Why Most Passwords Are Too Weak
The most commonly used passwords in the world are still things like 123456, password, and qwerty. Even people who think they're being clever use substitutions like P@ssw0rd — a pattern that cracking tools learned to handle years ago.
Modern password-cracking software can test billions of guesses per second. Short passwords, dictionary words, and predictable patterns fall almost instantly. The good news: building genuinely strong passwords isn't complicated once you understand what actually makes them secure.
What Makes a Password Strong?
Security researchers broadly agree on a few key properties:
- Length: This is the single biggest factor. Every added character multiplies the number of possible passwords by the size of the character set, so a 16-character password is exponentially harder to crack than an 8-character one, even if the shorter one uses special characters.
- Randomness: Avoid words, names, dates, and patterns. True randomness is hard for humans to generate but easy for a password manager.
- Uniqueness: Never reuse passwords across accounts. If one site gets breached, every other account with the same password is compromised instantly.
- No personal info: Your birthday, pet's name, or hometown are among the first things an attacker would try.
Two Practical Approaches to Strong Passwords
Method 1: The Passphrase
A passphrase strings together four or more unrelated words: correct-horse-battery-staple (famously illustrated by the XKCD comic). These are long and memorable, and hard to crack because the number of possible word combinations grows with every word added, not because any single word is obscure. You can add a number or symbol between words to meet complexity requirements.
The trick is to choose words truly at random — not a sentence that makes logical sense. "MyDogLovesChicken" is weaker than "Lamp-Glacier-Pencil-Fog" because the first follows a predictable grammar pattern.
Method 2: Let a Password Manager Generate It
This is the approach most security professionals recommend. A password manager generates a completely random string like xK7#mQ2!vLpR9@nJ and stores it so you never have to remember it. You only need to remember one strong master password to unlock the manager itself.
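Both methods above come down to the same idea: draw each word or character uniformly at random and make the result long. The following is an added example, not code from the article or from any password manager, showing a passphrase generator, a random-string generator, and the entropy arithmetic behind the "length matters most" claim. The word list is a small constructed sample; a real passphrase list (such as the EFF long list with 7776 words) is assumed for the 51-bit figure below.

```python
"""Added example: random passphrases and passwords with the `secrets` module,
plus the entropy estimate that shows why length dominates complexity."""
import math
import secrets
import string

# Constructed sample word list. A real list should have thousands of entries;
# the entropy of a passphrase depends on the list size, not on these words.
SAMPLE_WORDS = [
    "lamp", "glacier", "pencil", "fog", "horse", "battery", "staple", "correct",
    "orbit", "velvet", "canyon", "tulip", "anchor", "quartz", "meadow", "ember",
]

# Character pool for generated passwords: 52 letters + 10 digits + 8 symbols = 70.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def passphrase(words=SAMPLE_WORDS, count=4, sep="-"):
    """Method 1: join `count` words drawn uniformly (with replacement) from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Method 2: a fully random string, the kind a password manager generates."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(pool_size, length):
    """Entropy of `length` independent uniform draws from a pool of `pool_size`.
    This is the honest measure of strength: it assumes the attacker knows the
    generation method and only has to search the space."""
    return length * math.log2(pool_size)


def crack_time_seconds(bits, guesses_per_second=1e10):
    """Expected time to hit the password, searching half the space on average
    at the given guess rate (1e10/s is a plausible offline GPU rig figure,
    assumed here for illustration)."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    print("passphrase :", passphrase())
    print("password   :", random_password())
    # Length beats complexity: 16 lowercase letters outscore 8 chars from a
    # 95-symbol keyboard pool.
    print("8 chars, 95-symbol pool :", round(entropy_bits(95, 8), 1), "bits")
    print("16 chars, lowercase only:", round(entropy_bits(26, 16), 1), "bits")
    print("4 words from a 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    for bits in (entropy_bits(95, 8), entropy_bits(70, 16)):
        years = crack_time_seconds(bits) / (365 * 24 * 3600)
        print(f"{bits:5.1f} bits -> about {years:.3g} years at 1e10 guesses/s")
```

Note that the entropy numbers only hold for passwords actually generated this way; a human-chosen "Lamp-Glacier-Pencil-Fog" that follows a private theme is weaker than the arithmetic suggests.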
Choosing a Password Manager
Password managers are apps that securely store all your login credentials. Here's what to look for:
- End-to-end encryption: Your passwords should be encrypted locally before they ever reach the provider's servers, so even the company can't read them.
- Cross-device sync: You want your passwords accessible on your phone, laptop, and browser.
- Autofill: A good manager fills in credentials automatically, saving time and reducing phishing risk: it only offers a login for the exact site it was saved on, so it won't autofill on a fake lookalike domain.
- Breach monitoring: Many managers alert you if one of your saved passwords appears in a known data breach.
Well-regarded options include Bitwarden (open-source and free), 1Password, and Dashlane. Your device may also offer a built-in option — Apple Keychain and Google Password Manager are decent starting points.
The Password Audit: Where to Start Today
- Identify your most critical accounts: Email, banking, work accounts, and social media should be top priority.
- Check if your email has been in a breach by visiting haveibeenpwned.com — a free, trustworthy tool.
- Change any reused or weak passwords on your critical accounts first.
- Set up a password manager and begin migrating credentials over time. You don't have to do it all at once.
- Enable 2FA on every account that supports it, as an additional layer beyond the password.
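The audit steps above can be run mechanically over a vault export. The following is an added example, not code from the article or from any password manager, that flags reused passwords, passwords shorter than 16 characters, and passwords found in a breach corpus, listing critical accounts first. The vault and the breach corpus are constructed sample data; the corpus is keyed the way Have I Been Pwned's Pwned Passwords range lookup works (first five hex characters of the uppercase SHA-1, matched against a suffix list), but it is checked entirely offline here and the account names and `CRITICAL` set are assumptions.

```python
"""Added example: a local password-vault audit for reuse, length and breach
exposure, mirroring the article's audit checklist."""
import hashlib
from collections import defaultdict

# Constructed vault of (account, password) pairs. Sample data only.
VAULT = [
    ("email", "Summer2019!"),
    ("bank", "Summer2019!"),
    ("work", "xK7#mQ2!vLpR9@nJ"),
    ("social", "password"),
]

# Accounts the article says to prioritise (assumed names).
CRITICAL = {"email", "bank", "work"}
MIN_LENGTH = 16


def sha1_upper(password):
    """Uppercase hex SHA-1, the hash form used by the Pwned Passwords range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus: 5-char prefix -> suffixes.
# A real check would fetch the suffix list for the prefix from the HIBP range
# endpoint; the full password or hash is never sent, only its prefix.
BREACH_CORPUS = defaultdict(set)
for _pw in ("password", "123456", "qwerty"):
    _h = sha1_upper(_pw)
    BREACH_CORPUS[_h[:5]].add(_h[5:])


def is_breached(password, corpus=BREACH_CORPUS):
    """k-anonymity style lookup: select by prefix, compare the suffix locally."""
    h = sha1_upper(password)
    return h[5:] in corpus.get(h[:5], set())


def audit(vault=VAULT, corpus=BREACH_CORPUS):
    """Return {account: [findings]} with critical accounts first, then by name.
    Accounts with no findings are omitted."""
    accounts_using = defaultdict(list)
    for account, pw in vault:
        accounts_using[pw].append(account)

    findings = {}
    for account, pw in vault:
        issues = []
        others = [a for a in accounts_using[pw] if a != account]
        if others:
            issues.append("reused on: " + ", ".join(others))
        if len(pw) < MIN_LENGTH:
            issues.append(f"only {len(pw)} characters (want {MIN_LENGTH}+)")
        if is_breached(pw, corpus):
            issues.append("appears in breach corpus")
        if issues:
            findings[account] = issues

    ordered = sorted(findings.items(), key=lambda kv: (kv[0] not in CRITICAL, kv[0]))
    return dict(ordered)


if __name__ == "__main__":
    for account, issues in audit().items():
        tag = "CRITICAL" if account in CRITICAL else "other"
        print(f"[{tag}] {account}: " + "; ".join(issues))
```

The output order is the work order the article suggests: fix the reused or weak passwords on critical accounts first, then move the rest into the manager over time.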
What About Security Questions?
Treat security questions like passwords. "What was the name of your first pet?" is information that might be on your social media. Instead of answering truthfully, use a random string of words as your answer — and store it in your password manager. There's no rule that says your mother's maiden name has to actually be your mother's maiden name.
Quick Reference: Password Dos and Don'ts
| Do | Don't |
|---|---|
| Use 16+ characters | Use your name, birthday, or pet's name |
| Use a different password for every account | Reuse passwords across sites |
| Use a password manager | Store passwords in a plain text file or browser note |
| Use a passphrase of random words | Use dictionary words or predictable substitutions like @ for a |
| Enable 2FA everywhere you can | Share your password with anyone via email or text |