How to Create a Good Password (And Why Most People Get It Wrong)

Passwords are the first line of defense for nearly every online account you own. Yet most people still rely on weak, reused credentials that take seconds to crack. Understanding what actually makes a password strong — and what doesn't — is the difference between an account that holds and one that gets compromised.

What Makes a Password "Strong"?

Strength isn't about being memorable. It's about being unpredictable and resistant to automated attacks. Modern password-cracking tools can test billions of combinations per second, so the bar is higher than most people realize.

The core factors that determine password strength are:

  • Length — The single most important variable. Each additional character multiplies the number of possible combinations, so the search space grows exponentially with length.
  • Character variety — Mixing uppercase letters, lowercase letters, numbers, and symbols expands the pool of possibilities an attacker has to work through.
  • Randomness — Predictable patterns (keyboard walks like qwerty, repeated characters, dictionary words) are tested first by cracking tools.
  • Uniqueness — A strong password used across multiple accounts is still a major vulnerability. One breach exposes all of them.

A password like Summer2024! feels complex but is actually weak — it follows a pattern (common word + year + punctuation) that automated tools handle easily. A password like 7#kLpQ2@mXvT is genuinely strong, even though it is about the same length.

The Passphrase Approach 🔑

One of the most practical strategies for creating strong, memorable passwords is the passphrase method: a sequence of four or more random, unrelated words strung together.

correct-horse-battery-staple (popularized by security researcher Bruce Schneier) is a well-known example of the concept. The strength comes from length and the randomness of word selection — not complexity. A 25-character passphrase built from random words is statistically harder to crack than a 10-character string of symbols.

The key is actual randomness. Phrases that mean something to you — song lyrics, quotes, pet names — are weaker because they're guessable through targeted attacks.
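The two sections above make a claim that is easy to state and easy to get wrong in practice: strength is about the space an attacker must search, not about how complex the string looks. The following is an added example, not code from the original article, that puts numbers on that. It compares the naive "character set to the power of length" figure for Summer2024! and 7#kLpQ2@mXvT with the much smaller space of the word + year + punctuation pattern, and it generates a passphrase with secrets.choice so the word selection really is random. The 16-word list, the 10,000/100/10 pool sizes for the pattern, and the 7776-word list size are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed toy wordlist for this demo. A real passphrase generator draws from
# a list of several thousand words; the list size is what sets the per-word
# entropy, so 16 words here give only 4 bits each.
WORDLIST = [
    "anchor", "basket", "copper", "donkey", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 7776  # assumed size of a real diceware-style wordlist


def charset_size(password):
    """Size of the standard character pool the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def charset_entropy_bits(password):
    """Entropy IF every character were picked uniformly at random from its pool.
    For a human-chosen password this is an upper bound, not the real strength."""
    return len(password) * math.log2(charset_size(password))


def pattern_entropy_bits(word_choices=10_000, year_choices=100, symbol_choices=10):
    """Entropy of the 'common word + year + punctuation' pattern that Summer2024!
    follows. The pool sizes are constructed assumptions for illustration."""
    return math.log2(word_choices * year_choices * symbol_choices)


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n words chosen uniformly at random from a list of that size."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words=4, wordlist=WORDLIST, sep="-"):
    """Draw words with secrets.choice (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def seconds_to_crack(bits, guesses_per_second=1e10):
    """Expected time to find the password at a given guess rate (half the space)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ("Summer2024!", "7#kLpQ2@mXvT"):
        print(f"{pw:16s} charset entropy {charset_entropy_bits(pw):5.1f} bits")
    print(f"word+year+symbol pattern: {pattern_entropy_bits():.1f} bits")
    print(f"4 random words from {DICEWARE_LIST_SIZE}: "
          f"{passphrase_entropy_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    print("example passphrase:", generate_passphrase())
```

Run it and the point of the article falls out of the numbers: by the character-set formula Summer2024! scores about 72 bits, but an attacker who tries the pattern it follows only has to cover about 23 bits, while four genuinely random words from a 7776-word list are worth about 52 bits because nothing about their selection can be guessed.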

What to Avoid

Some common habits significantly reduce password security:

  Bad Practice            Why It's a Problem
  Reusing passwords       One compromised site exposes all accounts using that password
  Using personal info     Names, birthdays, and addresses are easy to research or guess
  Simple substitutions    P@ssw0rd is one of the first patterns tools try
  Short passwords         Anything under 12 characters is vulnerable to brute force with modern hardware
  Sequential patterns     abc123, 111111, password1 appear on every leaked password list

Credential stuffing — where attackers take username/password pairs leaked from one site and try them on others — is now one of the most common attack vectors. Password reuse is what makes it effective.
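Every row of the table above is something a signup form or a password manager's health check can test for before a weak credential is accepted. The following is an added example, not code from the original article: a checker that reports which rows a candidate password violates, including the reuse that makes credential stuffing work (detected here against fingerprints of the user's previous passwords). The list of common passwords, the substitution map, and the sample inputs are constructed for the demo; a real checker would use a breach corpus of millions of entries.

```python
import hashlib
import re

# Constructed, deliberately tiny list of passwords that appear on leaked lists.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "abc123", "111111",
                    "123456", "letmein", "welcome", "iloveyou"}

# Undo the "simple substitutions" row of the table: P@ssw0rd -> password.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(password):
    """Lowercase and reverse common letter/symbol substitutions."""
    return password.lower().translate(LEET)


def password_hash(password):
    """Fingerprint used only for the reuse check in this demo; storing real
    credentials calls for a slow, salted KDF, not a bare SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


def is_sequential(password):
    """Repeated single character, or a 4-char run (forward or reversed) along
    the alphabet, the digits, or a keyboard row."""
    s = password.lower()
    if len(set(s)) == 1:
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in s or run[::-1] in s:
                return True
    return False


def check_password(password, personal_info=(), previously_used_hashes=frozenset()):
    """Return the table rows the password violates (empty list means none)."""
    problems = []
    if password_hash(password) in previously_used_hashes:
        problems.append("reused")
    if len(password) < 12:
        problems.append("short")
    norm = normalize(password)
    if any(len(item) >= 3 and item.lower() in norm for item in personal_info):
        problems.append("personal-info")
    core = re.sub(r"[\d\W_]+$", "", norm)  # drop a trailing year/punctuation
    if norm in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common-or-substituted")
    if is_sequential(password):
        problems.append("sequential")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    used = {password_hash("CorrectHorseBattery1")}
    for pw in ("P@ssw0rd", "qwerty123!", "Fluffy2019!!",
               "CorrectHorseBattery1", "7#kLpQ2@mXvT"):
        print(f"{pw:22s} {check_password(pw, ['Fluffy'], used) or 'no issues found'}")
```

The normalization step is the important design choice: checks that compare the raw string miss P@ssw0rd entirely, which is exactly why cracking tools apply the same substitution rules in reverse before they try a dictionary.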

Password Managers Change the Calculus

Once you accept that strong passwords need to be long, random, and unique per account, the next logical step is acknowledging that no one can memorize dozens of passwords that actually meet that standard.

Password managers solve this by generating and storing complex credentials for you. You only need to remember one strong master password. Most modern managers also:

  • Flag reused or compromised passwords
  • Auto-fill credentials securely
  • Sync across devices
  • Alert you when a site you use has been breached

There are two broad categories: cloud-based managers (passwords synced across devices via encrypted cloud storage) and local managers (passwords stored only on your device). Each has different trade-offs around convenience and control.

Two-Factor Authentication Is a Separate Layer 🛡️

A strong password and two-factor authentication (2FA) are not the same thing — but they work together. Even a genuinely strong password can be stolen via phishing or a data breach on the site's end. 2FA adds a second verification step (an app-generated code, a hardware key, or an SMS message) that an attacker needs even if they have your password.

SMS-based 2FA is better than nothing but is the weakest form — SIM-swapping attacks can intercept text messages. Authenticator apps (which generate time-based one-time codes) and hardware security keys offer meaningfully stronger protection.
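To make concrete what "time-based one-time codes" means, here is an added example, not code from the original article, of the scheme authenticator apps implement: RFC 6238 TOTP built on RFC 4226 HOTP, using the test secret published in those RFCs. It includes the server-side verification step, which is where the defender's choices live: a small acceptance window for clock skew and a constant-time comparison. The 30-second step, SHA-1, six digits and a one-step window are the RFC defaults assumed here; the article does not specify them.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890"),
# shown raw and in the base32 form an otpauth:// enrollment URI carries.
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(secret):
    """Decode the base32 secret from an enrollment URI (case and spacing tolerant)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the padding that URIs usually omit
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(key, int(for_time // step), digits)


def verify_totp(key, submitted, for_time=None, step=30, window=1):
    """Server-side check. Accept the current step plus `window` steps either
    side so a slightly skewed phone clock still works; compare in constant time
    so response timing does not reveal how many digits matched."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time // step)
    return any(hmac.compare_digest(hotp(key, c), submitted)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    key = secret_from_base32(RFC_TEST_SECRET_B32)
    print("HOTP counter 0:", hotp(key, 0))   # RFC 4226 test vector: 755224
    print("TOTP at t=59:  ", totp(key, 59))  # RFC 6238 test vector: 287082
    print("current code:  ", totp(key))
```

Note what the code shows about the trust model: the phone and the server share the secret and nothing travels over the network except a six-digit value that expires within a step or two, which is why a code captured by SIM swapping or phishing is only useful inside that window, and why the secret itself must be stored as carefully as a password hash.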

The Variables That Affect Your Approach

How you build your password strategy depends on factors specific to your situation:

  • Number of accounts — Managing five accounts is different from managing 150
  • Sensitivity of accounts — Banking and email warrant stricter standards than a throwaway forum login
  • Device ecosystem — Some operating systems have built-in credential managers with tight platform integration; others don't
  • Technical comfort level — The best system is one you'll actually use consistently
  • Threat model — Casual users face different risks than journalists, activists, or people with high-profile public accounts

Someone who maintains a small number of accounts and has strong recall might do fine with a passphrase system and no dedicated manager. Someone managing dozens of accounts across work and personal use will find that approach breaks down quickly. The right combination of password length, character rules, manager type, and 2FA method depends on where you land across those variables.

What counts as "good enough" for a streaming account login isn't the same standard that applies to your primary email — the account most attackers target first, because it controls password resets for everything else. 🔐