Strong Passwords 101

How to create passwords that actually protect your accounts, without memorizing random gibberish

Most people know their passwords aren't great. The problem is that the usual advice ("use uppercase, lowercase, numbers, and symbols!") leads to passwords like P@ssw0rd1 that are annoying to type and easy to crack. Here's what actually matters.

Why common passwords fail

The most commonly used passwords are things like 123456, password, qwerty, and birthdays. Attackers don't guess these one at a time — they run automated tools that try millions of known passwords in seconds. If your password is a word from the dictionary, a name, a date, or any common pattern, it's already on the list.

Substituting letters with numbers (p@55w0rd, h3llo) doesn't help either. Attackers know those tricks and their tools already account for them.

Length beats complexity

A 20-character password made of common words is harder to crack than an 8-character mess of symbols. That's because the math works in favor of length: each additional character multiplies the number of possible combinations by the size of the character set, so the total grows exponentially with length while adding symbols only enlarges the set a little.

  • Tr0ub4dor&3 — 11 characters, looks complex, crackable in hours
  • correct horse battery staple — 28 characters, easy to remember, would take centuries

This is why passphrases work.
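The arithmetic behind the two bullets above, as an added example (not the article's own code). The attacker model is an assumption: 1000 guesses per second, a 65,536-word dictionary and 2,560 mangling variants for the Tr0ub4dor&3 style, and a 2,048-word list for the passphrase.

```python
import math

def naive_bits(length, charset_size):
    """Entropy if every character were picked uniformly from the charset.
    This is the number people have in mind when 11 symbols look strong."""
    return length * math.log2(charset_size)

def mangled_word_bits(dictionary_size, variants_per_word):
    """Entropy of one dictionary word run through the substitutions attackers
    already model (caps, 0-for-o, a symbol, a digit): pick a word, pick a mangling."""
    return math.log2(dictionary_size * variants_per_word)

def passphrase_bits(word_count, wordlist_size):
    """Entropy of word_count words drawn uniformly from a list of wordlist_size."""
    return word_count * math.log2(wordlist_size)

def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit the secret: half the space at the given guess rate."""
    return (2.0 ** bits) / 2 / guesses_per_second

def words_needed(target_bits, wordlist_size):
    """Fewest words from the list that reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

if __name__ == "__main__":
    # Assumed attacker model (constructed, not from the article): 1000 guesses/s,
    # i.e. throttled online guessing. Offline attacks on leaked hashes run at
    # billions per second, which is why a breached password must be changed.
    rate = 1000
    # "Tr0ub4dor&3": ~65k-word dictionary, 2 capitalisations, 8 substitution
    # patterns, 16 symbols, 10 digits. Looks like 11 random characters but isn't.
    looks_like = naive_bits(11, 95)
    really_is = mangled_word_bits(65536, 2 * 8 * 16 * 10)
    phrase = passphrase_bits(4, 2048)    # 4 words from a 2048-word list
    year = 365 * 86400
    print("Tr0ub4dor&3 if it were random: %.1f bits" % looks_like)
    print("Tr0ub4dor&3 as attackers model it: %.1f bits -> %.0f hours"
          % (really_is, expected_crack_seconds(really_is, rate) / 3600))
    print("4-word passphrase: %.1f bits -> %.0f years"
          % (phrase, expected_crack_seconds(phrase, rate) / year))
    print("words from a 7776-word list for 80 bits:", words_needed(80, 7776))
```

Under these assumptions the mangled word falls in under a day and the four-word phrase takes centuries, matching the bullets; a bigger word list (7,776 words) adds about 13 bits per word.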

Passphrases: the easy way to be secure

A passphrase is just 4 or more random words strung together. Pick words that have no logical connection to each other or to you.

Good passphrases:

  • marble trumpet canyon notebook
  • volcano sleeping orange fourteen
  • ceiling rapid whale umbrella door

Bad passphrases (too guessable):

  • i love my dog (common phrase)
  • john smith 1990 (personal info)
  • the quick brown fox (well-known phrase)

The key word is random. Don't pick words that form a sentence or that relate to your life. If you need help, search "random word generator" and grab 4-5 words.

You can add a number or symbol between words if a site requires it (marble7trumpet!canyon-notebook), but the length is doing the heavy lifting.
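Drawing the words with a cryptographic random generator, as an added example (not the article's code): WORDLIST is a constructed 20-word sample, and SYMBOLS, DIGITS and the 40-bit floor are assumptions. It shows why a small list needs more words and how to meet a site's digit-and-symbol rule the way the paragraph above suggests.

```python
import math
import secrets

# Constructed sample list for illustration only; a real list should be far larger
# (the EFF long list has 7776 words), because the entropy comes from the list size.
WORDLIST = [
    "marble", "trumpet", "canyon", "notebook", "volcano", "sleeping", "orange",
    "fourteen", "ceiling", "rapid", "whale", "umbrella", "door", "lantern",
    "pebble", "glacier", "saddle", "velvet", "compass", "meadow",
]
SYMBOLS = "-_!?."   # used only when a site insists on a symbol and a digit
DIGITS = "0123456789"

def has_enough_entropy(word_count, wordlist_size, min_bits=40.0):
    """True if word_count uniform draws from the list reach min_bits of entropy."""
    return word_count * math.log2(wordlist_size) >= min_bits

def generate_passphrase(wordlist, word_count=4, min_bits=40.0):
    """Draw the words with the CSPRNG in secrets (never the random module, which is
    predictable). Repeats are allowed: that keeps every draw independent and the
    entropy estimate exact. Refuses list/count combinations that are too weak."""
    if not has_enough_entropy(word_count, len(wordlist), min_bits):
        raise ValueError("need more words or a bigger list to reach %.0f bits" % min_bits)
    return [secrets.choice(wordlist) for _ in range(word_count)]

def join_for_site(words):
    """Satisfy 'must contain a digit and a symbol' rules without shortening the
    phrase: one gap gets a digit, the other gaps get symbols
    (marble7trumpet!canyon-notebook)."""
    if len(words) < 2:
        raise ValueError("need at least two words")
    gaps = [secrets.choice(SYMBOLS) for _ in range(len(words) - 1)]
    gaps[secrets.randbelow(len(gaps))] = secrets.choice(DIGITS)
    out = words[0]
    for sep, word in zip(gaps, words[1:]):
        out += sep + word
    return out

if __name__ == "__main__":
    print("4 words from a 20-word list enough?", has_enough_entropy(4, len(WORDLIST)))
    words = generate_passphrase(WORDLIST, word_count=10)   # tiny list needs 10 words
    print(" ".join(words))
    print(join_for_site(words))
    print("4 words from a 7776-word list enough?", has_enough_entropy(4, 7776))
```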

Password reuse is the real danger

Using the same password on multiple sites is the single biggest risk most people face. Here's why:

  1. A website you signed up for years ago gets hacked
  2. The attackers now have your email and password from that site
  3. They try that same combination on Gmail, your bank, Amazon, social media — everywhere
  4. If you reused the password, they're in

This happens constantly. Major breaches at companies expose millions of passwords at a time, and attackers share and sell these lists. One breach can cascade across every account where you used that password.

The rule: every account gets its own password. Your bank password should not match your Netflix password, which should not match your email password.

Check if you've been breached

Visit haveibeenpwned.com and enter your email address. It checks your email against known data breaches and tells you which services leaked your information. If you show up in a breach, change that password immediately — and change it everywhere else you used the same one.

This site is run by a respected security researcher and is safe to use. It doesn't store or share your email.

When to use a password manager

If every account needs a unique password and passwords need to be long, you can't realistically memorize them all. That's where a password manager comes in. It generates strong unique passwords for every site and remembers them so you don't have to.

You only need to memorize one strong master password (use a passphrase), and the manager handles everything else. Most also auto-fill login forms, work across your devices, and alert you if a saved password appears in a breach.

If you do nothing else from this article, start using a password manager.

Two-factor authentication: the safety net

Even the best password can be stolen through phishing or a breach. Two-factor authentication (2FA) adds a second step to logging in — usually a code from an app on your phone. Even if someone gets your password, they can't get in without that second factor.

Enable 2FA on your most important accounts: email, banking, and anything with payment info.

The short version

The 3 rules that actually matter:

  1. Use a passphrase — 4+ random words like marble trumpet canyon notebook instead of short complex passwords
  2. Never reuse passwords — every account gets its own password, use a password manager to keep track
  3. Turn on 2FA — enable two-factor authentication on email, banking, and anything important

Frequently Asked Questions

How long should my password be?

At least 16 characters, but longer is better. A 4-word passphrase naturally hits 20+ characters. If a site has a maximum length (some still do), fill it.

Are password generators better than passphrases?

Password generators create strings like x7#mK9$pL2@qR which are strong but impossible to remember. They're great when paired with a password manager. If you need to actually memorize a password (like your master password), a passphrase is the better approach.

Should I change my passwords regularly?

Only if there's a reason to — like a breach notification or suspicious activity. The old advice to change passwords every 90 days has been dropped by most security guidelines (including NIST). Frequent forced changes lead to weaker passwords because people just increment a number at the end.

Is it safe to write passwords down?

A piece of paper in your wallet is honestly safer than reusing the same password everywhere. It protects against the most common threat (remote attackers trying leaked credentials) even if it doesn't protect against someone physically searching your desk. A password manager is the better solution, but a written list beats reuse.

What about security questions like "mother's maiden name"?

Treat them as extra passwords, not real answers. Your mother's maiden name, first pet, and high school are all findable on social media. Put random answers in your password manager instead. If the question is "What city were you born in?" the answer can be pineapple fortress.