How to Create a Strong Password: A Practical Guide
Weak passwords are one of the most common causes of account breaches. Yet most people still reuse simple passwords across dozens of sites. This guide explains what makes a password genuinely strong and how to manage them without memorising every one.
What Makes a Password Weak?
Attackers use two main methods to crack passwords: brute force (trying every possible combination) and dictionary attacks (trying common words, names, and known passwords from data breach lists).
The most common passwords in leaked databases year after year are embarrassingly predictable: 123456, password, qwerty, admin, and variations of the site name (facebook1, google123).
Substituting letters with numbers (p@ssw0rd) and capitalising the first letter (Password1) are so well-known that modern cracking tools account for them automatically.
What Makes a Password Strong?
Password strength comes from length and randomness. These are the two factors that determine how long it takes to crack a password by brute force.
| Password | Length | Estimated Crack Time |
|---|---|---|
| password | 8 chars | Instantly (known word) |
| P@ssw0rd! | 9 chars | < 1 hour (common pattern) |
| Correct-Horse-Battery | 21 chars | Thousands of years (if random) |
| X7#mK9!pQz2$Lv | 14 chars | Billions of years (random + complex) |
Crack time estimates assume a modern GPU-based attack (~10 billion guesses/second). Times vary greatly depending on hash type and available hardware.
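To make the length-versus-randomness point concrete, here is an added Python calculator (not part of the original guide) that computes the exhaustive-search space for a password (alphabet size raised to the length), its entropy in bits, and the time an attacker would need at the page's assumed rate of 10 billion guesses per second. The breach wordlist is a constructed six-entry stand-in for the multi-million-entry lists real tools use. Note that the calculator gives the worst case for an attacker: a patterned password such as P@ssw0rd! is reached far sooner by the substitution rules mentioned above, which is why the table rates it much lower than the raw character count suggests.

```python
import math
import string

GUESSES_PER_SECOND = 10_000_000_000  # the page's assumed GPU rate (~10 billion/s)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a breach wordlist; real lists hold millions of entries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "admin", "facebook1", "google123"]


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used.

    A brute-force attacker who knows which character classes were used only has
    to search this alphabet, so it sets the base of the search-space exponent.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def brute_force_guesses(password: str) -> int:
    """Worst case for the attacker: every string of this length over the alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the search space; each extra character adds log2(alphabet) bits."""
    return len(password) * math.log2(charset_size(password))


def passphrase_guesses(num_words: int, wordlist_size: int = 7776) -> int:
    """Search space for num_words picked at random from a wordlist (7776 is the
    size of a standard diceware list). The attacker searches words, not
    characters, so randomness of the choice matters more than character count."""
    return wordlist_size ** num_words


def crack_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Seconds for an exhaustive search at `rate` guesses per second.

    A password on a breach list falls to a dictionary pass after a handful of
    guesses, regardless of its length or character mix.
    """
    if password.lower() in COMMON_PASSWORDS:
        return (COMMON_PASSWORDS.index(password.lower()) + 1) / rate
    return brute_force_guesses(password) / rate


def crack_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    return crack_seconds(password, rate) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["password", "P@ssw0rd!", "Correct-Horse-Battery", "X7#mK9!pQz2$Lv"]:
        print(f"{pw:24} {len(pw):3} chars  {entropy_bits(pw):6.1f} bits  "
              f"{crack_years(pw):.3g} years (exhaustive search)")
    # Three random diceware words: 7776**3 guesses, under a minute at 10 G/s
    print(f"3 random diceware words: {passphrase_guesses(3) / GUESSES_PER_SECOND:.0f} s")
```

The passphrase figure is the caveat behind the table's "(if random)": three words that an attacker can model as words from a known list are searched as 7776³ combinations, not as 21 arbitrary characters, so a short passphrase needs more words (or words from a larger list) to reach the same strength as a random string.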
Password Rules That Actually Work
- ✓ At least 16 characters: Longer is always better. Each extra character multiplies the number of combinations an attacker must try by the size of the character set.
- ✓ Use all character types: Include uppercase, lowercase, digits, and symbols. More character types mean a larger search space for brute force.
- ✓ No real words or names: Dictionary attacks check words, names, places, and common phrases. Avoid all of them.
- ✓ Never reuse passwords: A breach at one site shouldn't compromise all your accounts. Every account needs a unique password.
- ✓ Don't use personal information: Birthdays, phone numbers, addresses, and pet names are often the first guesses in targeted attacks.
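The rules above can be turned into an automated check. The following Python checker is an added example, not code from the original guide; it reports which rules a candidate password fails. The breach list, dictionary and personal profile are small constructed stand-ins (a real checker would consult a full breach corpus and dictionary), and the leet-substitution table undoes the p@ssw0rd-style tricks that cracking tools apply automatically.

```python
import string
from typing import Optional

MIN_LENGTH = 16

# Constructed stand-ins: a real checker would consult a breach corpus and a full dictionary.
BREACHED = {"123456", "password", "qwerty", "admin", "facebook1", "google123", "p@ssw0rd"}
DICTIONARY = {"password", "correct", "horse", "battery", "summer", "dragon", "welcome"}

# Undo the substitutions cracking tools try automatically (p@ssw0rd -> password)
LEET = str.maketrans("@$0134!", "asoieai")


def normalise(password: str) -> str:
    """Lower-case and reverse common letter-for-symbol substitutions."""
    return password.lower().translate(LEET)


def contains_dictionary_word(password: str) -> bool:
    text = normalise(password)
    return any(word in text for word in DICTIONARY if len(word) >= 4)


def profile_tokens(profile: dict) -> set:
    """Pieces of personal information (names, years, pets) of 3+ characters."""
    tokens = set()
    for value in profile.values():
        for part in str(value).split():
            if len(part) >= 3:
                tokens.add(part.lower())
    return tokens


def check_password(password: str, profile: Optional[dict] = None) -> list:
    """Return the names of the rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if not all(any(c in cls for c in password) for cls in classes):
        failures.append("all-classes")
    if contains_dictionary_word(password):
        failures.append("dictionary-word")
    # A breached password is the one attackers replay at other sites, which is
    # how reuse turns one site's breach into a takeover of your other accounts.
    if password.lower() in BREACHED or normalise(password) in BREACHED:
        failures.append("breached")
    if profile and any(tok in password.lower() for tok in profile_tokens(profile)):
        failures.append("personal-info")
    return failures


if __name__ == "__main__":
    # Constructed profile for the personal-information rule
    me = {"name": "Alex Rivera", "birth_year": 1990, "pet": "Biscuit"}
    for pw in ["p@ssw0rd", "P@ssw0rd!", "Biscuit2024!Rocks", "X7#mK9!pQz2$Lv8Rt"]:
        print(f"{pw:20} -> {check_password(pw, me) or 'passes all rules'}")
```

The reuse rule cannot be judged from a single password, so the checker approximates it with the breach-list test, which catches the case that actually gets exploited: a password already exposed somewhere else.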
How to Generate and Remember Strong Passwords
The easiest way to have strong, unique passwords for every account is to use a password manager. You only need to memorise one master password; the password manager generates, stores, and auto-fills a unique strong password for every site.
Well-known password managers include Bitwarden (free and open-source), 1Password, Dashlane, and the built-in options in browsers (Chrome Password Manager, Safari Keychain). All encrypt your stored passwords locally before syncing them.
To generate a genuinely random password right now, use our Password Generator. You can set the length (we recommend 16+ characters), choose which character types to include, and generate as many passwords as you need.
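For readers who want to see what a generator like the one above does under the hood, here is an added Python example (not the site's Password Generator, whose source is not on this page). It draws every character from the operating system's cryptographic random source via the `secrets` module, guarantees that each requested character class appears at least once, and also builds a random passphrase. The 20-word list is a constructed stand-in for a real list such as the 7776-word EFF long wordlist.

```python
import secrets
import string

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{}:;,.?",
}

# Constructed stand-in for a real list such as the 7776-word EFF long wordlist.
WORDLIST = ["anchor", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier",
            "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
            "orchard", "pepper", "quartz", "ribbon", "saddle", "timber"]

_rng = secrets.SystemRandom()  # OS CSPRNG; the plain random module is predictable


def generate_password(length: int = 20,
                      classes=("lower", "upper", "digit", "symbol")) -> str:
    """Random password of `length` characters covering every class in `classes`."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    pools = [CHAR_CLASSES[name] for name in classes]
    # One character from every requested class so the result always covers them all
    chars = [secrets.choice(pool) for pool in pools]
    # Fill the remainder uniformly from the combined alphabet
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _rng.shuffle(chars)  # so the guaranteed picks do not sit in fixed positions
    return "".join(chars)


def generate_passphrase(num_words: int = 5, separator: str = "-") -> str:
    """Random words joined by a separator; strength comes from the random choice."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(num_words))


def covers_classes(password: str,
                   classes=("lower", "upper", "digit", "symbol")) -> bool:
    return all(any(c in CHAR_CLASSES[name] for c in password) for name in classes)


if __name__ == "__main__":
    print(generate_password(20))
    print(generate_password(24, classes=("lower", "upper", "digit")))
    print(generate_passphrase(5))
```

Forcing one character from each class slightly reduces the space compared with a fully uniform draw, but it keeps the output acceptable to sites that reject passwords missing a class; with 16 or more characters the difference is negligible.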
Enable Two-Factor Authentication
Even a strong, unique password can be compromised if the site suffers a data breach and stores passwords incorrectly (in plain text, or with weak hashing). Two-factor authentication (2FA) adds a second verification step, typically a time-based one-time code from an app like Google Authenticator, Authy, or Microsoft Authenticator.
With 2FA enabled, an attacker who somehow obtains your password still cannot log in without also having your physical device. Enable 2FA on every account that offers it, especially email, banking, and social media.
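The time-based codes those apps display follow a public standard (RFC 6238 TOTP, built on RFC 4226 HOTP), and the following Python implementation is an added example rather than code from any of the named apps: it derives a code from a shared secret and the current 30-second window, and verifies a submitted code in constant time while tolerating one step of clock drift. The secret value used in the demo is the published RFC test key, not a real account secret.

```python
import base64
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps show the shared key as base32, often without padding."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: float = None, step: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter taken from the current time window."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits, algorithm)


def verify_totp(key: bytes, code: str, at: float = None, window: int = 1,
                step: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Accept the code for the current window and `window` steps either side.

    Each comparison is constant-time so timing does not leak how many digits
    matched; the drift window is what lets a slightly slow phone still log in.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits, algorithm), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Published RFC 6238 test key (ASCII "12345678901234567890"), not a real secret
    key = b"12345678901234567890"
    print("code at t=59 (8 digits):", totp(key, at=59, digits=8))   # 94287082 per the RFC
    print("current 6-digit code:", totp(key))
    print("app-style secret decodes to:", decode_base32_secret("JBSWY3DPEHPK3PXP"))
```

Because the code is computed from a secret shared with the site, the site has to guard that secret as carefully as a password hash: an attacker who copies the TOTP seed can compute every future code, so 2FA protects against a leaked password, not against a fully compromised server.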