Creating Strong Passwords
Why Passwords Matter
Your passwords are the keys to your digital life. They protect your email, bank accounts, social media profiles, medical records, and countless other services that contain sensitive personal information. A compromised password can lead to identity theft, financial loss, embarrassment, and a long, painful recovery process.
Despite years of warnings, password-related breaches remain the single most common way that attackers gain unauthorized access to accounts. According to security research, over 80% of data breaches involve weak or stolen passwords. The good news is that creating and managing strong passwords is one of the easiest and most effective things you can do to protect yourself online.
Common Weak Passwords (And Why People Use Them)
Year after year, security researchers analyze leaked password databases and find the same patterns. The most commonly used passwords include:
- 123456 and its variations (123456789, 12345678, 1234567890)
- password and password1
- qwerty (the first six letters on a keyboard)
- abc123 and similar simple combinations
- Pet names, birthdates, sports teams, and celebrity names
- Single dictionary words like dragon, master, or sunshine
People choose these passwords because they are easy to remember. But that same simplicity makes them trivial for attackers to guess. Automated cracking tools can test millions of common passwords in seconds. If your password appears on any known list, it offers essentially zero protection.
What Makes a Password Strong?
There are two main factors that determine how resistant a password is to cracking: length and complexity. Of the two, length is far more important.
Length Beats Complexity
A short, complex password like X#9k!2 might look strong, but a modern computer can crack it in minutes because there are so few characters to guess. In contrast, a longer but simpler password like correct horse battery staple would take centuries to crack through brute force because of the enormous number of possible combinations.
Here is a rough guide to how length affects cracking time:
- 6 characters: Cracked in seconds to minutes
- 8 characters: Cracked in hours to days
- 12 characters: Cracked in years to decades
- 16+ characters: Effectively uncrackable by brute force
Complexity Still Helps
While length is king, mixing character types does add strength. A good password should ideally include a combination of uppercase letters, lowercase letters, numbers, and special characters. But do not sacrifice length for the sake of complexity. A 16-character password with only lowercase letters is stronger than an 8-character password with every character type.
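The length-versus-complexity claim can be checked with a simple search-space estimate. The following Python is an added example, not part of the original article: it counts the character classes a password uses, computes the brute-force search space in bits, and converts that to an expected cracking time at a constructed guess rate (the 1e10 guesses per second and the class sizes are assumptions for the estimate; real rates depend heavily on how the site hashes its passwords).

```python
import math
import string

# Character classes and their sizes. Assumption behind the estimate: the
# attacker knows which classes a password draws from and brute-forces
# exactly that alphabet, nothing smarter (no dictionaries, no patterns).
CHAR_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# Constructed guess rate for the table: a rough figure for offline cracking
# of a fast hash. Real rates vary by orders of magnitude with the hash used.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet the attacker must search: sum of the classes used."""
    size = sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no recognised character class")
    return size


def entropy_bits(password: str) -> float:
    """Brute-force search space in bits: log2(charset_size ** length)."""
    return len(password) * math.log2(charset_size(password))


def expected_crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to guess the password: half the keyspace at `rate` guesses/s."""
    return 2 ** entropy_bits(password) / 2 / rate


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    value = seconds
    for unit, next_factor in (("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365)):
        if value < next_factor:
            return f"{value:,.1f} {unit}"
        value /= next_factor
    return f"{value:,.1f} years"


if __name__ == "__main__":
    # Constructed samples: the article's two examples plus an 8-char all-class
    # password and a 19-char lowercase one.
    samples = ["X#9k!2", "Aa1!Aa1!", "correcthorsebattery", "correct horse battery staple"]
    for pw in samples:
        bits = entropy_bits(pw)
        print(f"{pw!r:32} {len(pw):2d} chars {bits:6.1f} bits  ~{describe(expected_crack_seconds(pw))}")
```

Running it shows the ordering the text describes: the six-character mixed password sits around 39 bits, the eight-character all-class one around 53 bits, and the nineteen-character lowercase one around 89 bits, so adding characters beats adding character types. The numbers are upper bounds; a dictionary attack on real words finishes far sooner than this brute-force figure, which is why the next section insists the words be random.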
The Power of Passphrases
A passphrase is a password made up of multiple words strung together. Passphrases are excellent because they are both long and memorable. Instead of trying to remember j7$kL!9mN2, you can remember something like purple-elephant-rides-bicycle-Tuesday.
To create a strong passphrase:
- Choose four to six random, unrelated words
- Separate them with hyphens, spaces, or other characters
- Optionally capitalize a word or add a number for extra strength
- Make sure the words are truly random and not a common phrase
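The four steps above amount to a small generator. This Python is an added example, not the article's own code: it draws words with the operating system's cryptographic random source (so the choice is truly random rather than a phrase you happen to like), joins them with a separator, optionally capitalises one word and appends a digit, and reports the resulting entropy. The 64-word list is constructed for illustration; a real generator should use a large curated list (the EFF long list has 7776 words), because entropy comes from the list size and word count, not from how unusual the words look.

```python
import math
import secrets

# Constructed 64-word sample list (2**6 entries, so each word adds exactly
# 6 bits). Replace with a large curated wordlist for real use.
SAMPLE_WORDS = [
    "apple", "brick", "candle", "daisy", "eagle", "falcon", "garden", "harbor",
    "igloo", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
    "quilt", "river", "saddle", "tulip", "umbrella", "velvet", "walnut", "yogurt",
    "zebra", "anchor", "bamboo", "cactus", "dolphin", "ember", "fossil", "glacier",
    "hammer", "island", "jungle", "kayak", "lemon", "meadow", "nickel", "otter",
    "parrot", "quartz", "rocket", "sunset", "thunder", "unicorn", "violin", "window",
    "yarrow", "acorn", "badger", "canyon", "donkey", "engine", "feather", "goblet",
    "helmet", "ivory", "jigsaw", "kernel", "lobster", "magnet", "nutmeg", "oyster",
]
assert len(set(SAMPLE_WORDS)) == 64, "wordlist must not contain duplicates"


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy when each word is drawn uniformly and independently from the list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(
    word_count: int = 5,
    wordlist: list[str] = SAMPLE_WORDS,
    separator: str = "-",
    capitalize_one: bool = False,
    append_digit: bool = False,
) -> str:
    """Build a passphrase of `word_count` random words from `wordlist`."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    rng = secrets.SystemRandom()  # OS entropy, never the seedable default PRNG
    words = [rng.choice(wordlist) for _ in range(word_count)]
    if capitalize_one:
        i = rng.randrange(word_count)
        words[i] = words[i].capitalize()
    phrase = separator.join(words)
    if append_digit:
        phrase += str(rng.randrange(10))
    return phrase


if __name__ == "__main__":
    for n in (4, 5, 6):
        print(f"{n} words from {len(SAMPLE_WORDS)}: "
              f"{passphrase_entropy_bits(len(SAMPLE_WORDS), n):.0f} bits  "
              f"e.g. {generate_passphrase(n, capitalize_one=True, append_digit=True)}")
    print(f"5 words from a 7776-word list: {passphrase_entropy_bits(7776, 5):.1f} bits")
```

The capitalised word and the trailing digit add only a few bits each (which word, which digit); the word count and list size do the real work, which is why a fifth word from a large list is worth more than any amount of decoration.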
Password Managers: Your Digital Vault
The biggest password security problem most people face is not creating strong passwords -- it is remembering them. The average person has over 100 online accounts. Remembering a unique, strong password for each one is humanly impossible, which is why most people reuse passwords across sites. This is extremely dangerous: if one site is breached, attackers can use those same credentials to access all your other accounts.
A password manager solves this problem. It is a secure application that stores all your passwords in an encrypted vault, protected by a single master password. With a password manager, you only need to remember one strong master password. The manager handles everything else.
Why Use a Password Manager?
- Generates strong passwords: It creates long, random passwords for every account
- Remembers everything: You never need to memorize individual passwords
- Auto-fills login forms: Saves time and prevents typos
- Detects phishing: It only fills credentials on the exact site they were saved for, so it will not auto-fill on a look-alike fake website
- Syncs across devices: Access your passwords on your phone, tablet, and computer
- Alerts you to breaches: Many managers notify you when a site you use has been compromised
Popular password managers include Bitwarden (free and open source), 1Password, and KeePass. Most web browsers also include a built-in password manager, which is better than nothing but generally less feature-rich than dedicated tools.
Two-Factor Authentication (2FA/MFA)
Even the strongest password can be stolen through phishing, data breaches, or malware. That is why two-factor authentication (2FA), also called multi-factor authentication (MFA), is so important. 2FA adds a second layer of security by requiring something in addition to your password when you log in.
The three types of authentication factors are:
- Something you know: Your password or PIN
- Something you have: Your phone, a security key, or an authenticator app
- Something you are: Your fingerprint, face, or other biometric
Common 2FA methods, ranked from most to least secure:
- Hardware security keys (YubiKey, etc.) -- Most secure, phishing-resistant
- Authenticator apps (Google Authenticator, Authy) -- Very secure, generate time-based one-time codes on your device
- SMS text messages -- Better than nothing, but vulnerable to SIM-swapping attacks
Enable 2FA on every account that supports it, especially your email, banking, and social media accounts. Even if an attacker steals your password, they will not be able to access your account without the second factor.
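The "time-based codes" an authenticator app shows are computed on the device from a secret shared at enrolment and the current time, so a phished password alone is not enough to produce one. This Python is an added example, not code from the article: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, decodes the base32 secret that enrolment QR codes carry, and verifies a submitted code with a small drift window. The secret used is the RFCs' published test-vector secret, so the output can be checked against the documented values; it is not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# The RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"),
# used only so results can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Enrolment QR codes carry the secret as unpadded base32; restore the padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift).

    Every candidate is compared in constant time and the result is OR-ed,
    so timing does not reveal which digits or which step matched.
    """
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        matched |= hmac.compare_digest(expected, code)
    return matched


if __name__ == "__main__":
    # Base32 form of the test secret, as an enrolment QR code would encode it.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQ GEZDGNBVGY3TQOJQ")
    now = time.time()
    print("current code:", totp(secret, now), "valid for", 30 - int(now) % 30, "s")
    print("RFC 6238 vector, t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082
```

Two points worth noticing from the verifier: the drift window is what lets a phone whose clock is a few seconds off still log in, and a server should also record the last step it accepted so the same code cannot be replayed within that window.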
Has Your Password Been Compromised?
Billions of passwords have been exposed in data breaches over the years. These stolen credentials are compiled into massive databases that attackers use to try logging into other services -- a technique called credential stuffing.
You can check whether your passwords or email addresses have appeared in known data breaches. Security researchers maintain databases of compromised credentials (such as the well-known "Have I Been Pwned" service) that allow you to search safely without exposing your actual password. These services use a technique called k-anonymity: only the first few characters of a hash of your password are sent, the service returns every hash it holds that starts with those characters, and the comparison happens on your own device, so the checking service never sees your full password or even its full hash.
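The k-anonymity exchange is easiest to understand by running both sides locally. This Python is an added example, not the article's code and not the real service: the mock server indexes SHA-1 hashes by their first five hex characters and answers range queries with "SUFFIX:COUNT" lines (the shape used by the Pwned Passwords range API), and the client sends only the prefix and matches the remainder itself. The breached corpus and its counts are constructed; nothing here talks to the network.

```python
import hashlib


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class MockRangeServer:
    """Stand-in for a breach-lookup service. It never receives a full hash:
    it only sees the 5-character prefix and returns every suffix under it."""

    PREFIX_LEN = 5

    def __init__(self, breached: dict[str, int]):
        self.index: dict[str, list[tuple[str, int]]] = {}
        for password, count in breached.items():
            digest = sha1_hex_upper(password)
            prefix, suffix = digest[:self.PREFIX_LEN], digest[self.PREFIX_LEN:]
            self.index.setdefault(prefix, []).append((suffix, count))
        self.requests: list[str] = []  # record of everything clients sent

    def range_query(self, prefix: str) -> list[str]:
        """Answer 'what hashes start with this prefix?' as SUFFIX:COUNT lines."""
        self.requests.append(prefix)
        return [f"{suffix}:{count}" for suffix, count in self.index.get(prefix.upper(), [])]


def check_password(password: str, server: MockRangeServer) -> int:
    """Client side: send the prefix only, match the suffix locally.

    Returns the breach count for the password, or 0 if it was not found.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:MockRangeServer.PREFIX_LEN], digest[MockRangeServer.PREFIX_LEN:]
    for line in server.range_query(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed breach corpus: a few of the article's examples with made-up counts.
BREACHED_SAMPLE = {"123456": 3, "password": 2, "qwerty": 1}


if __name__ == "__main__":
    server = MockRangeServer(BREACHED_SAMPLE)
    for pw in ("123456", "qwerty", "purple-elephant-rides-bicycle-Tuesday"):
        seen = check_password(pw, server)
        print(f"{pw!r}: {'found ' + str(seen) + ' time(s)' if seen else 'not found'}")
    print("what the server actually received:", server.requests)
```

The final line of output is the point of the design: the server's request log holds only five-character prefixes, each shared by a large number of unrelated passwords, so even a logging or compromised service learns nothing usable about the password being checked.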
If you discover that a password has been compromised, change it immediately on every site where you used it. This is another reason why using unique passwords for each site is so critical.
One Password Per Site -- No Exceptions
This cannot be emphasized enough: never reuse passwords across different websites or services. When a website suffers a data breach (and breaches happen constantly), attackers immediately try those stolen credentials on other popular services like Gmail, Facebook, Amazon, and banking sites.
If you use the same password for your email and your online shopping account, a breach at the shopping site gives attackers access to your email. With access to your email, they can reset passwords on virtually every other account you own. The damage cascades rapidly.
Quick Action Checklist
- Install a reputable password manager
- Create a strong master passphrase (4-6 random words)
- Change your most important passwords (email, banking) to strong, unique passwords
- Enable 2FA on every account that supports it
- Gradually update all your other passwords to unique, manager-generated ones
- Check your email addresses against known breach databases
- Delete accounts you no longer use
Taking these steps puts you ahead of the vast majority of internet users in terms of account security. Strong, unique passwords combined with two-factor authentication make you an extremely difficult target for attackers -- and they will almost always move on to easier prey.