How to Create Strong Passwords

Passphrase:

A longer, more memorable sequence of words used to log in to an account. A password is a shorter combination of letters, numbers, and symbols. Passphrases are generally considered more secure because their length makes them much harder for attackers to guess through brute-force attacks, and they are easier for users to remember than a random, complex string of characters.

Brute-Force Attack:

An attacker tries to gain access to an account by systematically guessing every possible password until one works. They automate this with software that cycles through common words, likely variations, or every combination of characters (numbers, letters, and symbols). The longer the password, the more time and computing power it takes for a brute-force attack to succeed.

Weak or reused passwords are one of the biggest reasons accounts get hacked.¹ Attackers don’t need to be geniuses; they rely on people using the same short, predictable combinations like “password” or “123456”. A single breach from one site can give them the key to many others if you reuse your credentials. A good password, on the other hand, turns every account you open into a unique, secured area.

So what actually makes a password strong? Surprisingly to some, length is the biggest factor. Each additional character multiplies the number of possible combinations, so the total grows exponentially with length. That’s why a 12-character password is vastly stronger than one with 8, even if both use similar symbols. Adding randomness helps too. Avoid anything that could be guessed or connected to you, like birthdays, pets, or family names. A good password looks like gibberish to everyone but you.

Many people think complexity (mixing uppercase, lowercase, numbers, and symbols) is what matters most. Complexity does help, but it’s not as powerful as length. For instance, “Mydog_Rex!” may look solid, but a password like “cactusenginepurpletrain” is actually much more secure and easier to remember. The trick is to use a passphrase, a string of random, unrelated words that form a mental picture. Attackers can’t easily brute-force or guess a 25-character phrase built from common words.
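To put numbers on the length-versus-complexity comparison, the following added example (not part of the original article) estimates the search space of random character passwords and random-word passphrases, and generates a passphrase with a cryptographic random source. It counts a passphrase in words rather than characters, because an attacker who knows the scheme guesses whole words; the 16-word list, the 7,776-word production list size and the guess rate are assumptions made for illustration.

```python
import math
import secrets

# Constructed 16-word sample list so the example runs offline. Assumption: a
# real generator uses a large list, e.g. 7,776 words (five dice rolls per word).
SAMPLE_WORDS = ["cactus", "engine", "purple", "train", "river", "candle",
                "orbit", "pepper", "marble", "falcon", "window", "ladder",
                "velvet", "anchor", "thunder", "biscuit"]
PRINTABLE = 94      # letters, digits and symbols on a US keyboard
DICE_LIST = 7776    # assumed size of a production word list


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy when each of `picks` units is chosen uniformly at random."""
    return picks * math.log2(choices)


def words_needed(target_bits: float, list_size: int = DICE_LIST) -> int:
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG; human-picked words are not random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate, for illustration only
    rows = [("8 random characters", entropy_bits(PRINTABLE, 8)),
            ("12 random characters", entropy_bits(PRINTABLE, 12)),
            ("4 random words", entropy_bits(DICE_LIST, 4)),
            ("6 random words", entropy_bits(DICE_LIST, 6))]
    for label, bits in rows:
        print(f"{label:22} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, rate):.2e} years")
    print("sample:", generate_passphrase(SAMPLE_WORDS))
```

These figures hold only when every character or word is picked at random; a phrase built from a pet's name or a familiar quote is far easier to guess than its length suggests.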

Still, remembering dozens of long, unique passwords isn’t practical, and that’s why password managers were created. These tools securely store and generate passwords for you, encrypting your data behind one strong master password. With a password manager, you only have to remember one key and it takes care of the rest, autofilling your logins across devices. It acts as a vault that holds all your spare keys, protected by a lock only you can open.

Some people worry about putting all their passwords in one place, but reputable password managers use zero-knowledge encryption. That means even the company itself can’t see your passwords; only you can decrypt them. Compared to juggling sticky notes, reused logins, or browser autofill, a password manager is the safest way to stay organized and protected.

If you’re still not comfortable using one, there are other good habits to adopt. Start by using unique passwords for your most important accounts, especially your email, banking, and social media. Your email account is the “master reset” for everything else, so treat it like the crown jewel. If an attacker gets into your email, they can probably reset your passwords on other sites.

Another key defense is multi-factor authentication, mentioned repeatedly on this site. This adds an extra layer of protection beyond your password, like a text code, app PIN, or hardware key. Even if someone steals your password, they still need that second factor to get in. If a burglar gets their hands on your house key they can easily enter, but if there’s also an alarm that must be disabled with a code, that will be a problem for them. That’s the basic idea behind MFA.

Attackers often use automated tools to crack passwords, testing millions of combinations per second. They also use leaked password lists from previous data breaches.² That’s why even a moderately strong password can fail if it’s been exposed elsewhere. You can check if your credentials have been compromised at sites like haveibeenpwned.com, and if they have, change those passwords immediately.
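A leaked-password check does not require sending the password to anyone. This added example (not part of the original article) implements the client side of the Pwned Passwords range lookup offered by haveibeenpwned.com: only the first five hex characters of the password's SHA-1 hash are sent, and the match against the returned suffixes happens locally. The network call is replaced by a stand-in function, and the response rows and counts are constructed sample data.

```python
import hashlib

# Real Pwned Passwords endpoint; shown for reference, never called here.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str) -> tuple:
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the SUFFIX:COUNT rows
    that `fetch_range(prefix)` returns; 0 means no match."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # a count of 0 marks a padding row
    return 0


def constructed_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET: constructed rows, with a hit only for the
    prefix that belongs to the well-known leaked password "password"."""
    leaked_prefix, leaked_suffix = split_hash("password")
    rows = ["0" * 35 + ":0",      # padding-style row, count 0
            "A" * 35 + ":17"]     # unrelated constructed suffix
    if prefix == leaked_prefix:
        rows.append(leaked_suffix + ":4242")  # constructed count, not a real figure
    return "\r\n".join(rows)


if __name__ == "__main__":
    for pw in ("password", "cactus-engine-purple-train"):
        prefix, _ = split_hash(pw)
        print(pw, "->", RANGE_URL.format(prefix=prefix),
              "seen", breach_count(pw, constructed_fetch), "times")
```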

For users of the internet, strong passwords aren’t just about security; they’re about peace of mind. Each unique password you use closes one door that attackers can’t walk through. Over time, you’ll find that password security becomes second nature. Whether you use a manager or your own clever system of phrases, the goal is the same: make it hard for attackers and easy for you. A few extra seconds when creating a password can save you hours or days of cleanup after a breach. You can’t expect to stop every single threat out there, but you can make your accounts strong enough that attackers move on to easier targets.

¹ “Questioning a security assumption: Are unique passwords harder to remember than reused or modified passwords?”, by Woods, N and Siponen, M, October 2025
² “Password Cracking and Countermeasures in Computer Security: A Survey”, by Han, L, 2014