Creating Strong Passwords: A Practical Security Guide
The average person has over 100 online accounts. Most people reuse the same few passwords across most of them. This is one of the biggest security risks in modern life: not because of sophisticated hacking, but because of straightforward attacks that exploit predictable human behavior.
This guide explains what makes a password genuinely strong, how attackers actually crack passwords, and how to build a password strategy you'll actually stick to.
How Attackers Crack Passwords
To understand what makes a password strong, you first need to understand how they're broken.
Credential stuffing
When a service is breached, the stolen username/password combinations (billions of them, across all known breaches) are sold and traded on underground markets. Attackers feed these lists into automated tools that try each pair against other services. If you reused the email/password from a breached site on your bank, your bank account is compromised even though the bank itself was never hacked.
The fix: Never reuse passwords. Every account gets a unique password.
Dictionary attacks
Attackers use wordlists: not just dictionary words, but millions of real passwords leaked from previous breaches. Cracking tools also apply rule sets that generate the substitutions and suffixes people habitually use: p@ssw0rd, S3cur1ty!, Tr0ub4dor&3. These pattern-substituted passwords offer almost no security advantage because the substitutions are predictable and the tool tries all of them.
The fix: Don't use dictionary words with letter substitutions. A password like Tr0ub4dor&3 falls to a dictionary attack with rules. A randomly generated string does not, because no wordlist or rule produces it.
Brute force
For every added character, the number of possible passwords multiplies by the size of the character set. Here is what brute force looks like at scale. The times below assume 10 billion guesses per second against a fast, unsalted hash such as MD5 or NTLM (a single modern GPU manages at least that against leaked hashes) and show the worst case, where the attacker has to search the whole space. Against a deliberately slow hash such as bcrypt or Argon2 the guess rate drops by several orders of magnitude, but you don't control which hash a site uses, so plan for the fast case:
| Password length | Lowercase only (26 symbols) | Mixed case + numbers + symbols (94 symbols) |
|---|---|---|
| 6 characters | Under a second | About a minute |
| 8 characters | Seconds | About a week |
| 12 characters | Months | About 1.5 million years |
| 16 characters | About 140,000 years | Over 100 trillion years |
Length is the most powerful factor in password security. Going from 8 to 12 lowercase characters multiplies the search space by 26^4, about 457,000; switching an 8-character password from lowercase to the full 94-character set multiplies it by (94/26)^8, only about 29,000. Four more characters beat full complexity.
Phishing
No password is secure if you type it into a fake login page. Technical password strength is irrelevant here โ training and awareness matter most. Check the URL before entering credentials, and use a password manager that autofills only on the correct domain.
What Makes a Password Strong
A strong password has three properties:
1. Length: Aim for at least 16 characters. Longer is always better. Each added character multiplies the search space, so a 20-character password is vastly harder to brute-force than a 12-character one, regardless of which character classes it uses.
2. Randomness: Human-chosen passwords are predictable. We pick words we know, dates that matter to us, and patterns that feel "complex" but aren't. True randomness, produced by a computer's cryptographic random number generator, is far stronger.
3. Uniqueness: Each account must have a different password. One breach should never cascade to other accounts.
Character Sets and Complexity
The "character set" is the pool of possible characters. Using all character types maximizes this pool:
- Lowercase letters: 26 characters
- Uppercase letters: 26 characters
- Digits: 10 characters
- Symbols (e.g., !@#$%^&*()): 32 characters
- Total: 94 printable ASCII characters (excluding space)
A random 16-character password from this pool has 94^16, about 3.7 × 10^31, possible combinations (roughly 105 bits of entropy). That is not crackable in any practical timeframe.
Use the Password Generator to create cryptographically random passwords from the full character set.
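The brute-force table above and the 94^16 figure in this section both come from the same arithmetic: keyspace = charset^length, entropy = length × log2(charset), and worst-case crack time = keyspace / guess rate. The following calculator is an added example, not code from this page or its generator; the 10 billion guesses per second figure is an assumption chosen for illustration, and the function and constant names are mine.

```python
import math

# Character-set sizes used throughout the guide.
LOWERCASE = 26
FULL_ASCII = 94  # 26 + 26 + 10 + 32 printable ASCII, no space

# Assumed attacker speed: 10 billion guesses/s against a fast, unsalted hash
# (MD5, NTLM). This is an illustrative assumption, not measured data.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def seconds_to_crack(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker has to try the whole keyspace."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration using the largest unit that fits."""
    if seconds < 1:
        return "less than a second"
    units = (("year", 365.25 * 86400), ("day", 86400),
             ("hour", 3600), ("minute", 60), ("second", 1))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            label = name if round(value) == 1 else name + "s"
            return f"{value:,.0f} {label}"
    return f"{seconds:.0f} seconds"  # not reached; keeps the return type total


def crack_table(lengths=(6, 8, 12, 16),
                charsets=(("lowercase", LOWERCASE), ("full ASCII", FULL_ASCII)),
                rate: float = GUESSES_PER_SECOND) -> dict:
    """Map (length, charset name) -> human-readable worst-case crack time."""
    return {(n, name): human_time(seconds_to_crack(size, n, rate))
            for n in lengths for name, size in charsets}


if __name__ == "__main__":
    for (n, name), t in crack_table().items():
        print(f"{n:2d} chars, {name:10s}: {t}")
    print(f"94^16 = {keyspace(FULL_ASCII, 16):.2e} "
          f"({entropy_bits(FULL_ASCII, 16):.1f} bits)")
    # Length beats complexity: four more lowercase characters vs. the full set.
    print("8 -> 12 lowercase, factor:",
          keyspace(LOWERCASE, 12) // keyspace(LOWERCASE, 8))
    print("8 lowercase -> 8 full ASCII, factor:",
          round(keyspace(FULL_ASCII, 8) / keyspace(LOWERCASE, 8)))
```

Change `GUESSES_PER_SECOND` to see how the table moves: dividing the rate by a million (roughly what bcrypt or Argon2 costs an attacker compared with MD5) turns "about a week" for 8 full-ASCII characters into thousands of years, which is why sites should use slow hashes and why you should not rely on them doing so.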
Passphrases: A Human-Friendly Alternative
Random character passwords are strong but hard to memorize. Passphrases offer an alternative: a sequence of 4-6 random words.
correct-horse-battery-staple
purple-window-fork-november-cliff
A 5-word passphrase from a 7,776-word wordlist (the Diceware list) has 7776^5, about 2.8 × 10^19, combinations (roughly 65 bits of entropy). That is comparable to a 10-character random password from the full 94-character set, but vastly more memorable. A sixth word brings it to about 78 bits, on par with 12 random characters.
The key is that the words must be truly random, not a phrase you thought up. "My dog loves the park" is not a good passphrase because it's guessable based on what a human might choose. A random generator picks words without bias.
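How a generator produces both kinds of secret, as an added example rather than this page's own generator code: characters and words are drawn with `secrets.choice`, which uses the operating system's CSPRNG, never the `random` module. The 16-word list is a constructed stand-in for a real 7,776-word Diceware list, and the entropy helpers show why the list size, not the word length, is what matters.

```python
import math
import secrets
import string

# Full 94-character printable ASCII set (no space), as in the guide.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed stand-in for a real Diceware list (which has 7,776 words).
# Only the sampling logic is demonstrated here; real use needs the full list.
SAMPLE_WORDS = ["purple", "window", "fork", "november", "cliff", "anchor",
                "lemon", "saddle", "quartz", "meadow", "tunnel", "violin",
                "basket", "glacier", "helmet", "orbit"]


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password containing every character class present
    in `alphabet` (many sites demand this).

    Candidates come from the OS CSPRNG via `secrets.choice`; a candidate that
    misses a class is rejected and redrawn. Rejection sampling keeps the
    result uniform over all passwords satisfying the rule, unlike patching
    "one of each" into fixed positions, which would bias the output.
    """
    required = [cls for cls in CLASSES if set(cls) & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def passphrase(n_words: int = 5, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: n independent, uniform picks from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniform password (the class rule above costs well under a bit)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase depends only on list size and word count."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(random_password(16), f"{password_entropy_bits(16):.1f} bits")
    print(passphrase(5),
          f"{passphrase_entropy_bits(5, len(SAMPLE_WORDS)):.1f} bits "
          f"(only {len(SAMPLE_WORDS)} words in the sample list)")
    print(f"5 words from a 7,776-word list: "
          f"{passphrase_entropy_bits(5, 7776):.1f} bits")
```

Note that a 5-word phrase from the constructed 16-word list has only 20 bits of entropy; the same procedure over the real Diceware list gives about 65. The words being random is necessary but not sufficient: the list they come from has to be large.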
Password Managers: The Essential Tool
The only practical way to have a unique, strong password for every account is to use a password manager. This is not optional advice; it is the single most impactful security improvement most people can make.
Password managers:
- Generate strong random passwords for each site
- Store them encrypted with one master password
- Autofill only on the domain the password was saved for, which is a strong defense against phishing: a look-alike domain gets nothing
- Alert you when a stored password appears in a breach
Popular options include Bitwarden (open-source, free tier available), 1Password, and Dashlane. Browser-built-in password managers (Chrome, Safari, Firefox) are also significantly better than manual password reuse.
Your master password for the password manager needs to be strong and memorable, which is where a passphrase works well. You'll type it daily, so you'll memorize it, but it needs to be long enough that no one can brute-force it.
Multi-Factor Authentication (MFA)
Even a perfect password can be stolen via phishing or a service-side breach. MFA adds a second layer: something you have (phone app, hardware key) in addition to something you know (password).
Priority order for MFA methods (best to worst):
- Hardware security key (YubiKey and other FIDO2/WebAuthn keys): phishing-resistant, because the key signs for the real site's origin and will not answer a look-alike domain
- Authenticator app (TOTP codes from Google Authenticator, Authy, and others): strong, though a code can still be relayed in real time by a phishing proxy during its 30-second window
- SMS codes: better than nothing, but vulnerable to SIM-swapping and interception
Enable MFA on every account that matters: email, banking, social media, your password manager.
Common Password Mistakes
Incrementing passwords: Password1, then Password2, then Password3. Attackers know this pattern and their rule sets account for it.
Keyboard walks: qwerty, zxcvbn, 1qaz2wsx. These are in every cracking wordlist.
Personal information: Names of pets, children, birthdays, addresses. This information is often findable on social media.
Short passwords with "complexity": P@55! is only 5 characters. Complexity cannot compensate for length.
Security questions: When sites ask for your mother's maiden name or your first car, those answers are discoverable. Use random answers stored in your password manager.
Building a Practical Password Strategy
- Install a password manager. Pick one and commit to it.
- Create a strong master passphrase: 5+ random words, memorized.
- Enable MFA on the password manager itself.
- Use the password generator (built into your manager, or this one) for every new account: 16+ characters, all character types.
- Over time, replace old passwords. You don't need to do it all at once. Prioritize high-value accounts first: email, banking, social media.
- Check for breaches. Services like Have I Been Pwned let you check if your email appeared in known breaches.
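The breach check in the last step, and the "stored password appears in a breach" alert a password manager raises, can be done without revealing the password: Have I Been Pwned's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every suffix it knows for that prefix, so the client matches locally. This is an added example, not this page's code; the range response below is constructed with made-up counts so that it runs offline, and `fetch_range` is shown but never called here.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API (not contacted in this example).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hibp_parts(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Network half of the k-anonymity check; only the prefix goes over the wire."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the
    breach count for `suffix`, or 0 if the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count(password: str, body: str) -> int:
    """Full local check given an already-fetched range body."""
    _, suffix = hibp_parts(password)
    return count_in_range(suffix, body)


# Constructed sample response for prefix 5BAA6. The middle suffix completes
# the real SHA-1 of the string "password"; the other suffixes and all counts
# are invented for this example.
SAMPLE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    prefix, suffix = hibp_parts("password")
    print("sent to API:", prefix, "| kept locally:", suffix)
    print("seen in breaches:", breach_count("password", SAMPLE_RESPONSE), "times")
    # Live use would be: count_in_range(suffix, fetch_range(prefix))
```

Two things to keep in mind if you wire this up for real: the response for a prefix is a few hundred to a thousand lines, so the server learns nothing about which one you wanted, and SHA-1 here is only a lookup key, not a password hash, which is why it is fine for this purpose and unacceptable for storing passwords.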
FAQ
How often should I change my password? Only when there's a reason: a breach, suspicion of compromise, or when leaving a shared account. Mandatory periodic changes (every 90 days) without cause often result in weaker passwords, as users just increment a number; current NIST guidance (SP 800-63B) recommends against forced periodic rotation for exactly this reason.
Is a long simple password better than a short complex one?
Yes. correct-horse-battery-staple (28 characters, lowercase plus hyphens) is far stronger than P@55w0rd (8 characters, all types). Length wins. Just don't use that particular phrase: since the xkcd comic made it famous it appears in every cracking wordlist, which is exactly why the words have to come from a random generator rather than from memory.
What if I forget my master password? Most password managers offer account recovery options; set these up when you create the account. Otherwise, you may lose access. Write your master passphrase on paper and store it somewhere physically secure (a home safe, a bank safety deposit box).
Are browser-saved passwords safe? Reasonably safe if your device is secured and you use a lock screen. They're much better than reusing passwords. A dedicated password manager offers better cross-device sync, breach alerts, and sharing features.
Can a password generator be trusted? Reputable generators use your device's cryptographically secure random number generator (CSPRNG). The Password Generator runs entirely in your browser; the password is never sent to a server.