Strong passwords add security to accounts and devices

Many people dread receiving emails notifying them it is time to change their passwords. The reason? “Most of us are terrible at picking passwords, including me,” said Elizabeth Redwine, a Tier 2 Senior Technical Support Analyst in Information Technology Services (ITS).

However, passwords are necessary because they help protect accounts and devices from unauthorized access, which could lead to compromised accounts. The Cybersecurity & Infrastructure Security Agency (CISA) emphasizes that strong passwords make it difficult for cybercriminals to access your information.

“Tracking all of the number, letter, and word combinations may be frustrating, but these protections are important because hackers represent a real threat to your information,” according to CISA. “Often, an attack is not specifically about your account but about using the access to your information to launch a larger attack.”

Tips abound for creating strong passwords designed to thwart cybercriminals. Redwine suggests combining an adjective, a noun, and a number, or an adverb, a verb, and a number, then adding an allowable special character and capitalizing one of the letters to create a strong password that meets George Mason’s requirements. “It may seem complicated, but if you follow the guidelines, you should be fine,” she said.

CISA points to the guidelines developed by the National Institute of Standards and Technology (NIST) regarding length and complexity. NIST, a federal agency that sets standards and procedures for different fields, including cybersecurity, recommends using the longest password or passphrase acceptable. It also recommends avoiding common phrases, famous quotes, song lyrics, and words in the dictionary.

Avoid using personal information such as your name, a pet’s name, or any information that can be found on social media. Tricks to strengthen passwords include substituting letters with numbers and punctuation marks or symbols. For example, CISA recommends using “@” for “A” or “!” for “I” or “L”. Substitute “PH” for “F” or “enjin” for “engine”.

Using a different password for each account also helps keep accounts and devices safe, according to CISA. “If attackers guess your password, they will have access to your other accounts with the same password.” Additionally, you can protect strong passwords using Two-Factor Authentication (2FA) on accounts where it is available.

Redwine said those who have trouble remembering their passwords should consider a password manager. ITS does not endorse specific password managers but encourages people to review available services to determine what works best for their needs. There are free and premium services.

CISA also recommends password managers. “With just one master password, a computer can generate and retrieve passwords for every account that you have – protecting your online information, including credit card numbers and their three-digit Card Verification Value (CVV) codes, answers to security questions, and more,” the agency said.

One of the top ways to keep others from accessing accounts is to keep passwords private. “Don’t tell anyone your passwords and watch for attackers trying to trick you into revealing your passwords through email or calls,” according to CISA. “Every time you share or reuse a password, it chips away at your security by opening up more avenues in which it could be misused or stolen.”

To learn more about creating a strong password, visit the ITS website.