What Makes a Password Strong?
Password strength depends on two factors: how many possible combinations an attacker must try, and how quickly those attempts can be checked. Modern computers can test billions of password combinations per second, which means length matters far more than complexity. A 12-character random password beats an 8-character complex one every time.
The math is straightforward: each character you add multiplies the number of possible combinations by the size of the character set, so the difficulty grows exponentially with length. A 6-character lowercase password has 26^6 (about 309 million) possible combinations. Add one character and you get 26^7 (8 billion). Increase to 12 characters and you're at 26^12, roughly 95 quadrillion possibilities. Use our password generator to create strong passwords instantly.
Common Password Mistakes
Despite decades of security warnings, people still use terrible passwords. "123456" and "password" consistently rank at the top of breach analyses. Adding a number or capital letter doesn't help when attackers know these patterns: P@ssw0rd! gets cracked almost as fast as Password1.
Personal information makes passwords guessable. Your birthday, pet's name, children's names, favorite sports team, hometown, and anniversary are all potential attack vectors, especially if the attacker has any familiarity with you or your social media presence. Never use information that exists somewhere on the internet in connection with your name.
Reusing passwords is perhaps the most dangerous common practice. If your password for one site gets breached, attackers automatically try those credentials on dozens of other services. You might have a perfectly strong password, but if the service storing it gets hacked, your reused password becomes a skeleton key for your entire digital life.
Password Managers: Your Best Defense
A password manager generates, stores, and autofills unique passwords for every site. You only need to remember one master password — make it strong, memorable, and unique. Popular options include Bitwarden (open source), 1Password, and Dashlane.
The master password itself needs special attention. It should be the longest password you use, but memorable — perhaps a passphrase rather than a single word. "correct horse battery staple" is famously stronger than "Tr0ub4dor&3" because it's longer, even though it uses common words. The key is using words in an unusual combination that won't appear in dictionaries or wordlists.
Creating Memorable Strong Passwords
If you must create passwords without a manager, use the passphrase method. Pick four or five unrelated words and combine them with numbers and symbols. Something like "sunset-elephant-purple-74" is 28 characters and easy to type once you've committed it to memory.
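The passphrase method and the keyspace arithmetic from earlier, worked through in Python as an added example (not code from this site's generator). The 32-word list is a constructed sample, and the 7,776-word list size and the rate of one billion guesses per second are assumptions for illustration.

```python
import math
import secrets

# Constructed 32-word sample so the example runs offline. Far too small for
# real use: a diceware-style list has 7,776 words (assumed size below).
SAMPLE_WORDS = """anchor basil candle dolphin ember falcon garden harbor
island jacket kettle lantern marble nectar orchid pepper quartz ribbon
saddle thistle umbrella velvet walnut yonder zephyr acorn bramble cobalt
drizzle fennel glacier hammock""".split()

def keyspace_bits(symbols: int, length: int) -> float:
    """Entropy in bits of `length` independent, uniform picks from `symbols`."""
    return length * math.log2(symbols)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose keyspace reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def make_passphrase(words, count=5, sep="-"):
    """Draw words with the OS CSPRNG; strength comes from the random draw,
    not from how unusual the words look."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words would overstate the entropy")
    return sep.join(secrets.choice(words) for _ in range(count))

if __name__ == "__main__":
    rate = 1e9  # assumed guesses per second
    target = keyspace_bits(26, 12)  # the 12-char lowercase case, ~56.4 bits
    print(f"26^12: {target:.1f} bits, {years_to_exhaust(target, rate):.1f} years")
    for size in (len(SAMPLE_WORDS), 7776):
        n = words_needed(size, target)
        print(f"{size}-word list: {n} words for {keyspace_bits(size, n):.1f} bits")
    print("sample:", make_passphrase(SAMPLE_WORDS))
```

The bit counts only hold when every word is drawn at random from the list; a phrase a person picks by hand carries no such guarantee.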
Avoid common substitutions — attackers know that @ = a, 3 = e, 0 = o. "P@$$w0rd" looks strong but is in every dictionary attack. Random character insertion into words helps only if those words are themselves uncommon and the insertion points vary.
For logins where a password manager can't help (like computer login screens), consider creating a strong passphrase and writing a hint for it on paper stored securely at home. Physical security matters: a strong password written on a sticky note under your keyboard defeats the purpose, but a hint stored in a locked drawer provides reasonable protection for personal devices.