How do you come up with new, safe passwords now that your current ones are probably for sale on the black market?

The barista pauses for a moment before he steams his pitcher of milk. “I’ve had the same e-mail and password since 1997,” he says. “Almost 20 years.”

But it may be time to change. Report after report shows millions of account details—from LinkedIn to Twitter—for sale on the Dark Web, and big names from Katy Perry to Facebook founder Mark Zuckerberg to the NFL have been hacked.

One hacker who reportedly took over George Harrison’s Twitter account this week told The Daily Beast, “If you’re a celebrity, you should change your password immediately. Literally everyone should just create a new e-mail, think of a new password, and do it for every account.”

Celebrities are not the only ones listening.

“Yeah, I’m going to change some passwords,” the barista nods. “Keep ’em fresh.”

But how do you find safe passwords for the 40 or more accounts you may have online?

“Make it something easily forgettable. Because I will forget in the next five minutes,” the barista laughed. “Because you know you’re going to have to click ‘Forgot your password?’ ‘Yes. Again.'”

Bad habits

You may know that it’s a bad idea to use your pet’s name or your birthdate or the name of the site as your password, as they are easy to guess.

Words and phrases like “Ilovekittens” and “sunshine” are popular and thus easily breakable. And using the same password over and over lets the bad guys steal one set of account data and then guess the passwords for your other accounts.

Hackers most likely got into Zuckerberg’s Twitter and Pinterest accounts by using his stolen LinkedIn account password, “dadada,” on his other accounts, reported The Wall Street Journal.

So you may try a different tack.

Adding numbers

“I don’t recycle. I repurpose.” said the barista, whom we’ll call Password123—not his real name, and not his real password. 

“I turn them into something new, like add a one. Mrsmuffybottoms1, Mrsmuffybottoms12, Mrsmuffybottoms123,” he said. 

But adding numbers at the end does not make your password more secure, experts say.

“Nope: crackers know that users often stick numbers at the end, so ‘brooklynqy’ is more secure than ‘brooklyn16,’” reported Bill Camarda with cybersecurity company Sophos’ Naked Security. 

Swapping out numbers for letters doesn’t help either.

“Nope: password crackers ‘exploit users’ tendency to make predictable substitutions,’ so ‘punk4life’ isn’t stronger than ‘punkforlife,’” he wrote in a post.

What now?

First, plan to make your password long. Very long.

Slade Griffin with Contextual Security said hackers can and do use computers to crack your personal code—in a very short time.

“There’s no typical password, but if we want to consider the most popular ones ‘typical,’ then it takes zero seconds,” he said.

In one demonstration, he used a computer to crack thousands of passwords in less than a minute.

But you can make your password more difficult to decode, so thieves move on to someone else. Length is part of the equation.

“We recommend greater than 15 [characters] based on the patterns we have seen,” Griffin told Archer News.

Complexity

Password123 sometimes uses the names of his favorite bands combined with numerals, or words related to the site to help him remember.

“If you’re not using it like at least once a week, like an e-mail or a bank, I’ll forget, because I don’t ever write them down,” he said. “They say not to write them down.”

Experts remind us that malicious hackers have a lot of resources at hand.

“The crooks have dictionaries, books, movie scripts, song lyrics, Facebook, twitter and much more,” said Paul Ducklin with Naked Security in a video. “So avoid password based on nicknames, birthdays, quotations, pets anything of that sort.”

Random letters, numbers and characters are better than real words that password-hacking tools can guess.

“Even the simplest of these tools now contain 99% of all possible English alphanumeric password combinations,” said cybersecurity company Mandylion on its site. “These tools are clever, stealthy and lethal. Worse yet, they are widely available for download on the net.”

Testing for strength

Longer is stronger, and our experiments with Mandylion’s password attack tool show why.

If we use a password of eight upper case letters, the tool says there could be more than 200 billion possible combinations.

Hackers using a desktop computer could crack it in about six hours, the tool shows. 

However, there are much faster computers in use, Griffin said. The desktop computer processes 17 billion tries an hour, according to the tool. But some computers can process 100 billion tries a second, according to Ducklin.

That same eight-letter password could be cracked in two seconds with the stronger computer, Ducklin’s video said.

Double it

If you make your password twice as long, that 16-letter code will not take hackers twice as long to crack, the tool shows. It will take much longer—almost 1,300,000,000,000 hours, or 54 billion days, on the desktop computer. Even on a stronger computer, the process might take too long.

“I don’t think the crooks have that kind of time,” the barista said.

Length is even more important than changing up numbers and letters, Griffin said. “Now, adding complexity—special characters, numbers, mixed case—all adds to the difficulty,” he said. “A password of over 15 characters is generally better than an eight-character password with complexity.”

Four random words

Griffin pointed to the cartoon XKCD, which showed how a password like “Tr0ub4dor&3” is easier to crack than four random words put together, like correct-horse-battery-staple, which would be typed out as “correcthorsebatterystaple.”

Ducklin gave similar examples like volcano-overdrive-pendulum-avocado and crooked-janitor-sandal-undergrowth.

“But watch out for words that relate obviously to you,” said Duckin. “They do need to be unusual.”

Passwords like my-cat-likes-treats and MG-roadster-racing-green are not good, according to Ducklin.

Memory fail?

Now that you’re ready to change all of your passwords, how will you keep track of them?

“They’re going to be a jumbled mess and I’m going to write ’em down and stick ’em in a coffee can and bury them in the back yard,” joked Password123. “Safety deposit box at the bank. Cyber Dobermans!”

“There’s a stigma of writing passwords down, however I am not totally opposed to this,” said Griffin. “Keeping the password right next to the device would obviously be a mistake. However, keeping a password book tucked away at home seems reasonable.”

Many experts recommend password manager programs that sit on your computer and store all of your user names and passwords—a cyber Doberman of sorts. You use just one password—hopefully a strong one—to access the digital safe.

“Storing passwords within software is popular,” said Griffin. “However, certain levels of trust are then placed in the software developer.” LastPass, 1Password, KeePass are password managers mentioned by Ducklin and Forbes.

Two is better than one

You can add another layer of security in case your password is cracked.

“Multi-factor authentication is really the only good answer and many companies are beginning to move in that direction,” said Griffin. “Many vendors now offer a two-step verification process where an SMS message can be received on a phone, an app can generate a temporary code, or a one-time password can be spontaneously generated and delivered,” he explained.

You can check your account profiles to see if you already have the option. 

Time for change

The barista has already changed one of his passwords on the spot. He plans to change the password for his bank account as well, though he’s not worried about his social media.

“I might just write them down, I guess. Nobody’s going to want to break in [to my house]. Last name’s not Rockefeller,” he said. “Or Bieber.”

But he wonders when the cat-and-mouse password game will end.

“Really, you just have to keep getting longer and more varied passwords. That’s just all there is to it. There’s nothing coming out where you can put a chip in your nose and just sneeze out your info?” he mused with a smile.

He sees a future with a different kind of authentication.

“Computers are going to start to identify you almost down to your DNA,” said Password123, who has now decided to call himself Xl9^tg#k.j?Y-hF. “The three levels would be your retina scan, fingerprinting and your brain waves, instead of these dark ages of ‘muffyballs22.’”

Other tips from Sophos’ Naked Security:

• Capitalize the middle of words rather than the beginning
• Place digits and symbols in the middle rather than the end
• Use random digit sequences instead of obvious ones, like years
• Choose words other than common first names
• Avoid words that are personal to you, like your child’s name
• Avoid words that are obviously related to the site or account you’re trying to protect