Passwords are ubiquitous. We use them to access everything from our bank accounts and sensitive business documents, to our social media and online memberships. The most secure passwords are a series of random numbers, letters, and characters. Using these types of passwords can present practical challenges, though, because they are easily forgotten and difficult to enter correctly. Further, because passwords are such a common part of our lives, we can too easily fall into bad habits that put business or personal information at risk.

There are dos and don’ts you can follow to build passwords that are secure and practical for frequent use. If you find yourself keeping your password on a sticky note on your computer or reusing the same password, try these techniques to build better, more secure passwords.

Don’t use common words or phrases

Hackers often begin cracking systems by trying variations of common words and phrases, like PASSWORD123 or the more sophisticated PA$$WORD123. Avoid building your password off common phrases so you are not giving the hacker a leg up.

Don’t use names or personally significant dates

Hacking incidents often start with a stolen identity, in which cases the hackers can have access to personal information like names of family members and important birthdates. Avoid using these significant names and dates, as this may be the very information the hacker has about you.

Do use numbers and special characters

Many systems now require users to create passwords with a mix of numbers and special characters. Even if a system you are trying to access does not do this, use the numbers and special characters to complicate and secure your password.

Do adopt an uncommon root word to build the password

While using common words and phrases is a don’t, using an uncommon root word as the starting place for a password can avoid the security risks of a common word while making the password easier to remember. For example, consider using unique nicknames, fictional character names, or goofy word combinations (eg. SquirrelJam).

Do consider the sensitivity of the account and the frequency of use

How you build your password should depend on the sensitivity of the information it protects and the frequency of your access to the account. For example, your password for a customer relations management system must be very secure, as unauthorized access to this type of information can create legal liability for a company. However, if you access the system every day or multiple times a day, there will be a strong incentive to keep a complicated password written down or to adopt an overly simple password. Assess the risk and use as many techniques as possible to build a password you can remember that is also secure.

Don’t use the same password twice

Reusing passwords invites trouble, as hacking one account can open up multiple other access points for hackers. Highly sensitive accounts, like bank accounts and access to customer information, should always be completely unique. Less sensitive accounts may reuse root words, but each password should be different.

Do change passwords for sensitive accounts periodically

The longer you maintain the same password, the more opportunities you provide to hackers to figure it out. A great way to thwart this is to change sensitive passwords periodically. Changing passwords quarterly, and using the dos and don’t discussed here, will provide additional security.

Let’s look examples of how to apply these ideas

Applying these ideas, you can improve your data security while also using passwords that are practical.

The example phrase “SquirrelJam” is a good starting point, as it is an uncommon phrase but relatively easy to remember. We can then add numbers and special characters to improve security. A good technique is to replace the letters in the phrase with numbers and special characters, creating, as an example, the password “$qu!re1J@m.” Here, the dollar sign replaces the letter S, an exclamation point replaces the letter I, the number one replaces the letter L, and the @ sign to replaces the letter A. The result is a secure password that will be relatively easy to recall and enter correctly.

If the account is particularly sensitive, do not reuse the root word. For less sensitive accounts, though, you can also adopt techniques to recycle these principles while still using a unique and memorable password. For example, try adding additional numbers and letters at the end of a secure root phrase. To create a new password for www.fakewebsite.com, $qu!rre1J@mF@ke may be a good option, as it uses a secure root word and then makes it unique in a way that you may recall more easily.