Secure Passwords: Essential Guide to Strong Password Creation

Passwords remain the primary defense mechanism for most digital accounts and systems. Despite decades of predictions about their demise, passwords continue to be the most widely used authentication method across the internet. Understanding how to create and manage truly secure passwords is therefore critical to your digital security.

This guide provides comprehensive information about password security, drawing extensively from the pioneering work of Steve Gibson and Gibson Research Corporation (GRC), whose research into cryptographically secure password generation has set industry standards for password security practices.

The Foundation of Password Security

Understanding Password Strength

Password strength isn’t just about length or complexity—it’s about unpredictability and entropy. A truly secure password must be:

Cryptographically random: Generated using proper random number generators, not predictable patterns
Appropriately complex: Containing sufficient entropy for its intended use case
Unique: Never reused across different accounts or systems
Properly stored: Managed securely without compromise

The Entropy Principle

Password entropy measures the unpredictability of a password. As Steve Gibson’s research at GRC demonstrates, even seemingly complex passwords can have low entropy if they follow predictable patterns. For example:

High entropy: K7#mQ9$vL2@nR5!p (truly random characters)
Low entropy: Password123! (follows common substitution patterns)

The key insight from GRC’s work is that randomness trumps complexity. A password generated through proper cryptographic methods will always be more secure than one created through human attempts at randomness.

Password Generation Methods

Cryptographically Secure Generation

Based on GRC’s research and implementation in their Perfect Passwords system, the most secure passwords are generated using:

Hardware random number generators: When available, these provide the highest quality randomness
Cryptographically secure pseudorandom number generators (CSPRNGs): Software-based generators that meet cryptographic standards
Entropy pooling: Combining multiple sources of randomness for enhanced security

Password Format Types

Different systems and applications require different password formats. GRC’s research identifies several key categories:

Hexadecimal Passwords

Format: 0-9 and A-F characters only
Use cases: WEP encryption, some VPN configurations, cryptographic keys
Advantages: Maximum compatibility with systems expecting hex input
Example length: 26 characters for WEP-128, 58 characters for WPA-256

Printable ASCII Passwords

Format: All printable ASCII characters (33-126)
Use cases: General account passwords, system administration
Advantages: High entropy per character, full symbol set available
Considerations: Some systems may not accept all special characters

Alphanumeric Passwords

Format: Letters and numbers only (A-Z, a-z, 0-9)
Use cases: Systems with character restrictions, mobile device entry
Advantages: Universal compatibility, easier manual entry
Trade-off: Requires longer length to achieve equivalent security

Application-Specific Guidelines

Wireless Network Security

Following GRC’s recommendations for wireless security:

WPA/WPA2/WPA3 Networks:

Minimum 20 characters for strong security
Use full printable ASCII character set when possible
Consider 32+ characters for high-security environments
Avoid dictionary words or patterns, even with modifications

Legacy WEP Networks (deprecated):

Use 26 hexadecimal characters for WEP-128
Note: WEP is fundamentally insecure and should be avoided

Online Account Security

Financial and Critical Accounts:

16+ characters with mixed case, numbers, and symbols
Unique password for each account
Enable two-factor authentication when available
Regular password rotation for high-value accounts

General Web Accounts:

12+ characters minimum
Unique passwords using a password manager
Longer passwords preferred over complex short ones

System Administration

Server and Network Equipment:

20+ character passwords for administrative accounts
Consider passphrase-style passwords for memorability
Implement account lockout policies
Use cryptographically generated passwords for service accounts

Password Management Best Practices

The Password Manager Imperative

As demonstrated by security research including GRC’s work, human beings cannot create truly random passwords at scale. Therefore:

Use a reputable password manager for generating and storing unique passwords
Master password security: Your password manager’s master password should be your strongest, most memorable password
Regular backups: Ensure your password database is backed up securely

Multi-Factor Authentication

Even the strongest password can be compromised. Implement additional security layers:

Hardware security keys (FIDO2/WebAuthn)
Time-based one-time passwords (TOTP)
SMS backup codes (least secure option)

Password Rotation Strategy

When to change passwords:

Suspected compromise of any account
Employee departure (for shared/administrative accounts)
Security breach at the service provider
Regular rotation for high-risk accounts (quarterly/annually)

When NOT to change passwords:

Arbitrary time-based schedules for personal accounts
If it encourages weaker, more predictable passwords
When secure storage is not available

The Future: Moving Beyond Passwords with Passkeys

Understanding Passkeys

Passkeys represent the most significant advancement in authentication technology since the introduction of two-factor authentication. Built on the FIDO2/WebAuthn standard, passkeys eliminate many fundamental vulnerabilities inherent in password-based authentication systems.

Unlike passwords, which are shared secrets that exist on both your device and the service provider’s servers, passkeys use asymmetric cryptography. Your device stores a private key that never leaves your control, while services only receive a public key that cannot be used to impersonate you.

Why Passkeys Can Be Superior to Passwords

Immunity to Common Attacks:

Phishing resistant: Passkeys are cryptographically bound to specific domains, making them impossible to use on fraudulent websites
Breach protection: Even if a service provider is compromised, attackers cannot obtain usable authentication credentials
No reuse vulnerabilities: Each passkey is unique to its service, eliminating password reuse risks
Brute force immunity: There’s no shared secret for attackers to guess or crack

Enhanced Security Through Cryptography:

Public key cryptography: Uses proven mathematical principles rather than relying on secret complexity
Hardware-backed security: Modern devices store passkey private keys in secure hardware elements
Cryptographic proof: Each authentication provides mathematical proof of identity without revealing secrets

The Security Foundation: Device Protection

The security of passkeys depends entirely on the security of the device that stores them. A passkey is only as secure as the device and account ecosystem protecting it.

Essential Device Security Requirements:

Strong Device Authentication:

Minimum requirement: Device PIN, password, or biometric lock
Recommended: Complex device passwords combined with biometric authentication
Critical: Never store passkeys on devices without lock screen protection

Account-Level Security:

Apple ID/Google Account protection: Use strong two-factor authentication on the account that syncs passkeys
Hardware security keys: Protect your primary account with FIDO2 security keys rather than SMS or authenticator apps
Account recovery security: Ensure account recovery methods are as secure as the passkeys they protect

Passkeys vs. Traditional Authentication Hierarchy

When properly secured, passkeys can provide superior security to traditional authentication methods:

Traditional Password + SMS (Weakest):

Vulnerable to SIM swapping, network interception, and social engineering
Password can be stolen, guessed, or cracked
SMS codes can be intercepted or redirected

Traditional Password + Authenticator App (Better):

Eliminates SMS vulnerabilities but password remains weak point
Still vulnerable to phishing and credential stuffing attacks
Requires managing both password and authenticator device

Traditional Password + Hardware Security Key (Strong):

Hardware key provides phishing resistance
Password remains the weakest link in the chain
Requires carrying and managing physical devices

Properly Secured Passkey (Strongest):

Eliminates password vulnerabilities entirely
Phishing resistant by design
Hardware-backed cryptographic security
Streamlined user experience without security compromise

Implementation Requirements for Maximum Security

Device Security Foundation:

Primary Device Protection:

Use complex device passwords (not just PINs or simple patterns)
Enable automatic device locking with short timeout periods
Keep devices updated with latest security patches
Enable device encryption and secure boot when available

Account Ecosystem Security:

Apple ID: Protect with hardware security keys, not SMS or even authenticator apps
Google Account: Use Advanced Protection Program with multiple hardware keys
Microsoft Account: Enable security key authentication for highest protection
Regular audits: Review account access and connected devices quarterly

Network and Environmental Security:

Avoid creating or using passkeys on compromised or untrusted networks
Be cautious about passkey creation in public or shared environments
Consider network-level threats when establishing passkey trust relationships

Platform-Specific Considerations

Apple Ecosystem: The Gold Standard with Security Keys

Apple’s Security Keys for Apple Account feature represents the most secure method available for protecting your Apple ID and the passkeys it syncs across your devices. As Apple states in their official documentation , this is “an optional advanced security feature designed for people who want extra protection from targeted attacks, such as phishing or social engineering scams.”

Why Apple Security Keys Are Critical for Passkey Security:

Ultimate Protection: Your Apple ID controls access to all synced passkeys across your devices
Phishing Immunity: Physical security keys cannot be intercepted or replicated by attackers
Eliminates SMS Vulnerabilities: No risk of SIM swapping or network-level attacks
Superior to Authenticator Apps: Even compromised devices cannot expose security key credentials

Apple’s Requirements (iOS 16.3+, iPadOS 16.3+, macOS Ventura 13.2+):

Essential Prerequisites:

At least two FIDO® Certified security keys that work with your Apple devices
Two-factor authentication already enabled on your Apple Account
Modern web browser for web-based authentication
Compatible software versions on all devices where you’re signed in

Apple’s Recommended Security Keys:

YubiKey 5C NFC: Works with most Mac and iPhone models (USB-C + NFC)
YubiKey 5Ci: Works with most Mac and iPhone models (USB-C + Lightning)
FEITIAN ePass K9 NFC USB-A: Works with older Mac models and most iPhone models

Connector Compatibility:

NFC: Works only with iPhone (tap-based connection)
USB-C: iPhone 15 or later, most Mac models
Lightning: iPhone 14 and previous iPhone models
USB-A: Older Mac models (or newer Macs with USB-C-to-USB-A adapter)

Critical Security Warnings from Apple: ⚠️ Account Lockout Risk: “You’re responsible for maintaining access to your security keys. If you lose all of your trusted devices and security keys, you could be locked out of your account permanently.”

⚠️ Device Compatibility: Cannot sign in to older devices that can’t be updated to support security keys

⚠️ Feature Limitations: Not supported for child Apple IDs, Managed Apple IDs, or Apple Watches paired with family member’s iPhone

Implementation Strategy:

Purchase Multiple Keys: Apple requires minimum 2 keys, supports up to 6
Geographic Distribution: Keep keys in different locations (home, work, safety deposit box)
Test Before Full Deployment: Verify compatibility with all your Apple devices
Plan for Device Updates: Ensure all devices meet minimum software requirements

Why This Matters for Passkey Security: When you enable Security Keys for Apple Account, you’re not just protecting one account—you’re securing the entire foundation that protects all your passkeys. Since Apple syncs passkeys through iCloud Keychain, compromising your Apple ID would give attackers access to all your passwordless authentication credentials across every service that supports passkeys.

Google/Android Ecosystem:

Passkeys sync through Google Password Manager
Integration with Android’s hardware-backed security features
Requires Google Account security as foundation
Advanced Protection Program provides additional security layer

Cross-Platform Strategies:

Consider using dedicated password managers that support passkeys (1Password, Bitwarden)
Maintain passkey backups across multiple secure platforms
Plan for device loss or platform migration scenarios

When Passkeys May Not Be Appropriate

Technical Limitations:

Limited support on older devices or legacy systems
Some services don’t yet support passkey authentication
Cross-platform compatibility still evolving

Security Considerations:

Shared or compromised devices should never store passkeys
Accounts without strong two-factor authentication shouldn’t manage passkeys
Environments where device security cannot be guaranteed

Backup and Recovery Challenges:

Account recovery becomes more complex without password fallbacks
Device loss can temporarily lock access to services
Platform lock-in concerns with proprietary passkey sync systems

Migration Strategy: From Passwords to Passkeys

Phase 1: Foundation (Immediate)

Secure your primary accounts (Apple ID, Google, Microsoft) with hardware security keys
Ensure all devices have strong authentication and are fully updated
Review and strengthen account recovery methods

Phase 2: High-Value Accounts (Month 1)

Enable passkeys for financial services and critical work accounts
Maintain password + MFA as backup during transition period
Test passkey functionality across all your devices

Phase 3: General Adoption (Months 2-6)

Replace password authentication with passkeys as services add support
Gradually reduce reliance on password managers for sites supporting passkeys
Monitor account security and access patterns

Phase 4: Password Elimination (Ongoing)

Remove passwords entirely from accounts offering passkey-only authentication
Maintain password manager only for legacy services
Regular security audits of authentication methods

Future-Proofing Your Authentication

Passkeys represent the current best practice in authentication technology, but security is an evolving field. Stay informed about:

New authentication standards and protocol improvements
Platform security updates that enhance passkey protection
Service provider adoption of advanced authentication methods
Threat landscape changes that might affect passkey security

Remember: The goal isn’t perfect security—it’s meaningful improvement over current methods. Properly implemented passkeys on well-secured devices provide dramatically better protection than even the strongest password-based authentication systems.

Advanced Security Considerations

Password Recovery and Account Recovery

Set up secure account recovery methods before you need them
Use alternative email addresses that are also properly secured
Store recovery codes in your password manager
Consider the security of recovery questions and avoid predictable answers

Threat Modeling for Password Selection

Different accounts require different security levels:

Maximum Security (banking, primary email, password manager):

20+ character cryptographically generated passwords
Hardware-based multi-factor authentication
Regular security monitoring

High Security (work accounts, social media, shopping):

16+ character unique passwords
Software-based multi-factor authentication
Periodic security reviews

Standard Security (low-value accounts, newsletters):

12+ character unique passwords
Basic multi-factor authentication where available

Implementation Guide

Getting Started

Audit your current passwords: Identify reused, weak, or old passwords
Choose a password manager: Research and select a reputable solution
Generate a strong master password: Use techniques from GRC’s research for maximum entropy
Begin systematic replacement: Start with your most critical accounts
Enable multi-factor authentication: Implement additional security layers

Tools and Resources

Password Generators:

Your chosen password manager’s built-in generator
GRC’s Perfect Passwords: https://www.grc.com/passwords.htm (excellent for understanding cryptographic password generation)
Hardware security keys for password-less authentication

Password Strength Testing:

Built-in strength meters (with skepticism about their accuracy)
Entropy calculation tools
Breach databases for checking if passwords have been compromised

Conclusion

Secure password practices form the foundation of digital security. By implementing the principles outlined in this guide—drawing from the extensive research conducted by Steve Gibson and GRC—you can significantly improve your security posture.

Remember that password security is not a one-time setup but an ongoing practice. Stay informed about new threats, regularly review your security practices, and always prioritize cryptographically secure generation over human attempts at randomness.

The investment in proper password security pays dividends in protecting your digital identity and sensitive information from increasingly sophisticated attacks.

Attribution and Further Reading

This guide incorporates principles and research from Steve Gibson and Gibson Research Corporation (GRC). For detailed technical information about cryptographically secure password generation, visit:

GRC’s Perfect Passwords: https://www.grc.com/passwords.htm
Security Now! Podcast: Steve Gibson’s ongoing security research and commentary
GRC’s SpinRite: Additional security tools and research

We encourage readers to explore GRC’s extensive security research for deeper technical understanding of cryptographic principles and security best practices.

Last updated: May 31, 2025

Secure Passwords: Essential Guide to Strong Password Creation#

The Foundation of Password Security#

Understanding Password Strength#

The Entropy Principle#

Password Generation Methods#

Cryptographically Secure Generation#

Password Format Types#

Hexadecimal Passwords#

Printable ASCII Passwords#

Alphanumeric Passwords#

Application-Specific Guidelines#

Wireless Network Security#

Online Account Security#

System Administration#

Password Management Best Practices#

The Password Manager Imperative#

Multi-Factor Authentication#

Password Rotation Strategy#

The Future: Moving Beyond Passwords with Passkeys#

Understanding Passkeys#

Why Passkeys Can Be Superior to Passwords#

The Security Foundation: Device Protection#

Passkeys vs. Traditional Authentication Hierarchy#

Implementation Requirements for Maximum Security#

Platform-Specific Considerations#

When Passkeys May Not Be Appropriate#

Migration Strategy: From Passwords to Passkeys#

Future-Proofing Your Authentication#

Advanced Security Considerations#

Password Recovery and Account Recovery#

Threat Modeling for Password Selection#

Implementation Guide#

Getting Started#

Tools and Resources#

Conclusion#

Attribution and Further Reading#