What Makes a Password "Strong"?

A strong password isn't just random characters — it's a combination of length, complexity, and unpredictability. Cybercriminals use automated tools that can test billions of password combinations per second. A weak password can be cracked in seconds; a well-designed one could take centuries.

The Core Rules of a Strong Password

  • Length: Aim for at least 12–16 characters. Each extra character multiplies the number of possible combinations, so cracking difficulty grows exponentially with length.
  • Mix of character types: Use uppercase letters, lowercase letters, numbers, and special characters (e.g., !, @, #, $).
  • No dictionary words: Attackers use dictionary attacks that run through common words and phrases. Avoid real words unless you're using a passphrase strategy (see below).
  • No personal information: Never use your name, birthday, pet's name, or anything someone could find on your social media.
  • Uniqueness: Every account should have a different password. Reusing passwords means one breach can unlock all your accounts.

Two Proven Strategies for Strong Passwords

Strategy 1: Random Character String

Generate a password like Xr7!mQz#2vLp@9kT. This is extremely secure but difficult to memorize — which is exactly why you should use a password manager (covered below) to store it.

Strategy 2: The Passphrase Method

A passphrase is a string of random, unrelated words: Lamp-Thunder-Bicycle-Quartz. These are long, memorable, and surprisingly hard to crack because of their combined length. Add numbers or symbols between words to make them even stronger.
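
An added example, not part of the original article: both strategies implemented in Python with the standard-library secrets CSPRNG, plus the entropy arithmetic behind the "Length" rule. The symbol set, the 16-word sample list, and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*"  # assumed symbol set; match what the target site accepts
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 70 characters
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)

# Constructed 16-word sample list so the example runs offline. It is far too
# small for real use: draw from thousands of words (e.g. a 7776-word diceware list).
SAMPLE_WORDS = ("lamp", "thunder", "bicycle", "quartz", "anchor", "velvet",
                "cactus", "harbor", "pixel", "walnut", "glacier", "trumpet",
                "saddle", "meadow", "orbit", "ladder")


def has_all_classes(password):
    """True if the password contains upper, lower, digit and symbol characters."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_password(length=16):
    """Strategy 1: uniform random characters from a CSPRNG (never `random`)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until every class is present; the entropy cost is negligible.
        if has_all_classes(candidate):
            return candidate


def passphrase(words=SAMPLE_WORDS, count=4, sep="-"):
    """Strategy 2: words picked independently at random, not chosen by a person."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(count))


def entropy_bits(choices, picks):
    """Entropy of `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(passphrase(), f"{entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits (sample list)")
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

With a 7776-word list, four words give about 51.7 bits and six give about 77.5 bits, against about 98 bits for 16 random characters from the 70-character alphabet, so a passphrase needs more words to match a random string.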

Passwords to Avoid — Common Mistakes

Weak Password    Why It's Risky
-------------    --------------
password123      One of the most commonly used passwords worldwide
John1985!        Contains a name and birth year — easily guessed
qwerty           Keyboard pattern — first thing attackers try
iloveyou         Common phrase found in all dictionary attack lists
abc123           Simple sequential combination — cracked instantly

Should You Use a Password Manager?

Yes — absolutely. Password managers like Bitwarden, 1Password, or KeePass generate and store complex, unique passwords for every site. You only need to remember one strong master password. They also alert you when your credentials appear in known data breaches.

How Often Should You Change Passwords?

Modern security guidance has shifted: you don't need to change passwords on a set schedule unless there's a reason to. Do change your password immediately if:

  • You suspect your account has been compromised.
  • A service you use announces a data breach.
  • You shared a password with someone and that relationship has changed.
  • You logged in on an untrusted device.

A Quick Password Strength Checklist

  1. Is it at least 12 characters long?
  2. Does it include uppercase, lowercase, numbers, and symbols?
  3. Does it avoid personal information and real words (other than a random-word passphrase)?
  4. Is it unique to this account only?
  5. Is it stored securely (password manager or memorized — not written on a sticky note)?

If you can check all five boxes, you have a strong password. If not, it's time to update it.