Why Password Strength Matters
A weak password is one of the easiest ways for an attacker to gain access to your accounts. Automated tools can guess simple passwords in seconds using lists of common words, names, and number combinations. A strong password makes this kind of attack impractical — not because it's impossible to crack, but because it would take years or decades to do so by brute force.
What Makes a Password Strong?
Strong passwords share a few key characteristics:
- Length: At least 12 characters; 16+ is better. Length is the single most important factor.
- Variety: A mix of uppercase letters, lowercase letters, numbers, and symbols.
- Unpredictability: No dictionary words, names, dates, or keyboard patterns (like "qwerty" or "12345").
- Uniqueness: Never reused across multiple accounts.
Password Examples: Weak vs. Strong
| Password | Strength | Why |
|---|---|---|
| password123 | Very Weak | Common word + simple number sequence |
| John1985! | Weak | Name + year + single symbol — predictable pattern |
| Tr0ub4dor&3 | Moderate | Better, but letter substitutions are well-known |
| correct-horse-battery-staple | Strong | Long passphrase — easy to remember, hard to crack |
| x7#Lm2$qPz!9vN | Very Strong | Random characters, 14+ characters long |
The Passphrase Method
One of the most practical approaches is the passphrase — a string of four or more random, unrelated words. For example: "purple-jacket-river-clock". This is long enough to be very secure, and far easier to remember than a random string of characters. Adding numbers or symbols between words strengthens it further: "purple7-jacket-river!clock".
Use a Password Manager
The most reliable way to have strong, unique passwords for every account is to use a password manager. These tools generate, store, and auto-fill complex passwords so you only need to remember one master password.
Popular options include:
- Bitwarden — Open source, free tier available, cross-platform.
- 1Password — Polished interface, strong security model, subscription-based.
- KeePassXC — Fully local, no cloud, great for privacy-focused users.
- Apple Keychain / Google Password Manager — Built into their respective ecosystems; convenient but less portable.
What to Avoid
- Don't use personal information (birthdays, pet names, addresses).
- Don't reuse the same password across sites — if one site is breached, all your accounts become vulnerable.
- Don't store passwords in plain text files, notes apps, or spreadsheets without encryption.
- Don't share passwords via email, SMS, or messaging apps.
Check If Your Password Has Been Compromised
The website Have I Been Pwned (haveibeenpwned.com) lets you check whether your email address or password has appeared in a known data breach. It's a free, reputable service run by a well-known security researcher. If your password appears there, change it immediately on every account where you've used it.
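A worked version of the password check described above, added here as an example and not code from the original page or from the service itself: the Pwned Passwords range API lets you test a password by sending only the first five hex characters of its SHA-1 hash, so the password (and even its full hash) never leaves your machine. The API URL, the optional Add-Padding header and the SUFFIX:COUNT response format are as the service documents them; the sample response body used for the offline run is constructed, not real API data.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix we send
    and the 35-char suffix we keep local and compare against the response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """Scan 'SUFFIX:COUNT' lines; return the breach count for our suffix, 0 if absent.
    Padding entries (count 0) and blank lines are tolerated."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding hides the true result-set size
    from anyone watching response lengths on the wire."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def constructed_fetch(prefix: str) -> str:
    """Constructed offline stand-in for the API, in the real response format.
    It lists the suffix of 'password123' with a made-up count plus two filler rows."""
    _, suffix = sha1_prefix_suffix("password123")
    return "\r\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:1",
        f"{suffix}:123456",
        "FEDCBA9876543210FEDCBA9876543210FED:3",
    ])


if __name__ == "__main__":
    for pw in ("password123", "correct-horse-battery-staple"):
        n = pwned_count(pw, fetch=constructed_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample data'}")
```

Swap `constructed_fetch` for the default `fetch_range` to query the live service; a non-zero count means the password should be treated as burned and replaced.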
A Simple Action Plan
- Install a password manager (Bitwarden is a great free starting point).
- Change your most important account passwords first — email, banking, and social media.
- Enable two-factor authentication wherever possible.
- Gradually update other accounts as you log in to them.
You don't need to overhaul everything overnight. Start with the accounts that matter most, and build from there.