience, and cost.
9th January 2019

Beginner’s Guide to REST API and GRAPH API

The unsung hero of our connected world is the Application Programming Interface (API). APIs make it possible for interactions between applications, data and devices to take […]
8th January 2019
cybersecurity word collage

Mapping the Cybersecurity Landscape

“An ounce of prevention is worth a pound of cure.” Cybersecurity is about gaining peace of mind from knowing that your business is prepared.
2nd October 2018
single sign on to multiple apps

Alternative to Okta

The 10Duke Identity Bridge service is a cloud-based service that enables Single Sign-On for your employees by ‘bridging’ between the Identity Provider used by your company […]

Ideally, most sites you use should enforce the creation of a strong password on their system. Ideally this should involve the following steps.

Schedule a Demo